fix: replace shell-interpolation with system() in DNFPackageManager

Backtick calls interpolated the package name directly into a shell
command string, allowing metacharacters (;, $(), backticks) to execute
arbitrary commands. Using system() with separate arguments bypasses the
shell entirely, so the package name is passed as a literal argv element
to dnf.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

0 files changed, 0 insertions, 0 deletions