azure-sdk-for-js
[dev-tool] more secure fix for spawning process
Currently, when we run vendored commands on Windows, we set shell: true. This is subject to injection attacks (see https://github.com/Azure/azure-sdk-for-js/pull/29414#issuecomment-2075603910).
This work item tracks a more robust fix. We could port rush's utility at https://github.com/microsoft/rushstack/blob/5d9c506caec86b1d2b979703c893b67481451bb5/libraries/node-core-library/src/Executable.ts#L674
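A sketch of the kind of spawn helper this issue asks for, as an added example (not code from azure-sdk-for-js or rushstack): it shows the single string Node builds under shell: true, and a spawn plan that involves cmd.exe only for batch wrappers, after rejecting shell metacharacters. The function names, the deny-list and the sample arguments are assumptions made for illustration.

```javascript
// Added example; names and the deny-list are assumptions, not the SDK's or rushstack's code.
// Characters cmd.exe treats as syntax: expansion, escape, chaining, pipes,
// redirection, quotes and line breaks.
const CMD_META = /[%^&|<>"\r\n]/;

// With `shell: true`, Node joins command and arguments with spaces, unescaped,
// and hands the result to the shell as one string.
function shellCommandLine(command, args) {
  return [command, ...args].join(" ");
}

// Refuse any value that cmd.exe would parse as syntax instead of data.
function assertSafeForCmd(values) {
  for (const v of values) {
    if (CMD_META.test(v)) {
      throw new Error(`unsafe value for cmd.exe: ${JSON.stringify(v)}`);
    }
  }
}

// Quote only when needed; double trailing backslashes so they cannot escape the closing quote.
function quoteForCmd(arg) {
  if (arg !== "" && !/\s/.test(arg)) return arg;
  return `"${arg.replace(/\\+$/, "$&$&")}"`;
}

// Returns { file, args, options } for child_process.spawn(file, args, options).
// No shell except for Windows batch wrappers (.cmd/.bat), which need cmd.exe.
function spawnPlan(command, args, platform = process.platform) {
  const isBatch = platform === "win32" && /\.(cmd|bat)$/i.test(command);
  if (!isBatch) {
    return { file: command, args, options: { shell: false } };
  }
  assertSafeForCmd([command, ...args]);
  const line = [command, ...args].map(quoteForCmd).join(" ");
  return {
    file: process.env.ComSpec || "cmd.exe",
    // /d skips AutoRun, /s /c strips only the outer quotes and runs the rest.
    args: ["/d", "/s", "/c", `"${line}"`],
    options: { shell: false, windowsVerbatimArguments: true },
  };
}
```

Outside the batch-wrapper case the arguments reach the child process as an array, so no shell ever parses them.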