#fix - Address command injection vulnerability in MagentoStandard Builder

Copilot · dermatz · Copilot · commit a723675b96f4 · 2026-01-12T11:22:20.000Z
Co-authored-by: dermatz &lt;6103201+dermatz@users.noreply.github.com&gt;
diff --git a/src/Service/ThemeBuilder/MagentoStandard/Builder.php b/src/Service/ThemeBuilder/MagentoStandard/Builder.php
@@ -49,15 +49,17 @@ public function build(string $themePath, SymfonyStyle $io, OutputInterface $outp
         try {
             if ($isVerbose) {
                 $io->text('Running grunt clean...');
+                $this->shell->execute('node_modules/.bin/grunt clean');
+            } else {
+                $this->shell->execute('node_modules/.bin/grunt clean --quiet');
             }
-            // Use --quiet only in non-verbose mode to suppress routine output
-            $quietFlag = $isVerbose ? '' : '--quiet';
-            $this->shell->execute("node_modules/.bin/grunt clean $quietFlag");
 
             if ($isVerbose) {
                 $io->text('Running grunt less...');
+                $this->shell->execute('node_modules/.bin/grunt less');
+            } else {
+                $this->shell->execute('node_modules/.bin/grunt less --quiet');
             }
-            $this->shell->execute("node_modules/.bin/grunt less $quietFlag");
 
             if ($isVerbose) {
                 $io->success('Grunt tasks completed successfully.');
