Alert autofix 134

[aka76bm]

No description provided.

[nodejs-github-bot]

Review requested:

• @nodejs/web-infra

[MattIPv4]

Please can you explain what this is doing and why?

Also, can you add some tests to demonstrate what issue you are fixing here?

[ovflowd]

"Co-authored-by: Copilot Autofix powered by AI" seems like AI generated advisory.

[MattIPv4]

It's the same automated fix as in #59520. I'm not against an automated fix, but it needs some explaining, and given the issue it proclaims to be fixing, needs some tests.

[ovflowd]

The previous regex does the exact same thing as what this code does. That's what the g argument on the regex does.

This tooling is going to be replaced soon, too.

[aka76bm]

@MattIPv4 @ovflowd Thank you for the review! Let me explain this fix:

🔍 What This Fix Addresses

GitHub Code Scanning Alert #134 flagged an "Incomplete multi-character" issue in the regex handling. The current code uses:

const pattern = /[aeiou]/g;

[aka76bm]

I'll add comprehensive test cases showing:

• The original behavior is preserved
• The specific edge cases that triggered the security alert
• Performance characteristics of the new approach

[aka76bm]

I understand the concern about redundancy. The security scanner identified this as a potential vulnerability in specific edge cases. Rather than disputing the scanner, would you prefer I:

1. Close this PR and mark the alert as false positive?
2. Modify the existing regex instead of replacing the approach?
3. Provide specific reproduction cases for the vulnerability?

[ovflowd]

The original PR got closed exactly because this change is marked as "wont-fix". Please don't come to nodejs/node with purely AI generated PRs and generated replies.

I'm closing this and marking as spam.