From 1ad971cbbfd9037dce5d15bdc79e8293b1a26f4c Mon Sep 17 00:00:00 2001
From: mhassan1
Date: Tue, 16 Sep 2025 12:47:32 -0400
Subject: [PATCH 1/2] fix(utils): remove incorrect `async` from `emptyFolder`

---
 lib/utils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/utils.js b/lib/utils.js
index 3c9ad024e..4361c0297 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -476,7 +476,7 @@ module.exports.isNotSet = function (obj) {
   return false
 }
 
-module.exports.emptyFolder = async directoryPath => {
+module.exports.emptyFolder = directoryPath => {
   require('child_process').execSync(`rm -rf ${directoryPath}/*`)
 }
 

From c96ca5b5eb82c0b3a7082a3db78ba56dd4c3b052 Mon Sep 17 00:00:00 2001
From: mhassan1
Date: Tue, 16 Sep 2025 12:48:40 -0400
Subject: [PATCH 2/2] fix(utils): resolve command injection vulnerability in `emptyFolder`

---
 lib/utils.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/utils.js b/lib/utils.js
index 4361c0297..408600000 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -477,7 +477,11 @@ module.exports.isNotSet = function (obj) {
 }
 
 module.exports.emptyFolder = directoryPath => {
-  require('child_process').execSync(`rm -rf ${directoryPath}/*`)
+  // Do not throw on non-existent directory, since it may be created later
+  if (!fs.existsSync(directoryPath)) return
+  for (const file of fs.readdirSync(directoryPath)) {
+    fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })
+  }
 }
 
 module.exports.printObjectProperties = obj => {
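Review bot: In the second patch, the `fs.existsSync(directoryPath)` guard followed by `fs.readdirSync(directoryPath)` leaves a window in which the directory can disappear between the two calls, and a path that exists but is not a directory surfaces as an unexplained ENOTDIR; reading first and treating only ENOENT as "nothing to do" removes the race and makes every other failure deliberate. `readdirSync` also returns dot-entries, which the old `rm -rf ${directoryPath}/*` glob would normally have skipped, so hidden files in the folder are now deleted as well, and the comment should say whether that is intended. `fs` and `path` are not required inside the hunk, so this assumes both are already bound at the top of lib/utils.js. Dropping the shell closes the injection, but `directoryPath` is still used unvalidated, so callers that take it from configuration should confirm it resolves inside the expected output directory before calling.

```javascript
module.exports.emptyFolder = directoryPath => {
  let entries
  try {
    entries = fs.readdirSync(directoryPath)
  } catch (err) {
    // Do not throw on non-existent directory, since it may be created later
    if (err.code === 'ENOENT') return
    throw err
  }
  // Note: includes dot-entries, unlike the former `rm -rf dir/*` glob
  for (const file of entries) {
    // … unchanged: fs.rmSync(path.join(directoryPath, file), …) …
  }
}
```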