This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Patched by version 2.0.0. Previous releases are deprecated in npm.
Make sure to escape git commit messages when using the commitMessage option for the update function.