CodeQL alert #54 (js/identity-replacement, medium): https://github.com/bounded-systems/prx/security/code-scanning/54
packages/prx/scripts/codemod/extract-module.ts:179 calls .replace(/\.ts$/, ".ts") on the result of targetRel.split("/").pop() — replacing '.ts' with itself, a no-op. pop() already returns the filename with its extension, so the .replace(...) is dead code (likely a leftover from when it mapped .ts→.js or stripped the extension).
Fix: drop the .replace(/\.ts$/, ".ts") call (moduleSpecifier becomes ./${targetRel.split('/').pop()}). Benign — codemod tooling, not product runtime — but it clears the standing CodeQL alert on main.
AC:
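An added example, not part of the issue or the prx code base: a simplified text heuristic for the same class of finding, useful for checking that no other `.replace()` in the codemod scripts swaps a literal for itself. It is not CodeQL's query; `findIdentityReplacements`, `literalOf` and the sample lines are hypothetical names and constructed input.

```typescript
// Simplified text heuristic for js/identity-replacement; not CodeQL's actual query.
interface Finding { line: number; call: string }
// Matches .replace(/pattern/flags, "replacement") with a regex-literal first argument.
const REPLACE_CALL =
  /\.replace\(\s*\/((?:\\.|[^\/\\\n])+)\/([a-z]*)\s*,\s*(["'])((?:(?!\3)[^\\\n])*)\3\s*\)/g;

// Returns the single string a pattern can match, or null if it is not a plain literal.
function literalOf(pattern: string): string | null {
  let out = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern.charAt(i);
    if (ch === "\\") {
      const next = pattern.charAt(++i);
      if (next === "" || /[A-Za-z0-9]/.test(next)) return null; // \d, \w, \1 ...
      out += next; // escaped punctuation such as \. stands for itself
    } else if ((ch === "^" && i === 0) || (ch === "$" && i === pattern.length - 1)) {
      continue; // leading or trailing anchor matches no characters
    } else if (".*+?()[]{}|^$".indexOf(ch) !== -1) {
      return null; // metacharacter: the pattern can match more than one string
    } else {
      out += ch;
    }
  }
  return out;
}

function findIdentityReplacements(source: string): Finding[] {
  const findings: Finding[] = [];
  REPLACE_CALL.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = REPLACE_CALL.exec(source)) !== null) {
    const [call = "", pattern = "", flags = "", , replacement = ""] = m;
    // Skip cases where identity is not guaranteed: /i can change case, $ is special.
    if (flags.indexOf("i") !== -1 || replacement.indexOf("$") !== -1) continue;
    if (literalOf(pattern) === replacement) {
      findings.push({ line: source.slice(0, m.index).split("\n").length, call });
    }
  }
  return findings;
}

// Constructed sample input; only the first line mirrors the call from the alert.
const SAMPLE = [
  'const spec = `./${targetRel.split("/").pop()!.replace(/\\.ts$/, ".ts")}`;',
  'const js = name.replace(/\\.ts$/, ".js");   // real mapping, not flagged',
  'const bare = name.replace(/\\.ts$/, "");    // strips extension, not flagged',
  'const any = name.replace(/a.b/, "a.b");     // "." is a wildcard, not flagged',
].join("\n");
```

Only the first sample line is reported; the `.ts`→`.js` mapping and the extension strip, the two earlier forms the issue guesses at, are left alone.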