fix: path traversal + vulnerable dependency updates

[Copilot]

Three high/moderate npm vulnerabilities and two path traversal vectors in source handling.

Dependency updates (npm audit fix)

• simple-git 3.33.0 → 3.36.0 — RCE (GHSA-hffm-xvc3-vprc); minimum version in package.json bumped to ^3.36.0
• picomatch 2.3.1 → 2.3.2 — High: method injection + ReDoS (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj)
• postcss 8.5.8 → 8.5.15 — Moderate: XSS (GHSA-qx2v-qp2m-jg93)

Note: picomatch and postcss are transitive dependencies and cannot be declared in package.json; they are locked to safe versions via package-lock.json.

Path traversal in sync.ts / status.ts

path.join(cacheDir, entry.source) silently normalises .. sequences, so a tampered manifest entry like source: "../../etc/passwd" resolves outside the cache directory — enabling arbitrary file read/write.

Added assertPathWithin(filePath, containingDir, label) and applied it in syncEntry() and determineState():

// src/sync.ts
export function assertPathWithin(filePath: string, containingDir: string, label: string): void {
  const resolved = path.resolve(filePath);
  const base = path.resolve(containingDir);
  if (resolved !== base && !resolved.startsWith(base + path.sep)) {
    throw new Error(`${label} escapes the expected directory boundary.`);
  }
}

Guards cover: non-glob source path, glob base dir, each glob match, and each computed destination file. status.ts returns 'missing' on violation rather than throwing, consistent with its existing error-handling pattern.

[madkoo]

@copilot Should the package.json get updated too with newer versions ?

[Copilot]

@copilot Should the package.json get updated too with newer versions ?

Good catch. simple-git is the only direct dependency that was vulnerable — picomatch and postcss are transitive and can't be declared in package.json. Updated the simple-git range from ^3.22.0 to ^3.36.0 in [this commit]($(git -C /tmp/workspace/madkoo/distributed-files rev-parse --short HEAD)) so fresh installs can't resolve a vulnerable release.