Potential fix for code scanning alert no. 25: Shell command built from environment values

lucas-zimerman · github-advanced-security[bot] · web-flow · commit 57f7f3b8af7d · 2025-10-02T16:29:49.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/scripts/check-replay-stubs.js b/scripts/check-replay-stubs.js
@@ -1,5 +1,5 @@
 import { danger, warn } from "danger";
-import { execSync } from "child_process";
+import { execSync, execFileSync } from "child_process";
 import fs from "fs";
 import path from "path";
 
@@ -23,7 +23,7 @@ const oldSrc = path.join(process.cwd(), "replay-stubs-old-src");
 
 // Tool for decompiling JARs.
 execSync(`curl -L -o ${jsDist}/jd-cli.zip https://github.com/intoolswetrust/jd-cli/releases/download/jd-cli-1.2.0/jd-cli-1.2.0-dist.zip`);
-execSync(`unzip -o ${jsDist}/jd-cli.zip -d ${jsDist}`);
+execFileSync("unzip", ["-o", `${jsDist}/jd-cli.zip`, "-d", jsDist]);
 
 const newJarPath = path.join(jsDist, "replay-stubs.jar");
 fs.copyFileSync("packages/core/android/libs/replay-stubs.jar", newJarPath);
