From f43e90d43afe7d61e40b0ce3d9710de532818cf7 Mon Sep 17 00:00:00 2001
From: Nguyen Tran
Date: Sun, 3 May 2026 21:28:11 +0700
Subject: [PATCH] fix(render): drop shell:true from hyperframes spawn
shell:true is a command-injection foot-gun: if any user-derived string ever flows into args, it would be interpreted by the shell. Args are all internal today so behaviour is unchanged, but removing the option now makes the codebase safer by default. On macOS/Linux npx resolves correctly via PATH without a shell wrapper.
---
 src/render/hyperframes-runner.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/render/hyperframes-runner.ts b/src/render/hyperframes-runner.ts
index 3f2c6a6..ea53cc5 100644
--- a/src/render/hyperframes-runner.ts
+++ b/src/render/hyperframes-runner.ts
@@ -26,7 +26,6 @@ export async function renderWithHyperframes(args: RenderArgs): Promise {
 await new Promise((resolve, reject) => {
 const proc = spawn("npx", spawnArgs, {
 stdio: ["ignore", "inherit", "inherit"],
- shell: true,
 });
 proc.on("close", (code) => {
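Review bot: Without the shell wrapper, a failure to launch `npx` is reported as an `"error"` event on `proc` instead of a non-zero exit code from the shell, and the hunk shows only a `"close"` handler. The promise callback continues outside the hunk, so this may already be covered; if it is not, add `proc.on("error", reject);` next to the close handler so a missing or unstartable `npx` rejects the promise rather than raising an unhandled event. The commit message's "behaviour is unchanged" is argued only for macOS/Linux: on Windows `npx` is a `.cmd` shim that `spawn` cannot start directly, so if Windows is a supported platform it needs separate handling, and otherwise a comment above the call such as `// no shell: args are passed as an argv array; POSIX only (npx is a .cmd shim on Windows)` would record the constraint.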