Potential fix for code scanning alert no. 4: Incomplete URL substring sanitization

ascorbic · github-advanced-security[bot] · web-flow · commit e1fdbc628b56 · 2025-08-09T13:53:20.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/packages/cache-handlers/test/deno/security.test.ts b/packages/cache-handlers/test/deno/security.test.ts
@@ -45,9 +45,10 @@ Deno.test("Security - Extremely long cache keys", () => {
 
 	// Should not throw and should handle gracefully
 	const cacheKey = defaultGetCacheKey(request);
+	const parsedUrl = new URL(cacheKey);
 	assert(
-		cacheKey.startsWith("https://example.com"),
-		"Cache key should start with origin",
+		parsedUrl.host === "example.com",
+		"Cache key should have host 'example.com'",
 	);
 	assert(cacheKey.length > 100000, "Cache key should be long");
 });
@@ -75,9 +76,10 @@ Deno.test("Security - Vary header bomb attack", () => {
 
 	// Should complete in reasonable time (less than 100ms)
 	assert(duration < 100, `Cache key generation took too long: ${duration}ms`);
+	const parsedUrl = new URL(cacheKey);
 	assert(
-		cacheKey.startsWith("https://example.com"),
-		"Cache key should start with origin",
+		parsedUrl.host === "example.com",
+		"Cache key should have host 'example.com'",
 	);
 });
 
