[vagrant.js] Command injection in vagrant.js

All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-25962
• https://security.snyk.io/vuln/SNYK-JS-VAGRANTJS-3175614
• https://github.com/advisories/GHSA-54jw-jqr9-6cj9