javascript:S4784 Using regular expressions is security-sensitive should acknowledge literal characters

Sonar version 7.9.
I’m unaware of other versions in use as I dont have control over them.

Example code

const expr = /\*+/g;
inputStr.replace(expr, '*');

Expected behavior: the rule is not triggered because the asterisk is a literal character.

Current behavior: the rule is triggered because the * asterisk AND + both appear in the expression, raising the rule’s counter to the threshold of 2.