[Security] Command Injection vulnerability in fetch() before v1.11.0

[yuzhongqi]

Description:
The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way such that additional flags can be set. The additional flags can be used to perform a command injection.
Suggestion:
Upgrade git from 1.9.1 to 1.11.0 to fix the vulnerability.