Potential fix for code scanning alert no. 350: Artifact poisoning

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

Author: Dargon789

.github/workflows/npm.yml

@@ -292,21 +292,30 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_REGISTRY_URL: ${{ env.NPM_REGISTRY_URL }}
+          # Use the validated release version derived earlier, not any arbitrary environment value.
+          RELEASE_VERSION: ${{ steps.release-version.outputs.RELEASE_VERSION }}
         run: |
           set -euo pipefail
-          bun run build
 
-          # Validate RELEASE_VERSION before exporting it. Only allow semantic-version-like strings,
-          # e.g. 1.2.3 or 1.2.3-beta.1. Reject anything else to avoid artifact poisoning.
+          # Validate RELEASE_VERSION before using or exporting it. Only allow semantic-version-like strings,
+          # and reject any value containing whitespace or newlines to prevent artifact poisoning.
           if [[ -z "${RELEASE_VERSION:-}" ]]; then
             echo "RELEASE_VERSION is empty or unset; refusing to export." >&2
             exit 1
           fi
+          # Disallow whitespace (including newlines, tabs) in RELEASE_VERSION
+          if [[ "$RELEASE_VERSION" =~ [[:space:]] ]]; then
+            echo "RELEASE_VERSION contains whitespace; refusing to export." >&2
+            exit 1
+          fi
+          # Only allow versions like 1.2.3 or 1.2.3-beta.1
           if ! [[ "$RELEASE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
             echo "RELEASE_VERSION '$RELEASE_VERSION' has an invalid format; refusing to export." >&2
             exit 1
           fi
 
+          bun run build
+
           printf 'RELEASE_VERSION=%s\n' "$RELEASE_VERSION" >>"$GITHUB_OUTPUT"
 
       - name: Stage Binary Into Package