diff --git a/lib/manager/cargo/artifacts.ts b/lib/manager/cargo/artifacts.ts
index 6a6643166b2100b0ac01ea85f7abd383da699c38..c94ff14e40329a0b55d69f072d22bc22fc1137e9 100644
--- a/lib/manager/cargo/artifacts.ts
+++ b/lib/manager/cargo/artifacts.ts
@@ -1,3 +1,4 @@
+import { quote } from 'shlex';
import { logger } from '../../logger';
import { ExecOptions, exec } from '../../util/exec';
import {
@@ -31,7 +32,9 @@ export async function updateArtifacts({
const dep = updatedDeps[i];
// Update dependency `${dep}` in Cargo.lock file corresponding to Cargo.toml file located
// at ${localPackageFileName} path
- let cmd = `cargo update --manifest-path ${packageFileName} --package ${dep}`;
+ let cmd = `cargo update --manifest-path ${quote(
+ packageFileName
+ )} --package ${quote(dep)}`;
const execOptions: ExecOptions = {
docker: {
image: 'renovate/rust',
diff --git a/lib/manager/cocoapods/artifacts.ts b/lib/manager/cocoapods/artifacts.ts
index 5e4d804b8a7e5ea4d61be80808ad9272a5875086..78879f7da9d3890c0b13f2365f49b9ab4e643a15 100644
--- a/lib/manager/cocoapods/artifacts.ts
+++ b/lib/manager/cocoapods/artifacts.ts
@@ -1,3 +1,4 @@
+import { quote } from 'shlex';
import { dirname, join } from 'upath';
import { logger } from '../../logger';
import { platform } from '../../platform';
@@ -18,7 +19,7 @@ function getPluginCommands(content: string): string[] {
const match = pluginRegex.exec(line);
if (match) {
const { plugin } = match.groups;
- result.add(`gem install ${plugin}`);
+ result.add(`gem install ${quote(plugin)}`);
}
});
return [...result];
diff --git a/lib/manager/composer/artifacts.ts b/lib/manager/composer/artifacts.ts
index 6ec2b5be536f1a9069ea2657402933f908a7a7b9..097dccfc08eab0d8772ddc1170b81a3f15e77caa 100644
--- a/lib/manager/composer/artifacts.ts
+++ b/lib/manager/composer/artifacts.ts
@@ -1,6 +1,7 @@
import URL from 'url';
import is from '@sindresorhus/is';
import fs from 'fs-extra';
+import { quote } from 'shlex';
import upath from 'upath';
import { SYSTEM_INSUFFICIENT_DISK_SPACE } from '../../constants/error-messages';
import {
@@ -115,7 +116,8 @@ export async function updateArtifacts({
args = 'install';
} else {
args =
- ('update ' + updatedDeps.join(' ')).trim() + ' --with-dependencies';
+ ('update ' + updatedDeps.map(quote).join(' ')).trim() +
+ ' --with-dependencies';
}
if (config.composerIgnorePlatformReqs) {
args += ' --ignore-platform-reqs';
diff --git a/lib/manager/mix/artifacts.ts b/lib/manager/mix/artifacts.ts
index e6a3e1f39d7fe6642b31aba7f79d81799a5231b6..610d471f09ffc2160a31ad04e9be1ce9efc7e767 100644
--- a/lib/manager/mix/artifacts.ts
+++ b/lib/manager/mix/artifacts.ts
@@ -1,4 +1,5 @@
import fs from 'fs-extra';
+import { quote } from 'shlex';
import upath from 'upath';
import { logger } from '../../logger';
import { platform } from '../../platform';
@@ -61,7 +62,7 @@ export async function updateArtifacts({
/* istanbul ignore next */
try {
- const command = [...cmdParts, ...updatedDeps].join(' ');
+ const command = [...cmdParts, ...updatedDeps.map(quote)].join(' ');
await exec(command, { cwd });
} catch (err) {
logger.warn(
diff --git a/lib/manager/npm/post-update/lerna.ts b/lib/manager/npm/post-update/lerna.ts
index 799cb482a4697617abaf78ab3be89c219170e178..ef5cd9bd4a3d230b2c92a341f92fb5bf9de9e169 100644
--- a/lib/manager/npm/post-update/lerna.ts
+++ b/lib/manager/npm/post-update/lerna.ts
@@ -1,3 +1,4 @@
+import { quote } from 'shlex';
import { logger } from '../../../logger';
import { platform } from '../../../platform';
import { exec } from '../../../util/exec';
@@ -54,7 +55,7 @@ export async function generateLockFiles(
// volumes.push([homeNpmrc, `/home/ubuntu/.npmrc`]);
// }
cmd.push(`${lernaClient} install ${params}`);
- cmd.push(`npx lerna@${lernaVersion} bootstrap --no-ci -- ${params}`);
+ cmd.push(`npx lerna@${quote(lernaVersion)} bootstrap --no-ci -- ${params}`);
await exec(cmd, {
cwd,
env,