Fix code scanning alert no. 29: Regular expression injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

packages/react-dev-utils/WebpackDevServerUtils.js

@@ -11,6 +11,7 @@ const fs = require('fs');
 const path = require('path');
 const url = require('url');
 const chalk = require('chalk');
+const _ = require('lodash');
 const detect = require('detect-port-alt');
 const isRoot = require('is-root');
 const prompts = require('prompts');
@@ -327,7 +328,7 @@ function prepareProxy(proxy, appPublicFolder, servedPathname) {
   function mayProxy(pathname) {
     const maybePublicPath = path.resolve(
       appPublicFolder,
-      pathname.replace(new RegExp('^' + servedPathname), ''),
+      pathname.replace(new RegExp('^' + _.escapeRegExp(servedPathname)), ''),
     );
     const isPublicFileRequest = fs.existsSync(maybePublicPath);
     // used by webpackHotDevClient

packages/react-dev-utils/package.json

@@ -75,7 +75,8 @@
     "recursive-readdir": "^2.2.2",
     "shell-quote": "^1.7.3",
     "strip-ansi": "^6.0.1",
-    "text-table": "^0.2.0"
+    "text-table": "^0.2.0",
+    "lodash": "^4.17.21"
   },
   "devDependencies": {
     "cross-env": "^7.0.3",