diff --git a/eng/pr-risk-scan.mjs b/eng/pr-risk-scan.mjs
index 3acce983..5fe71924 100644
--- a/eng/pr-risk-scan.mjs
+++ b/eng/pr-risk-scan.mjs
@@ -148,7 +148,7 @@ function normalizeRelativePath(value) {
 return "";
 }
- if (cleaned.includes("..")) {
+ if (/(^|\/)\.\.(\/|$)/.test(cleaned)) {
 throw new Error(`Unsafe relative path in changed files list: ${value}`);
 }
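Review bot: The new segment test in normalizeRelativePath treats only `/` as a separator, so a `..` segment delimited by a backslash (`..\x`, `a\..\b`) no longer throws, whereas the old `includes("..")` rejected it. Whether `cleaned` has already had backslashes converted is decided above the hunk and is not visible here; if it has not, this narrows the traversal guard on hosts where `\` is a path separator. Accepting both separators still allows names such as `v1..v2.txt`: `if (/(^|[\\/])\.\.([\\/]|$)/.test(cleaned)) {`. A one-line comment such as `// reject ".." only as a whole path segment; dots inside a file name are allowed` would also record why the check is a regex.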