fix: quote spawn args

.snyk

@@ -1,4 +1,10 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.7.1
-ignore: {}
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  'snyk:lic:npm:shescape:MPL-2.0':
+    - '*':
+        reason: None Given
+        expires: 2122-12-29T08:08:41.608Z
+        created: 2022-11-29T08:08:41.611Z
 patch: {}

lib/docker.ts

@@ -55,12 +55,12 @@ class Docker {
     targetImage: string,
     options?: DockerOptions,
   ): Promise<subProcess.CmdOutput> {
-    const opts: string[] = ["pull", targetImage];
+    const args: string[] = ["pull", targetImage];
     if (options?.platform) {
-      opts.push(`--platform=${options.platform}`);
+      args.push(`--platform=${options.platform}`);
     }
 
-    return subProcess.execute("docker", opts);
+    return subProcess.execute("docker", args);
   }
 
   public async save(targetImage: string, destination: string) {

lib/sub-process.ts

@@ -1,4 +1,5 @@
 import * as childProcess from "child_process";
+import { quoteAll } from "shescape";
 
 export { execute, CmdOutput };
 interface CmdOutput {
@@ -8,13 +9,14 @@ interface CmdOutput {
 
 function execute(
   command: string,
-  args?: string[],
+  args: string[],
   options?,
 ): Promise<CmdOutput> {
   const spawnOptions: any = { shell: true };
   if (options && options.cwd) {
     spawnOptions.cwd = options.cwd;
   }
+  args = quoteAll(args, spawnOptions);
 
   return new Promise((resolve, reject) => {
     let stdout = "";

package.json

@@ -44,6 +44,7 @@
     "gunzip-maybe": "^1.4.2",
     "mkdirp": "^1.0.4",
     "semver": "^7.3.4",
+    "shescape": "1.6.1",
     "snyk-nodejs-lockfile-parser": "1.40.0",
     "snyk-poetry-lockfile-parser": "^1.1.7",
     "tar-stream": "^2.1.0",