security vulnerability?

[MrEgggga]

almost definitely the wrong place but i got a high security vulnerability when installing this package GHSA-926x-m6m5-3mmp (seems to not show up in the Security tab, i don't know how these things work)

[BigBlueHat]

Looks like the branch variable on this line just needs validating to be a "clean" branch name to avoid someone using that to inject other command line commands:
https://github.com/L33T-KR3W/push-dir/blob/master/index.js#L139

The regex from this StackOverflow post looks helpful/promising:

^(?!@$|build-|/|.*([/.]\.|//|@\{|\\))[^\000-\037\177 ~^:?*[]+/[^\000-\037\177 ~^:?*[]+(?<!\.lock|[/.])$