From 7b1e063b7af3e41dbfbcfb68b0ba74ad6bc88159 Mon Sep 17 00:00:00 2001
From: SFARPak <89567338+SFARPak@users.noreply.github.com>
Date: Mon, 15 Sep 2025 00:09:56 +0500
Subject: [PATCH] Potential fix for code scanning alert no. 16: Shell command built from environment values
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 packages/build/src/esbuild.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/build/src/esbuild.ts b/packages/build/src/esbuild.ts
index 75b81d518..0cb09ac7f 100644
--- a/packages/build/src/esbuild.ts
+++ b/packages/build/src/esbuild.ts
@@ -1,6 +1,6 @@
 import * as fs from "fs"
 import * as path from "path"
-import { execSync } from "child_process"
+import { execSync, execFileSync } from "child_process"
 import { ViewsContainer, Views, Menus, Configuration, contributesSchema } from "./types.js"
@@ -47,7 +47,7 @@ function rmDir(dirPath: string, maxRetries: number = 5): void {
 // Try to clear readonly flags on Windows.
 if (process.platform === "win32") {
 try {
- execSync(`attrib -R "${dirPath}\\*.*" /S /D`, { stdio: "ignore" })
+ execFileSync("attrib", ["-R", `${dirPath}\\*.*`, "/S", "/D"], { stdio: "ignore" })
 } catch {
 // Ignore attrib errors.
 }
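Review bot: The new `execFileSync("attrib", …)` call in rmDir still resolves the bare name `attrib` through the process search path, which on Windows can include the current working directory, so a build run inside an untrusted checkout could pick up a planted `attrib.exe` instead of the system tool. Pinning the binary closes that gap, for example `const attrib = path.join(process.env.SystemRoot ?? "C:\\Windows", "System32", "attrib.exe")` passed as the first argument. In the import hunk `execSync` stays imported; if this was its last use in the file (not visible from the patch), drop it so the shell-spawning API is no longer in scope for later edits. rmDir's body starts and ends outside the hunk.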