fixup! fix(ng-dev): prevent OS command injection in ChildProcess wrappers

Address reviewer feedback from alan-agius4 and josephperrott:
- Expose shell as an optional boolean on SpawnOptions and SpawnSyncOptions
  (removed from Omit<>) so callers can explicitly opt-in when shell
  features are genuinely required (e.g. sourcing shell scripts with
  '. ~/.nvm/nvm.sh && nvm install').
- Default shell to false via 'options.shell ?? false' in both spawn()
  and spawnSync(), making the secure behavior the default while
  preserving backward compatibility for existing shell: true callers.
- Remove incorrect Linux/macOS-only comments; ng-dev targets all platforms.
- Remove @deprecated tag from exec() per alan-agius4 suggestion.
- Simplify Log.warn in exec() to remove the command string.

Author: herdiyana256

ng-dev/utils/child-process.ts

@@ -31,10 +31,10 @@ export interface CommonCmdOpts {
 
 /** Interface describing the options for spawning a process synchronously. */
 export interface SpawnSyncOptions
-  extends CommonCmdOpts, Omit<_SpawnSyncOptions, 'shell' | 'stdio' | 'input'> {}
+  extends CommonCmdOpts, Omit<_SpawnSyncOptions, 'stdio' | 'input'> {}
 
 /** Interface describing the options for spawning a process. */
-export interface SpawnOptions extends CommonCmdOpts, Omit<_SpawnOptions, 'shell' | 'stdio'> {}
+export interface SpawnOptions extends CommonCmdOpts, Omit<_SpawnOptions, 'stdio'> {}
 
 /** Interface describing the options for exec-ing a process. */
 export interface ExecOptions extends CommonCmdOpts, Omit<_ExecOptions, 'shell' | 'stdio'> {}
@@ -85,11 +85,10 @@ export abstract class ChildProcess {
    * @returns The command's stdout and stderr.
    */
   static spawnSync(command: string, args: string[], options: SpawnSyncOptions = {}): SpawnResult {
-    // Pass args as a proper array with shell: false to prevent OS command injection.
-    // When shell: true is used, Node.js internally joins command + args into a single
-    // string evaluated by /bin/sh, making shell metacharacters in args exploitable.
-    // Note: shell: false may affect .cmd/.bat execution on Windows, but ng-dev
-    // targets Linux/macOS CI environments where this is not a concern.
+    // Default shell to false to prevent OS command injection: with shell: true, Node.js
+    // internally joins command + args into a single string evaluated by /bin/sh, making
+    // shell metacharacters in args exploitable. Callers that genuinely require shell
+    // features (e.g. sourcing shell scripts) may explicitly pass shell: true.
     const commandText = `${command} ${args.join(' ')}`;
     const env = getEnvironmentForNonInteractiveCommand(options.env);
 
@@ -100,7 +99,7 @@ export abstract class ChildProcess {
       signal,
       stdout,
       stderr,
-    } = _spawnSync(command, args, {...options, env, encoding: 'utf8', shell: false, stdio: 'pipe'});
+    } = _spawnSync(command, args, {...options, env, encoding: 'utf8', shell: options.shell ?? false, stdio: 'pipe'});
 
     /** The status of the spawn result. */
     const status = statusFromExitCodeAndSignal(exitCode, signal);
@@ -121,18 +120,17 @@ export abstract class ChildProcess {
    *   rejects on command failure.
    */
   static spawn(command: string, args: string[], options: SpawnOptions = {}): Promise<SpawnResult> {
-    // Pass args as a proper array with shell: false to prevent OS command injection.
-    // When shell: true is used, Node.js internally joins command + args into a single
-    // string evaluated by /bin/sh, making shell metacharacters in args exploitable.
-    // Note: shell: false may affect .cmd/.bat execution on Windows, but ng-dev
-    // targets Linux/macOS CI environments where this is not a concern.
+    // Default shell to false to prevent OS command injection: with shell: true, Node.js
+    // internally joins command + args into a single string evaluated by /bin/sh, making
+    // shell metacharacters in args exploitable. Callers that genuinely require shell
+    // features (e.g. sourcing shell scripts) may explicitly pass shell: true.
     const commandText = `${command} ${args.join(' ')}`;
     const env = getEnvironmentForNonInteractiveCommand(options.env);
 
     return processAsyncCmd(
       commandText,
       options,
-      _spawn(command, args, {...options, env, shell: false, stdio: 'pipe'}),
+      _spawn(command, args, {...options, env, shell: options.shell ?? false, stdio: 'pipe'}),
     );
   }
 
@@ -143,14 +141,10 @@ export abstract class ChildProcess {
    *
    * @returns a Promise resolving with captured stdout and stderr on success. The promise
    *   rejects on command failure.
-   * @deprecated Use ChildProcess.spawn with an explicit args array instead.
-   *   exec() passes the command string directly to the shell, making it susceptible
-   *   to command injection via shell metacharacters in the command string.
    */
   static exec(command: string, options: ExecOptions = {}): Promise<SpawnResult> {
     Log.warn(
-      `ChildProcess.exec is discouraged as it is susceptible to command injection ` +
-      `(command: ${command}). Prefer ChildProcess.spawn with an array of arguments.`,
+      'ChildProcess.exec is susceptible to command injection. Prefer ChildProcess.spawn with an explicit args array.',
     );
     const env = getEnvironmentForNonInteractiveCommand(options.env);
     return processAsyncCmd(command, options, _exec(command, {...options, env}));