Potential fix for code scanning alert no. 12: Shell command built from environment values

[Tanker187]

Potential fix for https://github.com/Tanker187/vite/security/code-scanning/12

In general, you should avoid concatenating filesystem paths or environment-derived values into a single shell command string. Instead, call the underlying program directly and pass dynamic parts as arguments, bypassing the shell so that special characters in paths cannot alter the command structure.

Here, the only problematic use is const buildCommand = ${viteBinPath} buildpassed to `execaCommand(buildCommand, ...)`. We can replace this with a non‑shell call to `execa` that takes `viteBinPath` as the executable and `['build']` as its argument list. That way, `viteBinPath` is never parsed by a shell; it’s used directly as a program path, and `"build"` is a separate argument. To preserve logging, we can keep a human‑readable string for error messages (e.g.const buildCommandDisplay = `"${viteBinPath}" build"``) while using the safer API for execution.

Concretely in playground/cli/__tests__/serve.ts:

• Import execa instead of (or alongside) execaCommand.
• Inside the if (isBuild) block, replace:
  • const buildCommand = ${viteBinPath} build`` with:
    • a display string for logging; and
    • a safe call like execa(viteBinPath, ['build'], { ... }).
• Update the error logging to use the display string instead of the now‑removed buildCommand variable.

No changes are needed in playground/vitestSetup.ts.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.