CodeQL finds an "overly permissive regular expression range" in your code, in parse-push.ts:37, more specifically, the subexpression [*-=], which matches the following characters: *+,-./0123456789:;<= (which happens to also include -). I think the expression should have been [=*-], right?