
fix(utils): quote shell arguments to prevent malicious injection

Open matejchalk opened this issue 1 month ago • 2 comments

Attempt to resolve CodeQL alert.

The shell: true flag was introduced way back in #165, and is necessary for Windows support.

matejchalk, Nov 04 '25 16:11

View your CI Pipeline Execution ↗ for commit 08a67cb8d50da8c8381678f7723c784f3e08f29a

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx code-pushup --nx-bail -- print-config --outp... | ❌ Failed | 1m 6s | View ↗ |

☁️ Nx Cloud last updated this comment at 2025-11-06 10:55:46 UTC

nx-cloud[bot], Nov 04 '25 16:11


@code-pushup/ci
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/ci@1136

@code-pushup/cli
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/cli@1136

@code-pushup/core
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/core@1136

@code-pushup/create-cli
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/create-cli@1136

@code-pushup/models
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models@1136

@code-pushup/nx-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/nx-plugin@1136

@code-pushup/coverage-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/coverage-plugin@1136

@code-pushup/eslint-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/eslint-plugin@1136

@code-pushup/js-packages-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/js-packages-plugin@1136

@code-pushup/jsdocs-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/jsdocs-plugin@1136

@code-pushup/lighthouse-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/lighthouse-plugin@1136

@code-pushup/typescript-plugin
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/typescript-plugin@1136

@code-pushup/utils
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/utils@1136

@code-pushup/models-transformers
npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models-transformers@1136

commit: 08a67cb

pkg-pr-new[bot], Nov 04 '25 16:11