[dev-tool] Customization apply command could be dangerous #37307

@timovv

`apply` can delete the entire package directory if `--targetDirectory` is set to `.` (or otherwise resolves to the project root). Since the command does `fs.rm(customizedDirectory, { recursive: true })`, it would wipe the repo contents and then copy the merge result back. Please add validation to reject target directories that resolve to the project root (or are empty), and also ensure `sourceDirectory` and `targetDirectory` are distinct/non-overlapping paths before proceeding.

Originally posted by @Copilot in #37306 (comment)
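
One way to implement the validation requested above, as an added example that is not dev-tool's own code. The function name, parameter order and error messages are assumptions, and the checks that the target is not an ancestor of the project root and stays inside it go beyond what the issue asks for.

```javascript
const path = require("node:path");

// True when `child` is `parent` itself or lies somewhere beneath it.
function isSameOrInside(parent, child) {
  const rel = path.relative(parent, child);
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical guard (illustrative name, not dev-tool's API). It returns the
// resolved absolute paths, or throws before any recursive delete can run.
// path.resolve is purely lexical: a real guard would also compare
// fs.realpath results so that a symlink cannot alias the project root.
function validateApplyPaths(projectRoot, sourceDirectory, targetDirectory) {
  const inputs = { sourceDirectory, targetDirectory };
  for (const [name, value] of Object.entries(inputs)) {
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`${name} must be a non-empty path`);
    }
  }

  const root = path.resolve(projectRoot);
  const source = path.resolve(root, sourceDirectory);
  const target = path.resolve(root, targetDirectory);

  // ".", "src/.." and an absolute path to the root all resolve to `root`.
  // An ancestor such as ".." is rejected too: removing it removes the root.
  if (isSameOrInside(target, root)) {
    throw new Error(`targetDirectory resolves to the project root or an ancestor: ${target}`);
  }
  // Added assumption: the target must live inside the project.
  if (!isSameOrInside(root, target)) {
    throw new Error(`targetDirectory is outside the project root: ${target}`);
  }
  // Distinct and non-overlapping: neither directory may contain the other.
  if (isSameOrInside(source, target) || isSameOrInside(target, source)) {
    throw new Error(`sourceDirectory and targetDirectory overlap: ${source} / ${target}`);
  }
  return { source, target };
}
```

Calling this before the `fs.rm(customizedDirectory, { recursive: true })` step and deleting only the returned `target` keeps the raw command-line value from ever reaching the recursive delete.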

Labels: dev-tool (Issues related to the Azure SDK for JS dev-tool)