Add security comments clarifying safe shell command usage

Added comments explaining that null device paths are hardcoded constants
and safe to use in shell commands, addressing static analysis concerns.

Co-authored-by: swissspidy <[email protected]>

Author: Copilot

src/WP_CLI/PackageValidator.php

@@ -76,6 +76,7 @@ private static function is_unzip_available() {
 		if ( null === $is_available ) {
 			// Check if unzip is in PATH by trying to get its version.
 			// Suppress output to avoid cluttering the console.
+			// Note: Redirection to null device is safe as the device path is a hardcoded constant.
 			$null_device = '\\' === DIRECTORY_SEPARATOR ? 'NUL' : '/dev/null';
 			$result      = WP_CLI::launch(
 				'unzip -v > ' . escapeshellarg( $null_device ) . ' 2>&1',
@@ -96,6 +97,7 @@ private static function is_unzip_available() {
 	 */
 	private static function validate_with_unzip( $file_path ) {
 		// Suppress output - use platform-appropriate null device.
+		// Note: Null device path is a hardcoded constant, safe to use in shell commands.
 		$null_device = '\\' === DIRECTORY_SEPARATOR ? 'NUL' : '/dev/null';
 		$command     = 'unzip -t ' . escapeshellarg( $file_path ) . ' > ' . escapeshellarg( $null_device ) . ' 2>&1';