@ericcornelissen/lregexp 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/LICENSE +1 -1
  2. package/README.md +67 -13
  3. package/SECURITY.md +9 -0
  4. package/package.json +2 -2
package/LICENSE CHANGED
@@ -1,6 +1,6 @@
1
1
  MIT License
2
2
 
3
- Copyright (c) 2025 Eric Cornelissen
3
+ Copyright (c) 2025-2026 Eric Cornelissen
4
4
 
5
5
  Permission is hereby granted, free of charge, to any person obtaining a copy
6
6
  of this software and associated documentation files (the "Software"), to deal
package/README.md CHANGED
@@ -1,21 +1,33 @@
1
1
  # lRegExp
2
2
 
3
- Transparently create linear-time ([non-backtracking]) regular expressions.
3
+ Transparent linear-time ([non-backtracking]) regular expressions for libraries.
4
4
 
5
5
  [non-backtracking]: https://v8.dev/blog/non-backtracking-regexp
6
6
 
7
7
  ## Usage
8
8
 
9
- This library exports a drop-in replacement for the built-in RegExp.
9
+ This library exports a drop-in replacement for the built-in RegExp ([caveats]
10
+ apply).
10
11
 
11
- ```shell
12
- npm install @ericcornelissen/lregexp
13
- ```
12
+ 1. Install
14
13
 
15
- ```javascript
16
- import RegExp from "@ericcornelissen/lregexp";
17
- new RegExp("[linear]{6}");
18
- ```
14
+ ```shell
15
+ npm install @ericcornelissen/lregexp
16
+ ```
17
+
18
+ 2. Import
19
+
20
+ ```javascript
21
+ import RegExp from "@ericcornelissen/lregexp";
22
+ ```
23
+
24
+ 3. Use
25
+
26
+ ```javascript
27
+ new RegExp("[linear]{6}");
28
+ ```
29
+
30
+ [caveats]: #caveats
19
31
 
20
32
  ## Why
21
33
 
@@ -23,9 +35,51 @@ Backtracking regular expressions can take exponential time to evaluate, leading
23
35
  to the dreaded _ReDoS_ vulnerability. Linear-time regular expressions avoid this
24
36
  by not backtracking.
25
37
 
38
+ In Node.js, linear-time regular expressions can be created using the `l` flag
39
+ provided the `--enable-experimental-regexp-engine` CLI option is used. This
40
+ makes it difficult for library authors to tap into. Using this package, a
41
+ library can use the RegExp constructor as usual and benefit from the linear time
42
+ regular expression engine when its users enable it. If they don't, it gracefully
43
+ falls back to the default constructor.
44
+
26
45
  ## Caveats
27
46
 
28
- Not all regular expression constructs are valid in a linear-time regular
29
- expression and this library won't tell you your regular expression is
30
- incompatible unless you run it with the non-backtracking engine, in which
31
- case it throws an error.
47
+ Not all valid JavaScript regular expressions are supported when using the
48
+ `--enable-experimental-regexp-engine` CLI option. This library won't tell you if
49
+ your regular expressions are incompatible, unless you run it with that CLI
50
+ option. If a regular expression is incompatible the constructor will throw a
51
+ SyntaxError.
52
+
53
+ To support users of this package in writing compatible regular expressions we're
54
+ interested in:
55
+
56
+ - an ESLint plugin to lint regular expressions and raise warnings for the use of
57
+ regex features not supported by the non-backtracing engine; ([#4])
58
+ - a tool (CLI/web) to check a given regular expression for compatibility with
59
+ the non-backtracing engine. ([#21])
60
+
61
+ [#4]: https://github.com/ericcornelissen/lregexp/issues/4
62
+ [#21]: https://github.com/ericcornelissen/lregexp/issues/21
63
+
64
+ ## How
65
+
66
+ If `--enable-experimental-regexp-engine` is used, the RegExp constructor from
67
+ this package automatically adds the `l` flag to all regular expressions it
68
+ constructs. If not, the RegExp constructor behavior is unchanged.
69
+
70
+ ## Example
71
+
72
+ A classic example of a ReDoS-vulnerable regular expression is `(a*)*b`. Using
73
+ this with vanilla Node.js on a pathological input string takes some time, test
74
+ it for yourself with (add an `a` and the runtime doubles):
75
+
76
+ ```shell
77
+ node -e '/(a*)*b/.test("aaaaaaaaaaaaaaaaaaaaaaaaac")'
78
+ ```
79
+
80
+ When the non-backtracking regular expression engine is enabled, the expression
81
+ evaluates instantly:
82
+
83
+ ```shell
84
+ node -e '/(a*)*b/l.test("aaaaaaaaaaaaaaaaaaaaaaaaac")' --enable-experimental-regexp-engine
85
+ ```
package/SECURITY.md ADDED
@@ -0,0 +1,9 @@
1
+ # Security Policy
2
+
3
+ All security issues in `@ericcornelissen/lregexp` should be reported publicly as
4
+ bugs. Private reports will be made public by the maintainers after 7 days with
5
+ best-effort attribution.
6
+
7
+ This document should be considered expired after 2026-06-01. If you are reading
8
+ this after that date you should try to find an up-to-date version in the source
9
+ repository.
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@ericcornelissen/lregexp",
3
- "description": "Transparently create linear-time regular expressions",
4
- "version": "1.0.5",
3
+ "description": "Transparent linear-time (non-backtracking) regular expressions for libraries",
4
+ "version": "1.0.6",
5
5
  "license": "MIT",
6
6
  "type": "module",
7
7
  "exports": {