False positive with URL in package.swift dependencies

On a Swift project, SonarCloud reports a violation of S1075, “URIs should not be hardcoded” in the dependencies of a project.

Given that the Swift Package Manager (SPM) defines dependencies by “a relative or absolute URL to the source of the package”, it seems that URLs in package dependencies should not trigger this rule.

Minimal example of triggering code:

// swift-tools-version:5.3

import PackageDescription

let package = Package(
    name: "WMATAUI",
    dependencies: [
        .package(name: "WMATA", url: "https://github.com/emma-k-alexandra/WMATA.swift", from: "8.4.0")