Crashes (and potential code injection) if pwd contains spaces or special characters

[jimrandomh]

https://github.com/gajus/pg-formatter/blob/master/src/format.js#L112 runs perl with an executablePath which is not properly quoted. If the working-directory name contains spaces or other special characters, they will be interpreted as shell syntax. In the normal case, someone made the mistake of checking out their project to a directory with spaces in a parent path, and this winds up crashing. (This happened to another developer on my team). In the worst case, admittedly an unlikely case given how this library would normally be used but definitely not impossible, this is running in a context where the parent path has an attacker-controlled directory name in it, and this injects arbitrary shell or perl code.

[github-actions]

🎉 This issue has been resolved in version 2.0.6 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[npdev453]

@jimrandomh, Hi! Could you please review a changes in new release? And maybe can ask another developer on your team to check it?