From 53a5a97976f1c324866727711b0ae83bbad6c91a Mon Sep 17 00:00:00 2001
From: mhassan1
Date: Tue, 16 Sep 2025 12:47:32 -0400
Subject: [PATCH 1/2] fix(utils): remove incorrect `async` from `emptyFolder`
---
 lib/utils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/utils.js b/lib/utils.js
index fc73a5afb..b97f1df44 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -456,7 +456,7 @@ module.exports.isNotSet = function (obj) {
 return false;
 };

-module.exports.emptyFolder = async (directoryPath) => {
+module.exports.emptyFolder = (directoryPath) => {
 require('child_process').execSync(`rm -rf ${directoryPath}/*`);
 };

From f58de8da50d16c17b02d0d2d00f39242f8ee774f Mon Sep 17 00:00:00 2001
From: mhassan1
Date: Tue, 16 Sep 2025 12:48:40 -0400
Subject: [PATCH 2/2] fix(utils): resolve command injection vulnerability in `emptyFolder`
---
 lib/utils.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/utils.js b/lib/utils.js
index b97f1df44..a1c6433db 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -457,7 +457,11 @@ module.exports.isNotSet = function (obj) {
 };

 module.exports.emptyFolder = (directoryPath) => {
- require('child_process').execSync(`rm -rf ${directoryPath}/*`);
+ // Do not throw on non-existent directory, since it may be created later
+ if (!fs.existsSync(directoryPath)) return;
+ for (const file of fs.readdirSync(directoryPath)) {
+ fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true });
+ }
 };

 module.exports.printObjectProperties = (obj) => {
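Review bot: In PATCH 1/2, dropping `async` from `emptyFolder` changes its return value from a Promise to `undefined`, and an `execSync` failure now throws synchronously instead of rejecting. `await emptyFolder(dir)` keeps working, but a caller that chains `.then()` or `.catch()` on the result would break; callers are outside this hunk, so that is worth a grep before merge. A one-line JSDoc such as `/** Synchronously removes the contents of directoryPath; throws on failure. */` would make the contract explicit.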
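Review bot: In PATCH 2/2, the `readdirSync` loop deletes more than the `rm -rf ${directoryPath}/*` it replaces: a shell `*` does not match dot-entries by default, whereas `readdirSync` returns them, so files such as `.gitkeep` are now removed too. If that is intended, say so next to the existing comment, e.g. `// Removes every entry, including dotfiles (the old shell glob skipped them)`. The new lines also rely on `fs` and `path` bindings that the hunk does not show; confirm both are required at the top of `lib/utils.js`. A path that exists but is not a directory now makes `readdirSync` throw, which the `existsSync` guard does not cover.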