fix(lifecycle): replace shell-quote with shlex

[yoursunny]

fixes #9381

[Copilot]

Pull Request Overview

This PR replaces the previous use of shell-quote with shlex for quoting command arguments, aligning dependency declarations and tests with the new library.

• Swapped imports and dependency entries from shell-quote to shlex
• Updated test expectations to match shlex.join behavior (removal of = escaping)
• Removed obsolete type packages and updated change log

Reviewed Changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
worker/src/index.ts	Replaced shell-quote import with shlex.join
exec/lifecycle/src/runLifecycleHook.ts	Same import replacement for lifecycle hook quoting
worker/package.json	Swapped dependency from shell-quote to shlex
exec/lifecycle/package.json	Swapped dependency from shell-quote to shlex
pnpm/test/run.ts	Adjusted regex for new quoting semantics
exec/lifecycle/test/index.ts	Updated expected output to match shlex.join
pnpm-workspace.yaml	Updated catalog entries to use shlex
cspell.json	Added “shlex” to the custom dictionary
.changeset/tired-points-brake.md	Documented the migration to shlex

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

Comments suppressed due to low confidence (3)

worker/src/index.ts:11

• [nitpick] Aliasing shlex.join as shellQuote can confuse readers. Rename the import alias to something like shlexJoin or joinArgs to better reflect its origin and purpose.

import { join as shellQuote } from 'shlex'

exec/lifecycle/src/runLifecycleHook.ts:9

• [nitpick] Update the surrounding comment or add a note to clarify that shlex.join is now used instead of shell-quote for argument quoting to keep docs accurate.

import { join as shellQuote } from 'shlex'

worker/package.json:46

• The new dependency shlex does not include TypeScript declarations. Consider adding @types/shlex or bundling type definitions to prevent compilation errors.

    "shlex": "catalog:"

[fz6m]

IMO shlex has few stars and is not popular. adding more third-party libraries to pnpm brings big supply chain risks.

pnpm adds onlyBuiltDependencies for safety, but still includes more third-party libraries.

pnpm should care more about dependency security.

[yoursunny]

IMO shlex has few stars and is not popular. adding more third-party libraries to pnpm brings big supply chain risks.

It solves the bug.
I've been using shlex for years and never got hacked.

[zkochan]

The version of shlex is locked in the lockfile. If it will have a new version, we can review it before upgrading. We also have pnpm audit as part of CI. Also, it is untrue that shlex is not popular. It is a niche library, the number of stars, number of downloads and dependents is high for such a library.