Fun fact: psql has a syntax through which one can use a form of prepared statements to avoid exploding when the password contains sql-sensitive characters[1]: https://www.postgresql.org/docs/17/app-psql.html#APP-PSQL-OP... and https://www.postgresql.org/docs/17/app-psql.html#APP-PSQL-IN... although regrettably it is not compatible with the "-c" invocation for some terrible reason, thus requiring the SQL to actually come from stdin:

  psql --set newpass="bobby';--drop table" <<'FOO'
  ALTER USER postgres WITH PASSWORD :'newpass';
  FOO

Thanks. Feel free to suggest a PR.