Replace execSync() shell cmds w/ array args to avoid injection

kudo-sync-bot · kudo-sync-bot · commit ae85e041cac7 · 2025-09-07T17:28:15.000-07:00
Co-Authored-By: DeepSeek AI <230719390+deepseek-chat-ai@users.noreply.github.com> ↞ [auto-sync from https://github.com/adamlui/ai-web-extensions/tree/main/perplexity-omnibox]
diff --git a/utils/bump/extension-manifests.js b/utils/bump/extension-manifests.js
@@ -43,7 +43,9 @@
             console.log(`Checking last commit details for ${platformManifestPath}...`)
             try {
                 const latestCommitMsg = execSync(
-                    `git log -1 --format=%s -- "${platformManifestPath}"`, { encoding: 'utf8' }).trim()
+                    `git log -1 --format=%s -- "${path.relative(process.cwd(), path.dirname(manifestPath))}"`,
+                    { encoding: 'utf8' }
+                ).trim()
                 bump.log.hash(`${latestCommitMsg}\n`)
                 if (/bump.*(?:ersion|manifest)/i.test(latestCommitMsg)) {
                     console.log('No changes found. Skipping...\n') ; continue }
@@ -76,7 +78,7 @@
         // git add/commit/push
         try {
             execSync('git add ./**/manifest.json')
-            execSync(`git commit -n -m "${commitMsg}"`)
+            execSync('git', ['commit', '-n', '-m', commitMsg], { stdio: 'inherit', encoding: 'utf-8' })
             if (!noPush) {
                 bump.log.working('\nPulling latest changes from remote to sync local repository...\n')
                 execSync('git pull')
