fix: do not expose files from parent folders via preview-docs server (#347)

packages/cli/src/utils.ts

@@ -290,4 +290,12 @@ export function slash(path: string): string {
   }
 
   return path.replace(/\\/g, '/');
+}
+
+/**
+ * Checks if dir is subdir of parent
+ */
+export function isSubdir(parent: string, dir: string): boolean {
+  const relative = path.relative(parent, dir);
+  return !!relative && !/^..($|\/)/.test(relative) && !path.isAbsolute(relative);
 }