From 2dc547f8b039dc77fe2cbdd0715d07b2f4c735d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Proen=C3=A7a?= <8202400+pproenca@users.noreply.github.com> Date: Sat, 7 Mar 2026 21:54:14 +0000 Subject: [PATCH] fix: prevent command injection in update-versions git log --- scripts/update-versions.mjs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/scripts/update-versions.mjs b/scripts/update-versions.mjs index e10c793b..ab308f62 100644 --- a/scripts/update-versions.mjs +++ b/scripts/update-versions.mjs @@ -11,7 +11,7 @@ * Usage: node scripts/update-versions.mjs [--dry-run] */ -import { execSync } from "node:child_process"; +import { execFileSync } from "node:child_process"; import { readFileSync, writeFileSync, existsSync, readdirSync } from "node:fs"; import { join, basename } from "node:path"; @@ -35,8 +35,9 @@ function getSkillDirs() { function getGitLog(skillDir) { const rel = skillDir.replace(ROOT + "/", ""); try { - const out = execSync( - `git log --oneline --reverse --format="%s" -- "${rel}"`, + const out = execFileSync( + "git", + ["log", "--oneline", "--reverse", "--format=%s", "--", rel], { cwd: ROOT, encoding: "utf-8" } ); return out
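Review bot: The `--` in the new argv stops `rel` from being parsed as a git option, but git still interprets it as a pathspec, so a skill directory name starting with `:` (pathspec magic such as `:!` or `:/`) or containing `*`/`?`/`[` would be expanded rather than matched literally; passing `` `:(literal)${rel}` `` after `--` closes that gap. This is likely belt-and-braces if `skillDir` only ever comes from `readdirSync` over a repo-controlled tree, but the commit's purpose is to make this call safe against arbitrary names, so it is worth the one-token change. Separately, `--oneline` is now redundant because the later `--format=%s` overrides its pretty format, and `skillDir.replace(ROOT + "/", "")` strips the first match rather than the prefix, which `relative(ROOT, skillDir)` from `node:path` would do exactly. The rest of `getGitLog` (the `return` expression and the `catch`) continues outside the hunk.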