Fix: isRelativeURL Function Fails Critical Test Cases #38605

@mdawoud27

Description:

The isRelativeURL function contains a flawed regex pattern that incorrectly identifies certain URLs, leading to three failing test cases and potential security vulnerabilities.

Steps to reproduce:

  1. Run the test suite: apps/meteor/tests/unit/lib/utils/isRelativeURL.spec.ts
  2. Observe three failing test cases marked with // TODO comments

Expected behavior:

  • Simple relative paths like 'test' should return true (relative to current directory)
  • Directory references like '.' and '..' should return true
  • Absolute URIs with schemes (e.g., data:, https:, javascript:) should return false
  • Paths starting with / should return true (root-relative paths)
  • Paths like ./test and ../test should return true (already working)

Actual behavior:

Three test cases fail.

Server Setup Information:

  • Operating System: Linux
  • NodeJS Version: 22.16.0

Proposed Solution

The regex should be updated to:

  1. Check if the URL contains a protocol scheme (e.g., protocol:) and return false if it does
  2. Return true for paths without schemes (including simple filenames, ., .., /path, ./path, ../path)

A proper implementation should use URL parsing logic rather than regex, or at minimum, explicitly reject strings matching the pattern [a-zA-Z][a-zA-Z\d+\-.]*: which indicates an absolute URI with a scheme.
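
The explicit scheme rejection proposed above, as an added example that is not part of the issue or of the Rocket.Chat code base. All function names are hypothetical, and the code assumes the value is later resolved by a browser. It goes one step beyond the issue by also flagging network-path references, which carry no scheme but still name another host.

```typescript
// Added example; all names are hypothetical, not from the Rocket.Chat code base.
type Kind = 'absolute' | 'network-path' | 'relative';

// RFC 3986 scheme followed by ":" (the pattern quoted in the issue, anchored at the start).
const SCHEME_PREFIX = /^[a-zA-Z][a-zA-Z\d+\-.]*:/;

// Assumption: the value is later resolved by a browser. The WHATWG URL parser
// trims leading/trailing C0 controls and spaces and drops tab/CR/LF anywhere,
// so " java\nscript:x" still resolves as a javascript: URL. Mirror that first.
function normalizeLikeBrowser(input: string): string {
  return input.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\n\r]/g, '');
}

function classifyURL(input: string): Kind {
  const value = normalizeLikeBrowser(input);
  if (SCHEME_PREFIX.test(value)) {
    return 'absolute';
  }
  // "//host/x" has no scheme, so RFC 3986 calls it a relative reference, yet it
  // names another host. Browsers also read "\" as "/" when resolving against http(s).
  if (/^[\/\\]{2}/.test(value)) {
    return 'network-path';
  }
  return 'relative';
}

// Behaviour the issue expects: everything without a scheme is relative.
function isRelativeURL(input: string): boolean {
  return classifyURL(input) !== 'absolute';
}

// Stricter variant for redirect or link targets that must stay on the current host.
function isSameHostPath(input: string): boolean {
  return classifyURL(input) === 'relative';
}

// Constructed sample inputs.
const SAMPLES: string[] = ['test', '.', '..', '/path', './test', '../test',
  'data:text/plain,hi', 'https://example.com', 'javascript:void(0)',
  ' javascript:void(0)', 'java\nscript:void(0)', '//example.com/x', '/\\example.com'];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), classifyURL(sample), isRelativeURL(sample));
}
```
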
