Cloudflare's Handling of an RCE Vulnerability in Cdnjs

Here’s the corresponding blog post from the researcher, describing how they discovered the vulnerability: <a href="https:&#x2F;&#x2F;blog.ryotak.me&#x2F;post&#x2F;cdnjs-remote-code-execution-en&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.ryotak.me&#x2F;post&#x2F;cdnjs-remote-code-execution-en&#x2F;</a>

I thought Docker containers weren’t meant to be secure sandboxes, but more of a convenience? It seems they did additional work but perhaps the role of the docker container has changed over time?

The comment about U+2215 being treated as a path separator seems completely unfounded to me. All info I could find mention that the path separator is hardcoded as the ASCII slash. Is there a normalization layer in Go that would convert U+2215 into a ‘&#x2F;’?