From 0029a7e1c1fa8f9a16ce3ef3d913c46cea360c63 Mon Sep 17 00:00:00 2001
From: Sander Declerck
Date: Mon, 27 Oct 2025 10:49:26 +0100
Subject: [PATCH] Add extra comments for regex clarification

---
 packages/safe-chain/src/utils/safeSpawn.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/safe-chain/src/utils/safeSpawn.js b/packages/safe-chain/src/utils/safeSpawn.js
index 8642b07..c398ac2 100644
--- a/packages/safe-chain/src/utils/safeSpawn.js
+++ b/packages/safe-chain/src/utils/safeSpawn.js
@@ -52,7 +52,9 @@ function resolveCommandPath(command) {
 }
 
 export async function safeSpawn(command, args, options = {}) {
-  // command should always be alphanumeric or _ or - to avoid injection
+  // The command is always one of our supported package managers.
+  // It should always be alphanumeric or _ or -
+  // Reject any command names with suspicious characters
   if (!/^[a-zA-Z0-9_-]+$/.test(command)) {
     throw new Error(`Invalid command name: ${command}`);
   }
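Review bot: The first added comment states that `command` is always one of the supported package managers, but the check on the following line only constrains the character set, so nothing in this function enforces that invariant and a reader may assume a stronger guarantee than exists. Either word it as the caller's contract, `// Callers pass one of the supported package-manager names; this check only guards the character set`, or enforce the invariant with an explicit allowlist lookup before the regex. The rewrite also dropped the original comment's rationale ("to avoid injection"); `// Reject anything outside [A-Za-z0-9_-] so the name cannot carry shell metacharacters or path separators` keeps the why next to the regex. safeSpawn's body continues past the end of the hunk.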