
fix(utils): quote shell arguments to prevent malicious injection#1136

Draft: matejchalk wants to merge 1 commit into main from remove-shell-true


matejchalk (Collaborator) commented Nov 4, 2025

Attempt to resolve CodeQL alert.

The shell: true flag was introduced way back in #165, and is necessary for Windows support.
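
The risk behind the alert, as an added example that is not taken from this PR or the code-pushup code base: with `shell: true`, arguments become part of a shell command line, so an unquoted metacharacter changes what runs. The helper names and the sample argument are hypothetical, and the quoting shown applies to POSIX `sh` only (`cmd.exe` on Windows has different rules).

```javascript
// Added example: not code from the code-pushup repository.
const { spawnSync } = require('node:child_process');

// Constructed sample: an argument value that carries a shell metacharacter.
const HOSTILE_ARG = 'report.json; echo INJECTED';

// Hypothetical helper: POSIX sh single-quote escaping. Inside '...' nothing is
// special, so the only character to handle is ' itself (close, \', reopen).
function quotePosix(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// With shell: true, Node joins the command and its args with spaces and passes
// the resulting string to `sh -c`, so metacharacters in args are interpreted.
// The join is written out here to make that step visible.
function runUnquoted(command, args) {
  const line = [command, ...args].join(' ');
  return spawnSync(line, { shell: true, encoding: 'utf8' }).stdout;
}

// Same shell invocation, but every argument is quoted first.
function runQuoted(command, args) {
  const line = [command, ...args.map(quotePosix)].join(' ');
  return spawnSync(line, { shell: true, encoding: 'utf8' }).stdout;
}

// No shell at all: args go to the program as separate argv entries.
function runNoShell(command, args) {
  return spawnSync(command, args, { encoding: 'utf8' }).stdout;
}

console.log(JSON.stringify({
  unquoted: runUnquoted('echo', [HOSTILE_ARG]),
  quoted: runQuoted('echo', [HOSTILE_ARG]),
  noShell: runNoShell('echo', [HOSTILE_ARG]),
}, null, 2));
```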

nx-cloud Bot commented Nov 4, 2025

View your CI Pipeline Execution ↗ for commit 08a67cb

Command Status Duration Result
nx code-pushup --nx-bail -- print-config --outp... ❌ Failed 1m 6s View ↗

☁️ Nx Cloud last updated this comment at 2025-11-06 10:55:46 UTC

pkg-pr-new Bot commented Nov 4, 2025

@code-pushup/ci

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/ci@1136

@code-pushup/cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/cli@1136

@code-pushup/core

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/core@1136

@code-pushup/create-cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/create-cli@1136

@code-pushup/models

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models@1136

@code-pushup/nx-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/nx-plugin@1136

@code-pushup/coverage-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/coverage-plugin@1136

@code-pushup/eslint-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/eslint-plugin@1136

@code-pushup/js-packages-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/js-packages-plugin@1136

@code-pushup/jsdocs-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/jsdocs-plugin@1136

@code-pushup/lighthouse-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/lighthouse-plugin@1136

@code-pushup/typescript-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/typescript-plugin@1136

@code-pushup/utils

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/utils@1136

@code-pushup/models-transformers

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models-transformers@1136

commit: 08a67cb

@github-actions github-actions Bot added 🔬 testing writing tests 🧩 eslint-plugin 🧩 coverage-plugin 🧩 js-packages-plugin Plugin for audit and outdated dependencies labels Nov 6, 2025
@matejchalk matejchalk changed the title fix(utils): remove unsafe shell:true option from executeProcess Nov 6, 2025