fix(create-docusaurus): fix CLI and remove shelljs escapeShellArg util (#10958)

packages/create-docusaurus/src/index.ts

@@ -13,7 +13,10 @@ import {logger} from '@docusaurus/logger';
 import execa from 'execa';
 import prompts, {type Choice} from 'prompts';
 import supportsColor from 'supports-color';
-import {escapeShellArg, askPreferredLanguage} from '@docusaurus/utils';
+
+// TODO remove dependency on large @docusaurus/utils
+//  would be better to have a new smaller @docusaurus/utils-cli package
+import {askPreferredLanguage} from '@docusaurus/utils';
 
 type LanguagesOptions = {
   javascript?: boolean;
@@ -530,10 +533,7 @@ export default async function init(
 
   if (source.type === 'git') {
     const gitCommand = await getGitCommand(source.strategy);
-    const gitCloneCommand = `${gitCommand} ${escapeShellArg(
+    if ((await execa(gitCommand, [source.url, dest])).exitCode !== 0) {
-      source.url,
-    )} ${escapeShellArg(dest)}`;
-    if (execa.command(gitCloneCommand).exitCode !== 0) {
       logger.error`Cloning Git template failed!`;
       process.exit(1);
     }
@@ -598,8 +598,7 @@ export default async function init(
           {
             env: {
               ...process.env,
-              // Force coloring the output, since the command is invoked by
+              // Force coloring the output
-              // shelljs, which is not an interactive shell
               ...(supportsColor.stdout ? {FORCE_COLOR: '1'} : {}),
             },
           },

packages/docusaurus-utils/src/__tests__/shellUtils.test.ts

@@ -1,19 +0,0 @@
-/**
- * Copyright (c) Facebook, Inc. and its affiliates.
- *
- * This source code is licensed under the MIT license found in the
- * LICENSE file in the root directory of this source tree.
- */
-
-import {escapeShellArg} from '../shellUtils';
-
-describe('shellUtils', () => {
-  it('escapeShellArg', () => {
-    expect(escapeShellArg('hello')).toBe("'hello'");
-    expect(escapeShellArg('*')).toBe("'*'");
-    expect(escapeShellArg('hello world')).toBe("'hello world'");
-    expect(escapeShellArg("'hello'")).toBe("\\''hello'\\'");
-    expect(escapeShellArg('$(pwd)')).toBe("'$(pwd)'");
-    expect(escapeShellArg('hello$(pwd)')).toBe("'hello$(pwd)'");
-  });
-});

packages/docusaurus-utils/src/index.ts

@@ -107,7 +107,6 @@ export {
   getWebpackLoaderCompilerName,
   type WebpackCompilerName,
 } from './webpackUtils';
-export {escapeShellArg} from './shellUtils';
 export {loadFreshModule} from './moduleUtils';
 export {
   getDataFilePath,

packages/docusaurus-utils/src/shellUtils.ts

@@ -1,18 +0,0 @@
-/**
- * Copyright (c) Facebook, Inc. and its affiliates.
- *
- * This source code is licensed under the MIT license found in the
- * LICENSE file in the root directory of this source tree.
- */
-
-// TODO move from shelljs to execa later?
-// Execa is well maintained and widely used
-// Even shelljs recommends execa for security / escaping:
-// https://github.com/shelljs/shelljs/wiki/Security-guidelines
-
-// Inspired by https://github.com/xxorax/node-shell-escape/blob/master/shell-escape.js
-export function escapeShellArg(s: string): string {
-  let res = `'${s.replace(/'/g, "'\\''")}'`;
-  res = res.replace(/^(?:'')+/g, '').replace(/\\'''/g, "\\'");
-  return res;
-}