From 53a5a425f7e9bc66785975ae626ab3c70288a5d0 Mon Sep 17 00:00:00 2001
From: Donghao Ren <donghao.ren@gmail.com>
Date: Fri, 15 Sep 2017 07:44:28 -0700
Subject: [PATCH] Use child_process.execFile to prevent unescaped stuff (#2206)

Fix #2173
---
 app/plugins/install.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/plugins/install.js b/app/plugins/install.js
index da322fbb..a4824a52 100644
--- a/app/plugins/install.js
+++ b/app/plugins/install.js
@@ -15,12 +15,11 @@ module.exports = {
         const cmd = [process.execPath, yarn].concat(args).join(' ');
         console.log('Launching yarn:', cmd);
 
-        cp.exec(cmd, {
+        cp.execFile(process.execPath, [yarn].concat(args), {
           cwd: plugs.base,
           env,
-          shell: true,
           timeout: ms('5m'),
-          stdio: ['ignore', 'ignore', 'inherit']
+          maxBuffer: 1024 * 1024
         }, err => {
           if (err) {
             cb(err);