fix(@nestjs/cli): disable shell execution on unix to prevent command injection

[seoyeonjin]

PR Checklist

Please check if your PR fulfills the following requirements:

• The commit message follows our guidelines: https://github.com/nestjs/nest/blob/master/CONTRIBUTING.md
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

[x] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[ ] CI related changes
[ ] Other... Please describe:

What is the current behavior?

The CLI currently enables shell execution (shell: true) on all platforms when spawning child processes. This creates a command injection vulnerability on Unix-like systems (macOS/Linux) where shell metacharacters can be exploited to execute malicious commands.

Commands containing $(), ${}, or other shell expansions can potentially execute arbitrary code on the system.

Issue Number: #3064

What is the new behavior?

Shell execution is now disabled on Unix-like systems (macOS/Linux) while remaining enabled on Windows for compatibility. This prevents command injection attacks on Unix systems while maintaining cross-platform functionality.

Changes:

• Unix systems: shell: false - prevents shell metacharacter exploitation
• Windows: shell: true - maintains compatibility
• Commands are safely passed as separate arguments to prevent injection

Does this PR introduce a breaking change?

[ ] Yes
[x] No

Other information