refactor(create): Use execFile rather than exec

Recommended by the code scan as a better way that is not as vulnerable to injection
vendure-ecommerce · Oct 14, 2024 · ff23486 · ff23486
1 parent 85d0a05
commit ff23486
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/packages/create/src/helpers.ts b/packages/create/src/helpers.ts
@@ -1,7 +1,7 @@
 import { cancel, isCancel, spinner } from '@clack/prompts';
 import spawn from 'cross-spawn';
 import fs from 'fs-extra';
-import { exec, execSync, execFileSync } from 'node:child_process';
+import { execFile, execSync, execFileSync } from 'node:child_process';
 import { platform } from 'node:os';
 import { promisify } from 'node:util';
 import path from 'path';
@@ -408,9 +408,14 @@ export async function startPostgresDatabase(root: string): Promise<boolean> {
     const postgresContainerSpinner = spinner();
     postgresContainerSpinner.start('Starting PostgreSQL database');
     try {
-        const result = await promisify(exec)(
-            `docker compose -f ${path.join(root, 'docker-compose.yml')} up -d postgres_db`,
-        );
+        const result = await promisify(execFile)(`docker`, [
+            `compose`,
+            `-f`,
+            path.join(root, 'docker-compose.yml'),
+            `up`,
+            `-d`,
+            `postgres_db`,
+        ]);
         containerName = result.stderr.match(/Container\s+(.+-postgres_db[^ ]*)/)?.[1];
         if (!containerName) {
             // guess the container name based on the directory name