fix: fix path regexp cve

package.json

@@ -1,7 +1,7 @@
 {
   "name": "koishi-plugin-public",
   "description": "Serve static files",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",
   "files": [
@@ -43,14 +43,14 @@
     }
   },
   "peerDependencies": {
-    "koishi": "^4.16.3"
+    "koishi": "^4.18.0"
   },
   "devDependencies": {
-    "@koishijs/plugin-server": "^3.1.3",
-    "@types/node": "^20.10.2",
-    "esbuild": "^0.18.20",
+    "@koishijs/plugin-server": "^3.2.3",
+    "@types/node": "^22.1.0",
+    "esbuild": "^0.23.1",
     "esbuild-register": "^3.5.0",
-    "koishi": "^4.16.3",
-    "typescript": "^5.3.2"
+    "koishi": "^4.18.0",
+    "typescript": "^5.5.3"
   }
 }

src/index.ts

@@ -1,7 +1,7 @@
 import { createReadStream, Stats } from 'fs'
 import {} from '@koishijs/plugin-server'
 import { stat } from 'fs/promises'
-import { Context, noop, sanitize, z } from 'koishi'
+import { Context, escapeRegExp, noop, sanitize, z } from 'koishi'
 import { extname, resolve } from 'path'
 
 export const name = 'public'
@@ -25,7 +25,7 @@ export function apply(ctx: Context, config: Config) {
   const root = resolve(ctx.baseDir, config.root)
   const path = sanitize(config.path)
 
-  ctx.server.get(path + '(/.+)+', async (ctx, next) => {
+  ctx.server.get(path + '(.*)', async (ctx, next) => {
     const filename = resolve(root, ctx.path.slice(path.length).replace(/^\/+/, ''))
     if (!filename.startsWith(root)) return next()
     const stats = await stat(filename).catch<Stats>(noop)