diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 692d05b..b8ab80f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,7 +5,7 @@ jobs:
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
- node: [8, 16, 18, 20, latest]
+ node: [18, 20, 22, latest] # https://nodejs.org/en/about/previous-releases
 runs-on: ${{ matrix.os }}
 name: ${{ matrix.os }} / Node ${{ matrix.node }}
 steps:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..da9c516
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
diff --git a/bin.js b/bin.js
index 3fbcdf0..c778e0a 100755
--- a/bin.js
+++ b/bin.js
@@ -16,7 +16,9 @@ if (!buildFromSource()) {
 }
 function build () {
- var args = [os.platform() === 'win32' ? 'node-gyp.cmd' : 'node-gyp', 'rebuild']
+ var win32 = os.platform() === 'win32'
+ var shell = win32
+ var args = [win32 ? 'node-gyp.cmd' : 'node-gyp', 'rebuild']
 try {
 var pkg = require('node-gyp/package.json')
@@ -25,9 +27,10 @@ function build () {
 path.join(require.resolve('node-gyp/package.json'), '..', typeof pkg.bin === 'string' ? pkg.bin : pkg.bin['node-gyp']),
 'rebuild'
 ]
+ shell = false
 } catch (_) {}
- proc.spawn(args[0], args.slice(1), { stdio: 'inherit' }).on('exit', function (code) {
+ proc.spawn(args[0], args.slice(1), { stdio: 'inherit', shell, windowsHide: true }).on('exit', function (code) {
 if (code || !process.argv[3]) process.exit(code)
 exec(process.argv[3]).on('exit', function (code) {
 process.exit(code)
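Review bot: In `build`, `shell` is switched on for the Windows `node-gyp.cmd` fallback without a comment saying why, or what it requires of `args`. With `shell: true` Node joins the command and its arguments into a single shell command line without escaping, so this is safe only because both elements are constants (`node-gyp.cmd`, `rebuild`). A comment above `var shell = win32` would keep that invariant visible, e.g. `// .cmd shims must be spawned through a shell on Windows; args are joined unescaped, so keep them constant`. The second bin.js hunk sets `shell = false` once node-gyp is resolved and launched via `process.execPath`; presumably that direct launch is the path any future variable argument should take. `build` starts before the second hunk and ends after it, so the rest of the function is not visible here.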
@@ -45,15 +48,18 @@ function preinstall () {
 function exec (cmd) {
 if (process.platform !== 'win32') {
- var shell = os.platform() === 'android' ? 'sh' : '/bin/sh'
- return proc.spawn(shell, ['-c', '--', cmd], {
+ var shell = os.platform() === 'android' ? 'sh' : true
+ return proc.spawn(cmd, [], {
+ shell,
 stdio: 'inherit'
 })
 }
- return proc.spawn(process.env.comspec || 'cmd.exe', ['/s', '/c', '"' + cmd + '"'], {
+ return proc.spawn(cmd, [], {
 windowsVerbatimArguments: true,
- stdio: 'inherit'
+ stdio: 'inherit',
+ shell: true,
+ windowsHide: true
 })
 }
diff --git a/package.json b/package.json
index 86319f3..b8c4442 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "node-gyp-build",
- "version": "4.8.0",
+ "version": "4.8.2",
 "description": "Build tool and bindings loader for node-gyp that supports prebuilds",
 "main": "index.js",
 "devDependencies": {
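Review bot: The POSIX branch of `exec` no longer places `--` before the command. The removed call ran `sh -c -- cmd`, whereas `shell: true` should make Node run the shell as `-c cmd`, so a command string beginning with `-` would be read as a shell option instead of the command; worth confirming and, if it matters, keeping the explicit `proc.spawn(shell, ['-c', '--', cmd], ...)` form on this branch. `cmd` is `process.argv[3]` (see the `exec(process.argv[3])` call in `build`) and reaches a shell verbatim on every platform, which deserves a comment above `exec`, e.g. `// cmd is a shell command line from argv; it is interpreted by the shell, so it must come from a trusted package script`. On the Windows branch `windowsVerbatimArguments: true` appears redundant now that the argument list is empty and `shell: true` is set; confirm and drop it if so.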