fix(security): prevent SSRF and header injection in paste-url;fix(pay…

[nameearly]

fix(security): prevent SSRF and header injection in paste-url;
fix(payload): preserve paste-url error status and correct external file metadata

[github-actions]

Pull Request titles must follow the Conventional Commits specification and have valid scopes.

Unknown scope "security" found in pull request title "fix(security): prevent SSRF and header injection in paste-url;fix(pay…". Scope must match one of: cpa, claude, db-*, db-d1-sqlite, db-mongodb, db-postgres, db-vercel-postgres, db-sqlite, db-d1-sqlite, drizzle, email-*, email-nodemailer, email-resend, eslint, graphql, kv, kv-redis, live-preview, live-preview-react, live-preview-vue, next, payload-cloud, plugin-cloud, plugin-cloud-storage, plugin-ecommerce, plugin-form-builder, plugin-import-export, plugin-mcp, plugin-multi-tenant, plugin-nested-docs, plugin-redirects, plugin-search, plugin-sentry, plugin-seo, plugin-stripe, richtext-*, richtext-lexical, richtext-slate, sdk, storage-*, storage-azure, storage-gcs, storage-r2, storage-uploadthing, storage-vercel-blob, storage-s3, translations, ui, templates, examples(/(\w|-)+)?, deps.

feat(ui): add Button component
^    ^    ^
|    |    |__ Subject
|    |_______ Scope
|____________ Type

[nameearly]

change title