Thank you for the suggestions for rule S5148. Let me give you an answer per case:
Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):
We already try to exclude relative URLs from S5148 (for example, hrefs that start with a /.) But it looks like URLs starting with # were not considered yet. I’ve created a ticket internally so we can fix this.
Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):
I created an internal ticket so we can research this suggestion. For now, rule S5148 does not have framework-specific exclusions. I think it should be feasible to add this as an exclusion to .cshtml files specifically.
That “now” implies a relatively recent (2019 / 2020 / 2021) time period.
Evergreen browsers are of course covered, but the ability to fully skip noopener depends on what browsers developers need to support (see compatibility table on Can I Use).
It might be sensible to remove this rule from the standard Sonar profile, however.