From a20488960cbd2c98455386108253094897ebfc1c Mon Sep 17 00:00:00 2001
From: Evan Yamanishi <yamanishi1@gmail.com>
Date: Mon, 21 Jun 2021 16:02:24 -0400
Subject: [PATCH] fix: use spawn for more secure input

resolves #58
---
 src/index.ts | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index 06ebcd3..fe98700 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,17 +1,30 @@
 import { valid, compare } from 'semver';
-import { exec } from 'child_process';
+import { spawn } from 'child_process';
 
-const lsRemoteTags = (repo: string): Promise<string> => new Promise(
-	(resolve, reject) => {
-		exec(`git ls-remote --tags ${repo}`, (_, stdout, stderr) => {
-			if (stderr) reject(new Error(stderr));
-			resolve(stdout.toString().trim());
-		});
-	},
-);
+const lsRemoteTags = (repoPath: string): Promise<string> => new Promise((resolve, reject) => {
+	let stderr = '';
+	let stdout = '';
+
+	const child = spawn('git', ['ls-remote', '--tags', repoPath]);
+
+	child.stdout.on('data', (data) => {
+		stdout += data;
+	});
+
+	child.stderr.on('data', (data) => {
+		stderr += data;
+	});
+
+	child.on('error', reject);
+
+	child.on('close', (exitCode) => {
+		if (exitCode !== 0 || stderr.length) reject(new Error(stderr));
+		resolve(stdout.toString().trim());
+	});
+});
 
 const parseTags = (tags: string): Map<string, string> => {
-	const tagMap = new Map();
+	const tagMap = new Map<string, string>();
 	tags.split('\n')
 		.forEach((str) => {
 			const ref = str.split(/\t/);