Does react-scripts start execute 'Powershell -encodedCommand'?

[chfw]

Someone in information security claim that when 'npm start' in git bash shell under Windows OS, 'powershell -encodedcommand ...' was executed, which will bring up security alerts!

Hence, I would like to know if this is really true? And what is full command done by powershell?

why is 'Powershell -encodedCommand' a problem? it allows you to execute a command that escapes audit.