fix(publish-flat): Regular expression injection (#1081)

ffflorian · github-advanced-security[bot] · ffflorian · commit c2af9b70ee86 · 2026-01-09T21:21:29.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/packages/publish-flat/src/PublishFlat.ts b/packages/publish-flat/src/PublishFlat.ts
@@ -47,7 +47,8 @@ export class PublishFlat {
 
     this.packageDir = path.resolve(this.options.packageDir);
     this.dirToFlatten = this.cleanDirName(this.options.dirToFlatten);
-    this.dirToFlattenRegex = new RegExp(`${this.dirToFlatten}[\\/]`);
+    const escapedDirToFlatten = this.dirToFlatten.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    this.dirToFlattenRegex = new RegExp(`${escapedDirToFlatten}[\\/]`);
   }
 
   async build(): Promise<string | void> {

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,8 @@ export class PublishFlat {`
`47`	`47`
`48`	`48`	`this.packageDir = path.resolve(this.options.packageDir);`
`49`	`49`	`this.dirToFlatten = this.cleanDirName(this.options.dirToFlatten);`
`50`		- this.dirToFlattenRegex = new RegExp(`${this.dirToFlatten}[\\/]`);
	`50`	`+ const escapedDirToFlatten = this.dirToFlatten.replace(/[.*+?^${}()\|[\]\\]/g, '\\$&');`
	`51`	+ this.dirToFlattenRegex = new RegExp(`${escapedDirToFlatten}[\\/]`);
`51`	`52`	`}`
`52`	`53`
`53`	`54`	`async build(): Promise<string \| void> {`