
@ffflorian
Owner

Potential fix for https://github.com/ffflorian/node-packages/security/code-scanning/8

In general, to fix regex injection you must ensure any user‑controlled string embedded into a RegExp pattern is first escaped so all regex metacharacters lose their special meaning. That means either (a) using a well‑tested escaping helper (for example escape-string-regexp or lodash’s escapeRegExp), or (b) writing a small local escaping function.

Here, the single best fix is to escape this.dirToFlatten right before using it to construct dirToFlattenRegex. We can add a small local helper function in PublishFlat (or a top‑level function in the same file) that escapes regex meta‑characters, and then build the regex from the escaped value. This preserves all existing semantics (we still match directory prefixes followed by / or \) while preventing users from injecting arbitrary regex fragments.

Concretely, in packages/publish-flat/src/PublishFlat.ts:

  • Add a private method (or top‑level function) escapeRegExp that replaces all regex metacharacters ([.*+?^${}()|[\]\\]) with escaped versions.
  • In the constructor, after this.dirToFlatten = this.cleanDirName(...), call this.escapeRegExp(this.dirToFlatten) and use that escaped string when constructing this.dirToFlattenRegex.
  • No changes are required in cli.ts; it will continue to pass the raw argument, which is now safely escaped inside PublishFlat.

No new imports are necessary because the escaping can be implemented in a few lines.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
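The escaping step described above, as an added TypeScript example. This is not code from the PR or from the node-packages project: the `escapeRegExp` helper uses the metacharacter class named in the description, and `buildDirPrefixRegex` is a hypothetical reconstruction of the `dirToFlattenRegex` shape (directory name at the start of a path, followed by `/` or `\`), since the PR page does not show the actual pattern. The unsafe variant is kept beside it only to show what an unescaped directory name does to the match.

```typescript
// Added example (not the project's code). Demonstrates why a user-controlled
// directory name must be escaped before it is embedded in a RegExp.

/** Escape every regex metacharacter so the string matches only itself. */
export function escapeRegExp(input: string): string {
  // Same character class the PR description names: [.*+?^${}()|[\]\\]
  // '$&' re-inserts the matched character, prefixed with a backslash.
  return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

/**
 * Hypothetical shape of dirToFlattenRegex (an assumption, not the project's
 * pattern): the flattened directory name anchored at the start of a path and
 * followed by a '/' or '\' separator, as the PR description says it should be.
 */
export function buildDirPrefixRegex(dirToFlatten: string): RegExp {
  // `[/\\\\]` in the template literal becomes the regex class [/\] (slash or backslash).
  return new RegExp(`^${escapeRegExp(dirToFlatten)}[/\\\\]`);
}

/** The 'before' shape for comparison: raw interpolation, no escaping. */
export function buildDirPrefixRegexUnsafe(dirToFlatten: string): RegExp {
  return new RegExp(`^${dirToFlatten}[/\\\\]`);
}

/** Does `filePath` live under `dirToFlatten`? `safe` selects the escaped builder. */
export function isUnderDir(dirToFlatten: string, filePath: string, safe = true): boolean {
  const re = safe ? buildDirPrefixRegex(dirToFlatten) : buildDirPrefixRegexUnsafe(dirToFlatten);
  return re.test(filePath);
}

/**
 * Constructed sample inputs showing the difference between the two builders.
 * Returns a map of case name -> [unsafe result, safe result].
 */
export function compareBuilders(): Record<string, [boolean, boolean]> {
  const cases: Array<[string, string, string]> = [
    // [name, dirToFlatten, filePath]
    ['plain dir, forward slash', 'dist', 'dist/index.js'],
    ['plain dir, backslash', 'dist', 'dist\\index.js'],
    ['plain dir, longer prefix', 'dist', 'distribution/index.js'],
    ['dot in dir name', 'lib.', 'libX/index.js'], // unescaped '.' matches any char
    ['wildcard dir name', '.*', 'anything/else.js'], // unescaped '.*' matches everything
  ];
  const out: Record<string, [boolean, boolean]> = {};
  for (const [name, dir, filePath] of cases) {
    out[name] = [isUnderDir(dir, filePath, false), isUnderDir(dir, filePath, true)];
  }
  return out;
}
```

With escaping in place, `lib.` only matches a directory literally named `lib.`, and a value like `.*` stops matching every path in the package; the legitimate `dist/...` and `dist\...` cases behave identically in both builders, which is the "preserves all existing semantics" property the description calls out.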

…tion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ffflorian ffflorian marked this pull request as ready for review January 9, 2026 20:15
@ffflorian ffflorian merged commit 1067137 into main Jan 9, 2026
4 checks passed
@ffflorian ffflorian deleted the alert-autofix-8 branch January 9, 2026 20:20
ffflorian added a commit that referenced this pull request Jan 9, 2026
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
ffflorian added a commit that referenced this pull request Jan 9, 2026
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>