Potential fix for code scanning alert no. 15: Shell command built from environment values #37

Open
Tanker187 wants to merge 1 commit into main from alert-autofix-15

Conversation

@Tanker187 (Owner)

Potential fix for https://github.com/Tanker187/vite/security/code-scanning/15

In general, this type of issue is fixed by avoiding shell interpretation of dynamically constructed commands: instead of building a single command string, call the executable directly and pass arguments as an array. For execa/execaCommand, this means using execa with shell: false (the default) and giving the program and its arguments separately. This prevents spaces or metacharacters in viteBinPath or other arguments from altering the command structure.

Concretely here, we should:

  • Replace the string-based buildCommand and serverCommand with argument arrays.
  • Use execa instead of execaCommand so that the first parameter is the executable (here viteBinPath) and the second is the array of CLI arguments.
  • Keep viteBinPath unchanged; only change how it is invoked.
  • Adjust error messages that currently print "${buildCommand}" / "${serverCommand}" to use a safe, readable representation of the command (for example, by joining [viteBinPath, ...args] with spaces for logging only).

These changes are all confined to playground/cli-module/__tests__/serve.ts. We need to:

  • Add an execa import without removing execaCommand if it’s still referenced elsewhere in the file (outside the shown snippet we cannot touch).
  • Update the build section to call execa(viteBinPath, ['build'], ...).
  • Update the server section to call execa(viteBinPath, viteServerArgs, ...).
  • Update the logging in the catch block and in the close helper to reflect the new representation.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…m environment values

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Repository owner locked and limited conversation to collaborators Feb 11, 2026
@Tanker187 Tanker187 self-assigned this Feb 11, 2026
@Tanker187 Tanker187 marked this pull request as ready for review February 11, 2026 15:37