From 03aa9ca1f89f97885c74471c2fe2915c643c95ab Mon Sep 17 00:00:00 2001
From: Packeting <127834955+Packeting1@users.noreply.github.com>
Date: Mon, 29 Dec 2025 10:29:55 +0800
Subject: [PATCH] fix: avoid shell in changelog git calls
---
 frappe/utils/change_log.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/frappe/utils/change_log.py b/frappe/utils/change_log.py
index 67b1615b1e..3be17ffb3c 100644
--- a/frappe/utils/change_log.py
+++ b/frappe/utils/change_log.py
@@ -136,8 +136,8 @@ def get_app_branch(app):
 try:
 with open(os.devnull, "wb") as null_stream:
 result = subprocess.check_output(
- f"cd ../apps/{app} && git rev-parse --abbrev-ref HEAD",
- shell=True,
+ ["git", "-C", f"../apps/{app}", "rev-parse", "--abbrev-ref", "HEAD"],
+ shell=False,
 stdin=null_stream,
 stderr=null_stream,
 )
@@ -152,8 +152,8 @@ def get_app_last_commit_ref(app):
 try:
 with open(os.devnull, "wb") as null_stream:
 result = subprocess.check_output(
- f"git -C ../apps/{app} rev-parse --short=7 HEAD",
- shell=True,
+ ["git", "-C", f"../apps/{app}", "rev-parse", "--short=7", "HEAD"],
+ shell=False,
 stdin=null_stream,
 stderr=null_stream,
 )
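Review bot: `app` is still interpolated unchecked into the `-C` path in `get_app_branch`, and the same applies to `get_app_last_commit_ref`, so a value containing `..` or a path separator would make git run in a directory outside `../apps/`. The argv form removes shell interpretation, and the `../apps/` prefix keeps the value from being parsed as a git option, but it does not constrain where git reads its repository and config from. If `app` can come from a caller-supplied value (the callers are not visible here), add a guard before the `try`, such as `if os.path.basename(app) != app or app in ("", ".", ".."):`. It should fail the same way the function already handles a git error; that handling lies outside the hunk. Separately, `shell=False` is the default and could be dropped, and `subprocess.DEVNULL` would replace the `open(os.devnull, "wb")` wrapper for both `stdin` and `stderr`.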