
Potential fix for code scanning alert no. 3: Incomplete regular expression for hostnames #13

Closed

tuyen-at-work wants to merge 2 commits into master from alert-autofix-3


Conversation

@tuyen-at-work
Contributor

Potential fix for https://github.com/precise-alloy/regression-test/security/code-scanning/3

Use an explicitly escaped regex-safe literal for hostname dots in the test fixture where ref may flow into regex handling.
Best fix here: update the ref value on line 50 from https://prod.example.com to https://prod\.example\.com in tests/replacements.test.ts. This keeps the intended literal hostname match while preventing wildcard-dot interpretation if regex APIs are used internally. No import or helper changes are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ssion for hostnames

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented May 21, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: bb183e5f-c713-4037-937b-7b707773c38e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@tuyen-at-work
Contributor Author

@copilot check failed tests.

Contributor

Copilot AI commented May 21, 2026

@copilot check failed tests.

Fixed in f9f2291. The previous commit changed ref: 'https://prod.example.com' to ref: 'https://prod\\.example\\.com' in the plain-string replacement test. In non-regex mode, applyReplacements uses String.replace(ref, test) which treats ref as a literal string — the backslashes became literal characters that didn't match the actual URL, so the replacement never fired. Reverted to the correct unescaped URL for the plain-string test case. All 70 tests now pass.
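Added example, not the project's own code: a minimal applyReplacements in TypeScript modelled on the behaviour the comment above describes (the function name comes from the thread; the {ref, test, regex} entry shape and the helper names are assumptions). It shows both failure modes at once: in regex mode an unescaped dot in the hostname also matches a look-alike host, which is what the scanning alert flags, while in non-regex mode the backslash-escaped form is matched literally and never fires against the real URL, which is why the autofix broke the test.

```typescript
// Added example (not the project's code). The {ref, test, regex} shape and
// the helper names are assumptions; only applyReplacements is named in the thread.

interface Replacement {
  ref: string;     // what to look for: a literal string, or a regex source when regex is true
  test: string;    // what to substitute in (the name used in the thread)
  regex?: boolean; // false/undefined = plain-string mode
}

// Escape every regex metacharacter so a hostname can be embedded in a pattern
// as a literal. This is the "regex-safe literal" the alert asks for, and it is
// only meaningful for entries that actually go through RegExp.
function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Plain-string mode calls String.replace with a string pattern, which matches
// literally (and only the first occurrence); regex mode builds a RegExp from
// ref exactly as written, so any unescaped '.' matches any character.
function applyReplacements(input: string, replacements: Replacement[]): string {
  return replacements.reduce((text, { ref, test, regex }) => {
    const pattern = regex ? new RegExp(ref, 'g') : ref;
    return text.replace(pattern, test);
  }, input);
}

// Defender-side check for the alert: does a regex-mode pattern also accept a
// host where the first dot has been swapped for another character? True means
// the pattern is incomplete and the dot needs escaping.
function matchesLookalike(ref: string, host: string): boolean {
  const lookalike = host.replace('.', 'X'); // constructed look-alike, e.g. prodXexample.com
  return new RegExp(ref).test(lookalike);
}
```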
