shell command built from environment values run-dir


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major - P3
    • No version
    • Affects Version/s: 1.46.3
    • Component/s: None
    • None
    • Environment:
      OS:
      node.js / npm versions:
      Additional info:
    • Not Needed
    • None
    • Developer Tools

      https://github.com/mongodb-js/compass/blob/404a91700cc44c474cdef2e3d174e0198c7bb579/scripts/run-in-dir.js#L8-L8

      Fixing the issue will replace the use of `exec` with `execFile` in the `runInDir` function. The `execFile` method takes the command and its arguments as separate parameters, so there is no need to construct a single shell command string. This approach ensures that special characters in paths or arguments are not interpreted by a shell and do not alter the behavior of the command.

      Specifically:
      1. Modify the `runInDir` function in `scripts/run-in-dir.js` to accept the command and its arguments as separate parameters.
      2. Update the call to `runInDir` in `scripts/workspace-dependencies.js` to pass the `LERNA_BIN` command and its arguments as an array.

      Dynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.

            References:
              • [Command Injection](https://www.owasp.org/index.php/Command_Injection)
              • [CWE-78](https://cwe.mitre.org/data/definitions/78.html)
              • [CWE-88](https://cwe.mitre.org/data/definitions/88.html)

            Assignee: Unassigned
            Reporter: Zeroday BYTE
            Votes: 0
            Watchers: 3
