Fix scanning issue

packages/safe-chain/src/utils/safeSpawn.js

@@ -107,8 +107,30 @@ export async function safeSpawn(command, args, options = {}) {
  * TL;DR: add support for shell::false
  */
 export async function safeSpawnPy(command, args, options = {}) {
+  // The command is always one of our supported package managers.
+  // It should always be alphanumeric or _ or -
+  // Reject any command names with suspicious characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(command)) {
+    throw new Error(`Invalid command name: ${command}`);
+  }
+
   return new Promise((resolve) => {
-    const child = spawn(command, args, { ...options, shell: false });
+    // On Unix/macOS resolve to full path to avoid PATH ambiguity; keep shell disabled everywhere
+    let cmdToRun = command;
+    if (os.platform() !== "win32") {
+      try {
+        cmdToRun = resolveCommandPath(command);
+      } catch (e) {
+        if (options.stdio === "inherit") {
+          process.stderr.write(
+            `Error: Command '${command}' not found. Please ensure it is installed and available in your PATH.\n`
+          );
+        }
+        return resolve({ status: 1, stdout: "", stderr: e.message || String(e) });
+      }
+    }
+
+    const child = spawn(cmdToRun, args, { ...options, shell: false });
 
     let stdout = "";
     let stderr = "";

packages/safe-chain/src/utils/safeSpawn.spec.js

@@ -274,7 +274,8 @@ describe("safeSpawnPy", () => {
 
     // Verify spawn signature
   assert.strictEqual(spawnCalls.length, 1);
-    assert.strictEqual(spawnCalls[0].command, "pip3");
+  // Allow either bare command or resolved full path
+  assert.match(spawnCalls[0].command, /(^|\/)pip3$/);
     assert.deepStrictEqual(spawnCalls[0].args, ["install", "Jinja2>=3.1,<3.2"]);
     assert.strictEqual(spawnCalls[0].options.shell, false);
     assert.strictEqual(spawnCalls[0].options.stdio, "inherit");