fix: mandate session-token regular expression injection

[taptapsh]

onchainkit/packages/onchainkit/scripts/publish-prerelease.js

Line 117 in de893d7

const [tagBase, tagCount] = currentTagVersion.split(new RegExp(`-${tag}\\.`));

fix this issue, we need to ensure that the value of tag—which is passed from user input via process.argv—is properly escaped for use in a regular expression. The recommended, reliable way to do this is to use a well-established sanitization helper, such as Lodash's escapeRegExp function. As Lodash is a mainstream dependency, it's safe and reasonable to add it as an import to this script.

The fix involves:

• Adding an import for Lodash (ideally just escapeRegExp to keep the import minimal).
• Escaping tag before incorporating it into the regex in line 117. Assign the result to a local variable (e.g., escapedTag).
• Use this sanitized escapedTag in the regex construction.

These edits should be made within the getNextVersionNumber function in packages/onchainkit/scripts/publish-prerelease.js.

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1

[vercel]

@taptapsh is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

[cb-heimdall]

Review Error for kreeksec @ 2025-12-03 09:02:58 UTC
User failed mfa authentication, either user does not exist or public email is not set on your github profile. \ see go/mfa-help