False positive: 'URL strings' alert on textlint domain-checking rule

[h13]

Package

textlint-rule-rfc2606-domains

Alert

URL strings (SUPPLY CHAIN RISK)

Socket flags example.com, example.net, example.org as external URLs that the package "may be accessing at runtime."

Why this is a false positive

This package is a textlint rule that detects placeholder domains in documentation and suggests RFC 2606 reserved domains. The flagged strings are string constants used purely for comparison — the package never makes any network requests.

// These are comparison constants, not URLs accessed at runtime
const RESERVED_DOMAINS = new Set(["example.com", "example.net", "example.org"]);

The entire source is a single file with zero runtime dependencies and no fetch, http, https, or any network imports: https://github.com/h13/textlint-rule-rfc2606-domains/blob/main/src/index.ts

Request

Please consider either:

1. Marking this as a false positive for this package
2. Excluding RFC 2606 reserved domains (example.com, example.net, example.org) from the URL strings heuristic, since they are explicitly reserved for documentation use and cannot pose a supply chain risk

[h13]

Additional analysis

I investigated the socket-cli codebase to understand how urlStrings alerts could be improved. Here's what I found:

Current flow

1. Socket API detects URL-like strings in package source and returns them as urlStrings alerts
2. addArtifactToAlertsMap() in package-alert.mts processes alerts with enable/disable filtering via socket.yml issueRules
3. No URL-level filtering exists — the only option is to disable urlStrings entirely

Proposal: Exclude RFC 2606 reserved domains from urlStrings detection

RFC 2606 reserves example.com, example.net, and example.org specifically for use in documentation and examples. By definition, these domains:

• Cannot be registered by any entity
• Cannot serve as data exfiltration endpoints
• Cannot load untrusted code
• Pose zero supply chain risk

Option A (server-side): Exclude RFC 2606 domains from urlStrings detection in the analysis engine. This would prevent false positives for any package that references these documentation-standard domains.

Option B (client-side): Add filtering in addArtifactToAlertsMap() to skip urlStrings alerts where all detected URLs are RFC 2606 reserved domains (would need alert.props structure documentation).

Option A is preferred as it fixes the root cause and benefits all Socket users.

Impact

This affects any package that legitimately references RFC 2606 domains — linters, documentation tools, URL validators, etc. Our package textlint-rule-rfc2606-domains has a Supply Chain Security score of 70 solely because of this false positive.

Happy to submit a PR if you can point me to the right place for either option.