chore: use execFileSync for safety in release scripts

Author: danielroe

scripts/bump-nightly.ts

@@ -1,5 +1,5 @@
 import process from 'node:process'
-import { execSync } from 'node:child_process'
+import { execFileSync } from 'node:child_process'
 import { inc } from 'semver'
 import { determineBumpType, getLatestTag, loadWorkspace } from './_utils.ts'
 
@@ -13,13 +13,13 @@ const nightlyPackages = {
 export async function bumpNightly () {
   const workspace = await loadWorkspace(process.cwd())
 
-  const commit = execSync('git rev-parse --short HEAD').toString('utf-8').trim().slice(0, 8)
+  const commit = execFileSync('git', ['rev-parse', '--short', 'HEAD'], { encoding: 'utf-8' }).trim().slice(0, 8)
   const date = Math.round(Date.now() / (1000 * 60))
 
   // TODO: revert after release of v4.2.0
   // Get the date of the latest tag to filter out merged history commits
   const latestTagName = await getLatestTag()
-  const tagDate = execSync(`git log -1 --format=%ai ${latestTagName}`, { encoding: 'utf-8' })
+  const tagDate = execFileSync('git', ['log', '-1', '--format=%ai', latestTagName], { encoding: 'utf-8' })
   const sinceDate = tagDate.trim()
 
   const bumpType = await determineBumpType(sinceDate)

scripts/release.ts

@@ -1,6 +1,6 @@
 /* eslint-disable no-console */
 import process from 'node:process'
-import { execSync } from 'node:child_process'
+import { execFileSync, execSync } from 'node:child_process'
 import { copyFileSync, readFileSync, readdirSync, writeFileSync } from 'node:fs'
 import { resolve } from 'node:path'
 
@@ -14,6 +14,11 @@ function execCommand (command: string, cwd?: string): void {
   execSync(command, { stdio: 'inherit', cwd })
 }
 
+function execFile (file: string, args: string[], cwd?: string): void {
+  console.info(`🔧 Running: ${file} ${args.join(' ')}`)
+  execFileSync(file, args, { stdio: 'inherit', cwd })
+}
+
 function readPackageJson (dir: string): PackageJson {
   const pkgPath = resolve(dir, 'package.json')
   return JSON.parse(readFileSync(pkgPath, 'utf-8'))
@@ -153,7 +158,7 @@ async function main () {
 
       // Publish with primary tag with trusted publishing
       console.info(`🏷️ Publishing ${pkgDir} with tag: ${tag}`)
-      execCommand(`pnpm publish --access public --no-git-checks --tag ${tag}`)
+      execFile('pnpm', ['publish', '--access', 'public', '--no-git-checks', '--tag', tag])
 
       const pkg = readPackageJson('.')
       published.push({ name: pkg.name, version: pkg.version })

scripts/update-changelog.ts

@@ -1,5 +1,5 @@
 import process from 'node:process'
-import { execSync } from 'node:child_process'
+import { execFileSync } from 'node:child_process'
 import { $fetch } from 'ofetch'
 import { inc } from 'semver'
 import { generateMarkDown, getCurrentGitBranch, loadChangelogConfig } from 'changelogen'
@@ -18,7 +18,7 @@ async function main () {
   // TODO: revert after release of v4.2.0
   // Get the date of the latest tag to filter out merged history commits
   const latestTagName = await getLatestTag()
-  const tagDate = execSync(`git log -1 --format=%ai ${latestTagName}`, { encoding: 'utf-8' })
+  const tagDate = execFileSync('git', ['log', '-1', '--format=%ai', latestTagName], { encoding: 'utf-8' })
   const sinceDate = tagDate.trim()
 
   const commits = await getLatestCommits(sinceDate).then(commits => commits.filter(
@@ -30,19 +30,19 @@ async function main () {
   const changelog = await generateMarkDown(commits, config)
 
   // Create and push a branch with bumped versions if it has not already been created
-  const branchExists = execSync(`git ls-remote --heads origin v${newVersion}`).toString().trim().length > 0
+  const branchExists = execFileSync('git', ['ls-remote', '--heads', 'origin', `v${newVersion}`], { encoding: 'utf-8' }).trim().length > 0
   if (!branchExists) {
-    execSync('git config --global user.email "daniel@roe.dev"')
-    execSync('git config --global user.name "Daniel Roe"')
-    execSync(`git checkout -b v${newVersion}`)
+    execFileSync('git', ['config', '--global', 'user.email', 'daniel@roe.dev'])
+    execFileSync('git', ['config', '--global', 'user.name', 'Daniel Roe'])
+    execFileSync('git', ['checkout', '-b', `v${newVersion}`])
 
     for (const pkg of workspace.packages.filter(p => !p.data.private)) {
       workspace.setVersion(pkg.data.name, newVersion!)
     }
     await workspace.save()
 
-    execSync(`git commit -am v${newVersion}`)
-    execSync(`git push -u origin v${newVersion}`)
+    execFileSync('git', ['commit', '-am', `v${newVersion}`])
+    execFileSync('git', ['push', '-u', 'origin', `v${newVersion}`])
   }
 
   // Get the current PR for this release, if it exists