Security finding for JQuery 3.6.0 version

[blueberry80]

Hi everyone,
Need your help regarding this issue. My codes that have jQuery 3.6.0.js are being scanned by Semgrep and came back with the following findings. Can I check whether are all of these false findings ? If no, how do I resolve it?

1) Improper Control of Generation of Code ('Code Injection')
Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.

`jQuery.propFix[this.toLowerCase()] = this;`
while ((elem = results[i++])) {

2) Incorrect Regular Expression
RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.

   (pattern = new RegExp("(^|" + whitespace +
                            ")" + className + "(" + whitespace + "|$)")) && classCache(

3. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
   A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system

                    xhr.open(
                        options.type,
                        options.url,
                        options.async,
                        options.username,
                        options.password
                    );

[gibson042]

Those all look like false findings to me. Direct inspection of https://code.jquery.com/jquery-3.6.0.js shows that jQuery.propFix[ this.toLowerCase() ] and elem = results[ i++ ] are in fact applying only to controlled input, that the className in finding 2 is constrained to match new RegExp( "^\\.(" + identifier + ")" ) unless matchExpr (jQuery.expr.match) has been modified, and that xhr.open is not an "fs" call (although guarding against "file:///" URLs is important).