fix(security): remove shell:true from spawn in runCypressTestsLocally [APS-19013]

INJ-004: drop shell:true from the spawn options in helper.js
runCypressTestsLocally. spawn passes argv directly to npx so the shell
is not needed. Eliminates shell-injection via metacharacters in --spec /
other rawArgs reaching the local Cypress runner (CWE-78).

Author: Jimesh-browserstack

bin/testObservability/helper/helper.js

@@ -930,7 +930,7 @@ exports.runCypressTestsLocally = (bsConfig, args, rawArgs) => {
     const cypressProcess = spawn(
       'npx',
       ['cypress', 'run', ...getReRunSpecs(rawArgs.slice(1)), ...getLocalSessionReporter()],
-      { stdio: 'inherit', cwd: process.cwd(), env: process.env, shell: true }
+      { stdio: 'inherit', cwd: process.cwd(), env: process.env }
     );
     cypressProcess.on('close', async (code) => {
       logger.info(`Cypress process exited with code ${code}`);