fix(package-manager): eliminate CWE-78 OS command injection across all Windows spawn paths

Five locations concatenated user-controlled arguments into a raw shell
string executed by cmd.exe (shell:true), allowing metacharacters such
as &, |, >, ^ in a package specifier or --package-manager flag to
inject and execute arbitrary OS commands silently alongside the
legitimate package manager process.

Affected paths and their fix:
- host.ts: shell:isWin32 + args.join concat replaced with cmd.exe
  array invocation (shell:false) so Node.js controls arg quoting
- executor.ts: escapedArgs+string-concat pattern replaced with
  cmd.exe direct array invocation; shell:true removed
- ssr-dev-server/utils.ts: args.join concat replaced with cmd.exe
  array dispatch on Windows, safe array-form on POSIX
- ssr-dev-server/index.ts: stray shell:true removed from
  spawnAsObservable call-site (platform dispatch in utils.ts)
- workspace/index.ts: ALLOWED_PKG_MANAGERS allowlist guard added
  before execSync to block injection via ng new --package-manager

POSIX spawn paths (array-form, shell:false) are unchanged.
Follows pattern from #32678 which patched repo-init/executor.ts.

CWE: CWE-78 (OS Command Injection)

Author: g0w6y

packages/angular_devkit/schematics/tasks/package-manager/executor.ts

@@ -117,7 +117,7 @@ export default function (
 
     const bufferedOutput: { stream: NodeJS.WriteStream; data: Buffer }[] = [];
     const spawnOptions: SpawnOptions = {
-      shell: true,
+      shell: false,
       cwd: path.join(rootDirectory, options.workingDirectory || ''),
     };
     if (options.hideOutput) {
@@ -166,15 +166,20 @@ export default function (
         // Workaround for https://github.com/sindresorhus/ora/issues/136.
         discardStdin: process.platform != 'win32',
       }).start();
-      // SECURITY FIX (CWE-78): escape each arg individually instead of raw concatenation.
-      const escapedArgs =
-        spawnOptions.shell === true
-          ? args.map(escapeArgForWindowsShell).join(' ')
-          : args.join(' ');
-      const childProcess = spawn(
-        `${taskPackageManagerName} ${escapedArgs}`,
-        spawnOptions,
-      ).on(
+      // SECURITY FIX (CWE-78): never concatenate args as a raw shell string.
+      // On Windows, package managers are .cmd scripts requiring a shell, but
+      // instead of shell:true + string concat (injection vector), we invoke
+      // cmd.exe directly with shell:false and pass each arg as an array element.
+      // Node.js then controls quoting — metacharacters in args are never
+      // interpreted by cmd.exe as shell operators.
+      const isWin32 = process.platform === 'win32';
+      const childProcess = isWin32
+        ? spawn(
+            'cmd.exe',
+            ['/d', '/s', '/c', taskPackageManagerName, ...args],
+            { ...spawnOptions, shell: false },
+          ).on(
+        : spawn(taskPackageManagerName, args, { ...spawnOptions, shell: false }).on(
         'close',
         (code: number) => {
           if (code === 0) {