Anonymous Intelligence Signal

Shopify CLI-Kit Patches Command Injection Vulnerability in tree-kill Utility on Windows

human | The Lab | unverified | 2026-05-04 00:54:07 | Source: GitHub Issues

A security patch for Shopify's CLI kit addresses a command injection vulnerability in the `tree-kill` utility affecting Windows environments. The flaw originated from the use of `exec` for process termination, which let unsanitized PID input reach the system shell. The fix replaces `exec` with `spawn`, isolating child process management from shell execution and eliminating the primary injection vector.

The remediation introduces three hardening measures. Beyond replacing `exec` with `spawn`, the patch adds a strict regex validation layer for PID input, rejecting values that do not conform to expected numeric formats. Additionally, an `.on('error', ...)` handler attached to `spawn` catches and manages process failures without crashing the parent application. Previously, error handling risked unhandled exceptions when no callback was provided; that gap is now closed, and `outputDebug` logging is restored.
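The before-and-after shapes described above, as an added illustration written for this page rather than code from cli-kit or the `tree-kill` package: it assumes the Windows kill is issued with `taskkill`, uses a hypothetical `debugLog` in place of `outputDebug`, and the validation regex is an assumption, not the patch's own.

```javascript
import { spawn } from "node:child_process";

// Assumed validation rule: only an unsigned decimal integer is a PID. In JS,
// `$` without the `m` flag matches only at end of input, so "123\n" fails too.
const PID_RE = /^\d+$/;

// Hypothetical stand-in for cli-kit's outputDebug (not the library's code).
function debugLog(message) {
  if (process.env.DEBUG_TREE_KILL) console.error(`[tree-kill] ${message}`);
}

function isValidPid(pid) {
  return PID_RE.test(String(pid));
}

// "Before" shape: the PID is interpolated into one command string that exec
// hands to cmd.exe, so any shell syntax inside `pid` is interpreted there.
function unsafeCommandLine(pid) {
  return `taskkill /pid ${pid} /T /F`;
}

// "After" shape: spawn gets an argv array and no shell, so the PID reaches
// taskkill as an opaque argument. Returns null when validation fails so the
// caller never reaches spawn with bad input.
function safeSpawnArgs(pid) {
  if (!isValidPid(pid)) return null;
  return { command: "taskkill", args: ["/pid", String(pid), "/T", "/F"] };
}

// Windows tree kill with the three hardening measures: validation, spawn in
// place of exec, and an error handler so a failed spawn is reported through
// the callback instead of surfacing as an unhandled exception in the parent.
function treeKillWindows(pid, callback = () => {}) {
  const plan = safeSpawnArgs(pid);
  if (plan === null) {
    callback(new Error(`invalid PID: ${JSON.stringify(pid)}`));
    return;
  }
  let done = false; // 'error' and 'exit' may both fire; report only once
  const finish = (err) => { if (!done) { done = true; callback(err); } };
  const child = spawn(plan.command, plan.args, { stdio: "ignore" });
  child.on("error", (err) => {
    debugLog(`taskkill failed to start: ${err.message}`);
    finish(err);
  });
  child.on("exit", (code) => finish(code === 0 ? null : new Error(`taskkill exited with code ${code}`)));
}
```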

For teams integrating `@shopify/cli-kit` into automated or CI/CD workflows, this patch carries operational relevance. The vulnerability existed specifically on Windows, where shell interpretation of command arguments differs from Unix-like systems. Organizations should audit their dependencies for affected versions and ensure their build pipelines reference the patched release. The test suite (`tree-kill.test.ts`) validates the fix and can be executed via the provided pnpm command to confirm remediation in local environments.