fix(create-locales): shell command built from environment values

[odaysec]

addons-frontend/bin/create-locales

Line 15 in 1cd93c9

const shell = require('shelljs');

addons-frontend/bin/create-locales

Lines 37 to 38 in 1cd93c9

	shell.exec(`msginit --no-translator --input=${templateDir}/amo.pot
	--output-file=${outputFile} -l ${locale}`.replace('\n', ' '));

Fix the issue, we will replace the use of shell.exec with a safer alternative that avoids shell interpretation of dynamic values. Specifically, we will use child_process.execFileSync, which allows us to pass arguments to the command as an array, ensuring that special characters in the arguments are not interpreted by the shell.

1. Replace the shell.exec call on line 37 with a call to child_process.execFileSync.
2. Import the child_process module at the top of the file if it is not already imported.
3. Construct the command and its arguments separately, passing the arguments as an array to execFileSync.

---

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.29%. Comparing base (1cd93c9) to head (6f78a7f).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #13607   +/-   ##
=======================================
  Coverage   98.29%   98.29%           
=======================================
  Files         268      268           
  Lines       10644    10644           
  Branches     3263     3263           
=======================================
  Hits        10462    10462           
  Misses        169      169           
  Partials       13       13           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.