child_process: disallow args in execFile/spawn when shell option is true

[DanielVenable]

This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped while
really they are just concatenated. This makes it easy to introduce bugs
and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with { shell: true }.

Fixes: #57143

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.27%. Comparing base (b7beb33) to head (7a9d737).
Report is 19 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #57199      +/-   ##
==========================================
- Coverage   90.30%   90.27%   -0.03%     
==========================================
  Files         630      630              
  Lines      184513   184639     +126     
  Branches    36072    36129      +57     
==========================================
+ Hits       166629   166689      +60     
- Misses      10967    11023      +56     
- Partials     6917     6927      +10     

Files with missing lines	Coverage Δ
lib/child_process.js	97.74% <100.00%> (+0.01%)	⬆️

... and 36 files with indirect coverage changes

[RafaelGSS]

This is a semver-major change as it will break people current using the args approach (even being ignored).

I'm not sure if we want to change the API in those situations. I think adding a process.emitWarning could be safer approach in this situation (also semver-major)

[aduh95]

Let's add an entry in deprecation.md since we're effectively deprecating it