From b9ea0b7d29f9ca7190e96703f8c80222cf9eeb9a Mon Sep 17 00:00:00 2001
From: Aaron Powell
Date: Thu, 11 Jun 2026 16:16:04 +1000
Subject: [PATCH] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 eng/pr-risk-scan.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/pr-risk-scan.mjs b/eng/pr-risk-scan.mjs
index 3acce983..5fe71924 100644
--- a/eng/pr-risk-scan.mjs
+++ b/eng/pr-risk-scan.mjs
@@ -148,7 +148,7 @@ function normalizeRelativePath(value) {
 return "";
 }
- if (cleaned.includes("..")) {
+ if (/(^|\/)\.\.(\/|$)/.test(cleaned)) {
 throw new Error(`Unsafe relative path in changed files list: ${value}`);
 }
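Review bot: The new segment test in `normalizeRelativePath` treats only `/` as a separator, so a `..` segment delimited by backslashes (for example `dir\..\x`) is no longer rejected, whereas the old `includes("..")` check caught it. Whether this matters depends on how `cleaned` is built above the hunk, which is not visible here; if backslashes are not already converted to `/` before this line, match both separators: `if (/(^|[\\/])\.\.([\\/]|$)/.test(cleaned)) {`. Since the change deliberately loosens a traversal guard, a short comment would record the intent, e.g. `// Reject ".." only as a whole path segment; file names such as "a..b" are allowed.`. The function's body starts and ends outside the hunk, so any separator normalisation or absolute-path check elsewhere in it should be confirmed against the full file.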