Open
Description
Describe the bug
CodeQL's javascript-security-extended.qls suite finds a js/remote-property-injection vulnerability.
To Reproduce
Prerequisites:
Have CodeQL installed and ensure that the queries are at least version 2.1.2.
Have a way to view SARIF content, e.g. Visual Studio Code's SARIF extension.
Steps:
- Create a CodeQL database from the dist folder content:
  `codeql database create ./codeql-db --language=javascript --overwrite`
- Run the javascript-security-extended suite:
  `codeql database analyze ./codeql-db codeql/javascript-queries:codeql-suites/javascript-security-extended.qls --format=sarifv2.1.0 --output=codeql-results.sarif`
- Examine codeql-results.sarif; it contains the mentioned vulnerability.
Expected behavior
CodeQL doesn't raise any findings.
Setup details
The scanned version of url-parse was 1.5.10.