Command injection due to use of child.execSync with unsanitized user input

[djameson42]

This action seems vulnerable to command injection due to the use of child.execSync on unsanitized user input. See here for documentation which says

"Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution."

Is there any plans to change this? Or is it by design to execute user input inside a shell in this way?

This also affects other bufbuild/buf-* actions