From 2d7cd1cf56611aa828b4571624b7a6ea02976411 Mon Sep 17 00:00:00 2001
From: Florian Imdahl
Date: Fri, 9 Jan 2026 21:10:38 +0100
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 8: Regular expression injection
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 packages/publish-flat/src/PublishFlat.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/publish-flat/src/PublishFlat.ts b/packages/publish-flat/src/PublishFlat.ts
index 1ddd28a8e..aafefc816 100644
--- a/packages/publish-flat/src/PublishFlat.ts
+++ b/packages/publish-flat/src/PublishFlat.ts
@@ -47,7 +47,12 @@ export class PublishFlat {
 this.packageDir = path.resolve(this.options.packageDir);
 this.dirToFlatten = this.cleanDirName(this.options.dirToFlatten);
- this.dirToFlattenRegex = new RegExp(`${this.dirToFlatten}[\\/]`);
+ const escapedDirToFlatten = PublishFlat.escapeRegExp(this.dirToFlatten);
+ this.dirToFlattenRegex = new RegExp(`${escapedDirToFlatten}[\\/]`);
+ }
+
+ private static escapeRegExp(value: string): string {
+ return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
 async build(): Promise {
From 03060dddb9702eb5ef8d934e02abc8efefe72d80 Mon Sep 17 00:00:00 2001
From: Florian Imdahl
Date: Fri, 9 Jan 2026 21:17:26 +0100
Subject: [PATCH 2/2] refactor
---
 packages/publish-flat/src/PublishFlat.ts | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/packages/publish-flat/src/PublishFlat.ts b/packages/publish-flat/src/PublishFlat.ts
index aafefc816..8fb8c287b 100644
--- a/packages/publish-flat/src/PublishFlat.ts
+++ b/packages/publish-flat/src/PublishFlat.ts
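Review bot: The added `this.dirToFlattenRegex = new RegExp(...)` line writes the separator class as `[\\/]` inside a template literal, and the template literal collapses `\\` to a single backslash before the RegExp constructor sees it, so the compiled pattern is `[\/]` and matches only a forward slash; if Windows backslash separators are meant to match too, the source needs `[\\\\/]` (or the class should be built with `String.raw`). The pattern is also unanchored, so a dirToFlatten of `lib` would match inside `mylib/` as well; if the regex is meant to test or strip a leading directory, a `^` anchor would tighten it, but its uses are outside this hunk so this is inferred. The second patch keeps this line unchanged as context, so both points carry over to it. The new `escapeRegExp` helper is undocumented; a one-line TSDoc such as `/** Escapes RegExp metacharacters so the value matches literally when interpolated into a pattern. */` would say why the character set exists. The constructor whose body this is starts outside the hunk.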
@@ -47,14 +47,10 @@ export class PublishFlat {
 this.packageDir = path.resolve(this.options.packageDir);
 this.dirToFlatten = this.cleanDirName(this.options.dirToFlatten);
- const escapedDirToFlatten = PublishFlat.escapeRegExp(this.dirToFlatten);
+ const escapedDirToFlatten = this.dirToFlatten.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 this.dirToFlattenRegex = new RegExp(`${escapedDirToFlatten}[\\/]`);
 }
- private static escapeRegExp(value: string): string {
- return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
- }
-
 async build(): Promise {
 const arborist = new Arborist({path: this.packageDir});
 const tree = await arborist.loadActual();
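Review bot: The inlined `this.dirToFlatten.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')` carries no explanation, so a later reader cannot tell that this is the literal-escaping step that closes the regex-injection alert addressed by the first patch; a comment on the line above such as `// Escape RegExp metacharacters so the directory name is matched literally rather than as a pattern` would keep that intent with the code. Dropping the private static helper also removes the only seam where the escaping could be unit-tested in isolation; keeping it as a small module-level function, or adding a constructor test with a name like `a.b` that must not match `axb/`, would guard against a regression. The constructor body starts outside the hunk.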