refactor(package-manager): remove unused escapeArgForWindowsShell helper

The cmd.exe array invocation (shell:false) approach does not require
manual argument escaping. Remove the dead helper per code review
feedback on #32892.

Author: g0w6y

packages/angular_devkit/schematics/tasks/package-manager/executor.ts

@@ -9,43 +9,6 @@
 import { BaseException } from '@angular-devkit/core';
 import { SpawnOptions, spawn } from 'node:child_process';
 
-/**
- * Escapes a single argument for safe use with Windows cmd.exe.
- * Prevents OS command injection (CWE-78) by wrapping in double quotes
- * and correctly escaping embedded quotes and backslashes.
- *
- * Algorithm: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/
- */
-function escapeArgForWindowsShell(arg: string): string {
-  // FIX A: empty string must produce a quoted empty token.
-  // Returning bare '' causes cmd.exe to drop the arg silently,
-  // shifting all subsequent args by one (argument confusion).
-  if (!arg) return '""';
-  // Fast path: only shell-safe chars, no quoting needed
-  if (/^[a-zA-Z0-9_\-./\\:@]+$/.test(arg)) {
-    return arg;
-  }
-  // FIX B: escape % BEFORE wrapping in double-quotes.
-  // cmd.exe expands %VAR% before evaluating quote context, so
-  // %COMSPEC% inside "..." still expands (BatBadBut / CVE-2024-3566).
-  // %% disables expansion and becomes a literal percent sign.
-  arg = arg.replace(/%/g, '%%');
-  let result = '"';
-  let slashes = 0;
-  for (const char of arg) {
-    if (char === '\\') {
-      slashes++;
-    } else if (char === '"') {
-      result += '\\'.repeat(slashes * 2 + 1) + '"';
-      slashes = 0;
-    } else {
-      result += '\\'.repeat(slashes) + char;
-      slashes = 0;
-    }
-  }
-  result += '\\'.repeat(slashes * 2) + '"';
-  return result;
-}
 
 
 import * as path from 'node:path';