fix(ng-dev): address alan-agius4 review — remove redundant shell default, audit call sites

- Remove `shell: options.shell ?? false` from spawn() and spawnSync() — redundant
  since false is already Node.js default when shell option is omitted entirely.
- Remove Log.warn() from exec() per reviewer suggestion; Node.js itself issues
  the appropriate deprecation warning when exec() is used with shell expansion.
- Audited all ChildProcess.spawn/spawnSync/exec call sites across ng-dev/:
  - external-commands.ts:206  '. ~/.nvm/nvm.sh && nvm install'
    → Added explicit shell: true (requires shell built-in dot command and &&)
  - repo-directory.ts:13  spawnSync('git', ['rev-parse --show-toplevel'])
    → Fixed incorrectly merged args to ['rev-parse', '--show-toplevel']; with
    shell: false (now the default), the single-string form would fail because
    git receives 'rev-parse --show-toplevel' as one literal argument.
  - All other spawn/spawnSync calls use plain binary + args arrays and are safe
    with the secure shell: false default.
- SpawnOptions.shell remains exposed for callers that genuinely require it.

Author: herdiyanitdev

ng-dev/release/publish/external-commands.ts

@@ -202,10 +202,12 @@ export abstract class ExternalCommands {
     }
 
     try {
-      // We must source nvm.sh so the shell recognizes the 'nvm' command since nvm is not a binary but a shell script.
+      // We must source nvm.sh so the shell recognizes the 'nvm' command since nvm is not a binary
+      // but a shell function. The dot (.) built-in and && operator require shell: true here.
       await ChildProcess.spawn('. ~/.nvm/nvm.sh && nvm install', [], {
         cwd: projectDir,
         mode: 'on-error',
+        shell: true,
       });
 
       if (!quiet) {

ng-dev/utils/child-process.ts

@@ -99,7 +99,7 @@ export abstract class ChildProcess {
       signal,
       stdout,
       stderr,
-    } = _spawnSync(command, args, {...options, env, encoding: 'utf8', shell: options.shell ?? false, stdio: 'pipe'});
+    } = _spawnSync(command, args, {...options, env, encoding: 'utf8', stdio: 'pipe'});
 
     /** The status of the spawn result. */
     const status = statusFromExitCodeAndSignal(exitCode, signal);
@@ -130,7 +130,7 @@ export abstract class ChildProcess {
     return processAsyncCmd(
       commandText,
       options,
-      _spawn(command, args, {...options, env, shell: options.shell ?? false, stdio: 'pipe'}),
+      _spawn(command, args, {...options, env, stdio: 'pipe'}),
     );
   }
 
@@ -143,9 +143,6 @@ export abstract class ChildProcess {
    *   rejects on command failure.
    */
   static exec(command: string, options: ExecOptions = {}): Promise<SpawnResult> {
-    Log.warn(
-      'ChildProcess.exec is susceptible to command injection. Prefer ChildProcess.spawn with an explicit args array.',
-    );
     const env = getEnvironmentForNonInteractiveCommand(options.env);
     return processAsyncCmd(command, options, _exec(command, {...options, env}));
   }

ng-dev/utils/repo-directory.ts

@@ -10,7 +10,7 @@ import {ChildProcess} from './child-process.js';
 
 /** Determines the repository base directory from the current working directory. */
 export function determineRepoBaseDirFromCwd() {
-  const {stdout, stderr, status} = ChildProcess.spawnSync('git', ['rev-parse --show-toplevel']);
+  const {stdout, stderr, status} = ChildProcess.spawnSync('git', ['rev-parse', '--show-toplevel']);
   if (status !== 0) {
     throw Error(
       `Unable to find the path to the base directory of the repository.\n` +