[codecov] Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the “gcov-args” argument.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7596
• https://snyk.io/vuln/SNYK-JS-CODECOV-543183
• https://github.com/advisories/GHSA-mh2h-6j8q-x246