[labs/cli] Fix npm install failing in Winows (#4616)

Spawning npm/npx by adding .cmd for Windows is considered insecure (nodejs/node@9095c914ed).
The npm install command for the cli and the npx command in testing will now go through a shell instead.

.changeset/empty-icons-move.md

@@ -0,0 +1,5 @@
+---
+'@lit-labs/cli': patch
+---
+
+Use a shell when spawning a child process to install packages. This fixes an error that would happen when command is run in Windows with the latest Node.js security fix in v21.7.3.

packages/labs/cli/src/lib/lit-cli.ts

@@ -288,12 +288,12 @@ export class LitCli {
     const installFrom = reference.installFrom ?? reference.importSpecifier;
     this.console.log(`Installing ${installFrom}...`);
     const child = childProcess.spawn(
-      // https://stackoverflow.com/questions/43230346/error-spawn-npm-enoent
-      /^win/.test(process.platform) ? 'npm.cmd' : 'npm',
+      'npm',
       ['install', '--save-dev', installFrom],
       {
         cwd: this.cwd,
         stdio: [process.stdin, 'pipe', 'pipe'],
+        shell: true,
       }
     );
     (async () => {

packages/tests/src/utils/assert-goldens.ts

@@ -10,7 +10,7 @@ import fsExtra from 'fs-extra';
 import * as dirCompare from 'dir-compare';
 import * as path from 'path';
 import * as diff from 'diff';
-import {execFileSync} from 'child_process';
+import {execSync} from 'child_process';
 
 const __dirname = path.dirname(new URL(import.meta.url).pathname);
 const red = '\x1b[31m';
@@ -96,8 +96,7 @@ export const assertGoldensMatch = async (
       '--write',
       `${path.join(outputDir, formatGlob)}`,
     ];
-    // https://stackoverflow.com/questions/43230346/error-spawn-npm-enoent
-    execFileSync(/^win/.test(process.platform) ? 'npx.cmd' : 'npx', args); //
+    execSync(`npx ${args.join(' ')}`);
   }
 
   if (process.env.UPDATE_TEST_GOLDENS) {