twenty/packages
Zeroday BYTE 4aae6bae1c fix(packages): shell command built from environment values (#12386)
b7473371b3/packages/twenty-server/src/engine/core-modules/serverless/commands/add-packages.command.ts (L6-L6)


b7473371b3/packages/twenty-server/src/engine/core-modules/serverless/commands/add-packages.command.ts (L10-L10)


b7473371b3/packages/twenty-server/src/engine/core-modules/serverless/commands/add-packages.command.ts (L79-L79)

To fix the issue, we should avoid dynamically constructing the shell command.
Instead, we can use `execFile` or `execFileSync`, which allows us to
pass arguments as an array, avoiding shell interpretation of special
characters. This ensures that the `folderPath` is treated as a literal
argument and not subject to command injection.

Specifically:
1. Replace the use of `execPromise` with `execFilePromise` (a
promisified version of `execFile`).
2. Modify the `addToGit` method to pass the `folderPath` as an argument
to `git add` instead of interpolating it into the command string.



---
2025-06-03 11:35:31 +02:00
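The difference the commit message describes, as an added example that is not code from the twenty repository: a child Node process that prints its argument vector stands in for `git add`, and `folderPath` holds a constructed value. The names `viaShell` and `viaExecFile` are hypothetical.

```javascript
const { execSync, execFileSync } = require('node:child_process');

// Stand-in for `git add` (assumption for this example): a child Node
// process that prints the arguments it actually received, as JSON.
const PRINT_ARGV = 'console.log(JSON.stringify(process.argv.slice(1)))';

// Constructed value standing in for a folder path taken from the environment.
const folderPath = 'packages; echo INJECTED';

// Before: the value is interpolated into one string that /bin/sh parses,
// so shell metacharacters in it are interpreted rather than passed through.
function viaShell(path) {
  const cmd = `"${process.execPath}" -e '${PRINT_ARGV}' add ${path}`;
  return execSync(cmd, { encoding: 'utf8' }).trim().split('\n');
}

// After: the program and its arguments are passed separately and no shell
// is started, so the value arrives as a single literal argument.
function viaExecFile(path) {
  const args = ['-e', PRINT_ARGV, 'add', path];
  const out = execFileSync(process.execPath, args, { encoding: 'utf8' });
  return out.trim().split('\n');
}

// Show both results when the file is run directly.
console.log('shell string :', viaShell(folderPath));
console.log('argv array   :', viaExecFile(folderPath));
```

With the real `git add`, placing `--` before the path in the argument array also keeps a value that begins with `-` from being read as an option, which `execFile` alone does not prevent.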