fix: Regular expression injection (#1081)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: ffflorian

packages/publish-flat/src/PublishFlat.ts

@@ -47,7 +47,8 @@ export class PublishFlat {
 
     this.packageDir = path.resolve(this.options.packageDir);
     this.dirToFlatten = this.cleanDirName(this.options.dirToFlatten);
-    this.dirToFlattenRegex = new RegExp(`${this.dirToFlatten}[\\/]`);
+    const escapedDirToFlatten = this.dirToFlatten.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    this.dirToFlattenRegex = new RegExp(`${escapedDirToFlatten}[\\/]`);
   }
 
   async build(): Promise<string | void> {