From 465c12dd75f452b4df538dccb302e9106562baa0 Mon Sep 17 00:00:00 2001
From: Alex Donesky
Date: Wed, 24 Jun 2026 13:59:11 -0500
Subject: [PATCH] fix: escape regex metacharacters when building changelog link pattern

Resolves CodeQL js/incomplete-sanitization (high) in bump-dependent-playgrounds.ts. packageName was interpolated into a dynamically-constructed RegExp after escaping only forward slashes, leaving backslashes and other regex metacharacters unescaped. Replace the ad-hoc .replace with a proper escapeRegExp helper.
---
 scripts/bump-dependent-playgrounds.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts/bump-dependent-playgrounds.ts b/scripts/bump-dependent-playgrounds.ts
index 93fc2b7b..000c3306 100644
--- a/scripts/bump-dependent-playgrounds.ts
+++ b/scripts/bump-dependent-playgrounds.ts
@@ -202,6 +202,17 @@ async function bumpPlaygroundIfNeeded(
   return true;
 }
 
+/**
+ * Escapes regular-expression metacharacters so a string can be safely embedded
+ * in a dynamically-constructed `RegExp`.
+ *
+ * @param value - The raw string to escape.
+ * @returns The string with all regex metacharacters escaped.
+ */
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/gu, '\\$&');
+}
+
 /**
  * Updates the CHANGELOG.md file for a playground package.
  *
@@ -238,7 +249,7 @@ ${depsList}
 
   // Update the links at the bottom
   const unreleasedLinkPattern = new RegExp(
-    `\\[Unreleased\\]: (https://github\\.com/MetaMask/connect-monorepo/compare/${packageName.replace(/\//gu, '\\/')}@)[\\d.]+\\.\\.\\.HEAD`,
+    `\\[Unreleased\\]: (https://github\\.com/MetaMask/connect-monorepo/compare/${escapeRegExp(packageName)}@)[\\d.]+\\.\\.\\.HEAD`,
     'u',
   );
 
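Review bot: The JSDoc on `escapeRegExp` promises "all regex metacharacters escaped", but the class `[.*+?^${}()|[\]\\]` covers the ECMAScript SyntaxCharacters only, so `-` is left untouched and the result is safe to embed outside a character class but not inside one; the `@returns` line should say so, e.g. `@returns The string with every regex SyntaxCharacter escaped; safe to embed outside a character class only.` Keeping the set to exactly these characters is also load-bearing, because the caller compiles the pattern with the `u` flag, under which an identity escape of a non-syntax character such as `\-` is a SyntaxError rather than a no-op; a one-line comment on the replace call would stop a future maintainer from "hardening" it by adding `-` or `/`, e.g. `// Only SyntaxCharacters may be escaped: under the u flag any other identity escape throws.` The same constraint applies to the interpolation in the second hunk.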
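Review bot: The replacement of the ad-hoc `.replace(/\//gu, '\\/')` with `escapeRegExp(packageName)` is the right fix, but nothing in the commit exercises it: names built only from `@`, `/`, letters and `-` match identically before and after, so a regression test for `unreleasedLinkPattern` should use a package name that contains a syntax character (a constructed `@scope/foo.bar`, say) and assert that the dot is matched literally rather than as a wildcard. The old `\/` form was not itself a `u`-flag error, since `/` is a SyntaxCharacter, so the observable change is limited to inputs containing other metacharacters, which is what such a test should pin. The enclosing function starts and ends outside this hunk, so how a non-match of the pattern is handled is not visible here and may deserve its own check.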