In one of my projects, I have URLs in TypeScript comments and the README for documentation purposes.
It seems like Socket is flagging one of these as a supply chain risk, even though it is not in the code itself: https://socket.dev/npm/package/@twocaretcat/astro-snapshot/alerts/2.2.0?alert_name=urlStrings. I can't tell whether it has a problem with README.md or types.ts, but I'd assume it's the latter.
Is this intentional? If so, what is the risk here? Obviously, I don't want to remove links to external documentation just to appease Socket.