fix: increase shlex usage

Author: rarkins

lib/modules/manager/bundler/artifacts.ts

@@ -143,7 +143,7 @@ export async function updateArtifacts(
         if (hostRule.resolvedHost?.includes('-')) {
           // TODO: fix me, hostrules can missing all auth
           const creds = getAuthenticationHeaderValue(hostRule);
-          authCommands.push(`${hostRule.resolvedHost} ${creds}`);
+          authCommands.push(`${quote(hostRule.resolvedHost)} ${quote(creds)}`);
         }
         return authCommands;
       },

lib/modules/manager/cargo/artifacts.ts

@@ -53,8 +53,8 @@ async function cargoUpdatePrecise(
     cmds.push(
       `cargo update --config net.git-fetch-with-cli=true` +
         ` --manifest-path ${quote(manifestPath)}` +
-        ` --package ${dep.packageName!}@${dep.lockedVersion}` +
-        ` --precise ${dep.newVersion}`,
+        ` --package ${quote(`${dep.packageName}@${dep.lockedVersion}`)}` +
+        ` --precise ${quote(dep.newVersion!)}`,
     );
   }
 

lib/modules/manager/composer/artifacts.ts

@@ -181,7 +181,9 @@ export async function updateArtifacts({
           'update ' +
           updatedDeps
             .map((dep) =>
-              dep.newVersion ? `${dep.depName}:${dep.newVersion}` : dep.depName,
+              dep.newVersion
+                ? quote(`${dep.depName}:${dep.newVersion}`)
+                : quote(dep.depName!),
             )
             .filter(is.string)
             .map((dep) => quote(dep))

lib/modules/manager/hermit/artifacts.ts

@@ -1,3 +1,4 @@
+import { quote } from 'shlex';
 import upath from 'upath';
 import { logger } from '../../../logger';
 import { exec } from '../../../util/exec';
@@ -210,7 +211,7 @@ async function updateHermitPackage(update: UpdateArtifact): Promise<void> {
   };
 
   const packagesToInstall = toInstall.join(' ');
-  const fromPackages = from.join(' ');
+  const fromPackages = from.map(quote).join(' ');
 
   const execCommands = `./hermit install ${packagesToInstall}`;
   logger.debug(

lib/modules/manager/pep621/processors/pdm.ts

@@ -1,4 +1,5 @@
 import is from '@sindresorhus/is';
+import { quote } from 'shlex';
 import { TEMPORARY_ERROR } from '../../../../constants/error-messages';
 import { logger } from '../../../../logger';
 import { exec } from '../../../../util/exec';
@@ -139,7 +140,7 @@ function generateCMDs(updatedDeps: Upgrade[]): string[] {
         const [group, name] = dep.depName!.split('/');
         addPackageToCMDRecord(
           packagesByCMD,
-          `${pdmUpdateCMD} -G ${group}`,
+          `${pdmUpdateCMD} -G ${quote(group)}`,
           name,
         );
         break;
@@ -148,7 +149,7 @@ function generateCMDs(updatedDeps: Upgrade[]): string[] {
         const [group, name] = dep.depName!.split('/');
         addPackageToCMDRecord(
           packagesByCMD,
-          `${pdmUpdateCMD} -dG ${group}`,
+          `${pdmUpdateCMD} -dG ${quote(group)}`,
           name,
         );
         break;
@@ -160,7 +161,7 @@ function generateCMDs(updatedDeps: Upgrade[]): string[] {
   }
 
   for (const commandPrefix in packagesByCMD) {
-    const packageList = packagesByCMD[commandPrefix].join(' ');
+    const packageList = packagesByCMD[commandPrefix].map(quote).join(' ');
     const cmd = `${commandPrefix} ${packageList}`;
     cmds.push(cmd);
   }