Fixes #10448

When calling `bundle install` with `--jobs=<n>`, bundle persists this
argument in `.bundle/config`. If we run `BUNDLE_JOBS=<n> bundle install`
instead, this is not persisted.

Fixes #10425

Co-authored-by: Marc Cornellà <hello@mcornella.com>

BREAKING CHANGE: the plugin now checks for the `docker-compose` command instead
of trying whether `docker compose` is a valid command. This means that if the
old command is still installed it will be used instead. To use `docker compose`,
uninstall any old copies of `docker-compose`.

Fixes #10409

Fixes #10428

Closes #9659
Co-authored-by: Jeff Warner <jeff@develops.software>

Fixes #10422

The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.

A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.

The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
shell without sanitization, which could trigger command injection. There is no evidence
that this has been exploited, but this commit removes all possibility for exploit.

Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
shell, also without sanitization. Furthermore, there is also no evidence that this has
been exploited, but with this change it is now impossible.

The `title` function unsafely prints its input without sanitization, which if used
with custom user code that calls it, it could trigger command injection.

The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is
changed in the user's shell environment with a carefully crafted value. This is
highly unlikely to occur (and if possible, other methods would be used instead),
but with this change the exploit of these two functions is now impossible.

The plugin unsafely processes directory paths in pop_past and pop_future.
This commit fixes that.

The `omz_urldecode` function uses an eval to decode the input which can be
exploited to inject commands. This is used only in the svn plugin and it
requires a complex process to exploit, so it is highly unlikely to have been
used by an attacker.

Reference: https://github.com/ohmyzsh/ohmyzsh/commit/7f49494#commitcomment-60117011

Fixes #10404

Co-authored-by: Marc Cornellà <hello@mcornella.com>

Apple changed the name of their operating system from OS X to macOS a number of years ago. This was overdue!

As per issue  #10311

* refactor(osx): rename `osx` plugin to `macos`
* refactor(macos): Add symbolic link from old `osx` plugin name.

Closes #8370

Fixes #10350