From e0bffcbbf788e7a1ff762417a6540d97164cbe3a Mon Sep 17 00:00:00 2001
From: "Shankar D. Warang"
Date: Tue, 6 Jan 2026 00:24:44 +0530
Subject: [PATCH] fix for uncontrolled command line

Code that passes untrusted user input directly to child_process.exec or similar APIs that execute shell commands allows the user to execute malicious code.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 scripts/run-with-pm.cjs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/scripts/run-with-pm.cjs b/scripts/run-with-pm.cjs
index bf3a350..872bd51 100755
--- a/scripts/run-with-pm.cjs
+++ b/scripts/run-with-pm.cjs
@@ -5,7 +5,7 @@
  * Usage: node scripts/run-with-pm.js
  */
 
-const { execSync } = require("child_process");
+const { execSync, execFileSync } = require("child_process");
 
 function detectPackageManager() {
   try {
@@ -22,15 +22,18 @@ function detectPackageManager() {
 }
 
 const pm = detectPackageManager();
-const command = process.argv.slice(2).join(" ");
+const argv = process.argv.slice(2);
 
-if (!command) {
+if (argv.length === 0) {
   console.error("Error: No command provided");
   process.exit(1);
 }
 
+const subcommand = argv[0];
+const args = argv.slice(1);
+
 try {
-  execSync(`${pm} ${command}`, { stdio: "inherit" });
+  execFileSync(pm, [subcommand, ...args], { stdio: "inherit" });
 } catch (error) {
   process.exit(error.status || 1);
 }
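Review bot: A spawn failure in the new `execFileSync(pm, ...)` call (for example the package manager not being on PATH, or on Windows where `npm`/`yarn`/`pnpm` are `.cmd` shims that `execFileSync` without `shell` may not resolve) now reaches the catch with `error.status` undefined, so the script exits 1 without printing any diagnostic; adding `if (error.status == null) console.error(error.message);` before the `process.exit` line keeps the failure visible. If the Windows case turns out to matter, resolve it some other way than re-adding `shell: true`, which would reopen the injection this commit closes. The `subcommand`/`args` split is then re-spread into `[subcommand, ...args]`, which is just `argv`; passing `argv` directly would be simpler. Whether `pm` is always one of a fixed set of names cannot be confirmed here, since `detectPackageManager` is outside the hunk, and `execSync` is still imported although nothing in the visible hunks uses it.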