@rezalabs/safe-regex2 6.0.0

package/.gitattributes

@@ -0,0 +1,2 @@
+# Set default behavior to automatically convert line endings
+* text=auto eol=lf

package/CHANGELOG.md

@@ -0,0 +1,31 @@
+# Changelog
+
+## 6.0.0 — 2026-05-18
+
+Maintained fork of [fastify/safe-regex2](https://github.com/fastify/safe-regex2). First release under `@rezalabs/safe-regex2`.
+
+### Breaking changes
+
+- **Dependency changed** — Uses `@rezalabs/ret` instead of `ret`. The parser is a drop-in replacement but the package name differs.
+
+- **New exports** — `analyze()` and `fix()` added alongside the existing default export. Code that iterates over `require('safe-regex2')` keys may see new properties.
+
+### New features
+
+- **Alternation-based ReDoS detection** — Alternatives inside a quantifier where one is a literal prefix of another (e.g., `(a|aa|aaa)+`) are now flagged as unsafe. Previously only nested repetition (star height > 1) was detected.
+
+- **`analyze(re)` export** — Returns a detailed risk assessment with severity level (`none`, `low`, `high`, `critical`), specific reasons, diagnostic metrics (star height, repetition count, alternation overlap), anchoring and static suffix detection, and an auto-fix suggestion if available.
+
+- **`fix(re)` export** — Attempts to produce a safe version of an unsafe regex by stripping redundant outer quantifiers or collapsing same-character alternatives. Every fix is verified safe before being returned.
+
+- **Severity scoring** — `analyze()` assigns severity based on star height depth, alternation overlap, and repetition count. Patterns anchored with `^...$` or ending with a literal suffix have reduced severity.
+
+### Bug fixes
+
+- **`reconstruct()` max handling** — Fixed `reconstruct()` producing `{1,null}` instead of `+` by converting `null` max values to `Infinity` when building fixed AST nodes.
+
+### Meta
+
+- Package renamed to `@rezalabs/safe-regex2` (scoped) for npm publishing.
+- Repository updated to `github.com/rezalabs/safe-regex2`.
+- Original author and Fastify contributors credited in contributors section.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019-present The Fastify team <https://github.com/fastify/fastify#team>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,204 @@
+# safe-regex2
+
+[![CI](https://github.com/rezalabs/safe-regex2/actions/workflows/ci.yml/badge.svg)](https://github.com/rezalabs/safe-regex2/actions/workflows/ci.yml)
+[![NPM version](https://img.shields.io/npm/v/@rezalabs/safe-regex2.svg?style=flat)](https://www.npmjs.com/package/@rezalabs/safe-regex2)
+
+Detect, analyze, and automatically fix regular expressions vulnerable to
+catastrophic backtracking (ReDoS).
+
+This package is a fork of [fastify/safe-regex2](https://github.com/fastify/safe-regex2),
+which was itself a fork of the original `safe-regex` by James Halliday (substack).
+The original author's GitHub account is no longer available, but the code lives on.
+
+## What it does
+
+Three functions:
+
+| Function | Returns | Purpose |
+|----------|---------|---------|
+| `safeRegex(re)` | `boolean` | Quick check: is this regex safe or not? |
+| `analyze(re)` | `object` | Detailed risk assessment with severity scoring |
+| `fix(re)` | `object` | Attempt to produce a safe version of an unsafe regex |
+
+It detects two classes of ReDoS vulnerability:
+
+1. **Nested repetition** (star height > 1). Patterns like `(a+)+` or `(x+x+)+y`
+   where quantifiers are nested inside other quantifiers, creating exponential
+   backtracking paths.
+
+2. **Alternation prefix overlap**. Patterns like `(a|aa|aaa)+` where alternatives
+   inside a quantifier share a literal prefix, allowing the engine to partition
+   the same input in exponentially many ways.
+
+## Install
+
+```sh
+npm install @rezalabs/safe-regex2
+```
+
+## Quick check
+
+```js
+const safe = require('@rezalabs/safe-regex2')
+
+safe('(beep|boop)*')  // true
+safe('(a+)+')         // false
+safe('(a|aa|aaa)+')   // false
+```
+
+The input can be a `RegExp` object or a string. Invalid regex strings return `false`.
+
+## Analyze
+
+The `analyze()` function returns a detailed report instead of a boolean.
+
+```js
+const { analyze } = require('@rezalabs/safe-regex2')
+
+const result = analyze('(a+)+y')
+```
+
+Returns:
+
+```js
+{
+  safe: false,
+  severity: 'low',             // 'none' | 'low' | 'high' | 'critical'
+  reasons: [
+    'Nested repetition detected (star height 2)'
+  ],
+  starHeight: 2,
+  repCount: 2,
+  hasAlternationReDoS: false,
+  anchored: false,
+  hasStaticSuffix: true,        // the 'y' at the end reduces practical risk
+  fix: '(a+)y'                  // auto-generated safe version
+}
+```
+
+### Severity levels
+
+| Level | Meaning |
+|-------|---------|
+| `none` | No issues detected. The regex is safe. |
+| `low` | Minor issues or structural issues mitigated by anchoring or a static suffix. |
+| `high` | Nested repetition or alternation prefix overlap. Real ReDoS risk. |
+| `critical` | Deeply nested repetition (star height 3+). Extreme risk. |
+
+Mitigating factors lower severity by one level. If a pattern is anchored
+(`^...$`) or ends with a literal character suffix, the practical risk of
+catastrophic backtracking is reduced because the engine's backtracking is
+constrained.
+
+## Auto-fix
+
+The `fix()` function attempts to produce a safe version of an unsafe regex.
+
+```js
+const { fix } = require('@rezalabs/safe-regex2')
+
+fix('(a+)+y')
+// { safe: false, fixed: '(a+)y', original: '(a+)+y' }
+
+fix('(a|aa|aaa)+')
+// { safe: false, fixed: 'a+', original: '(a|aa|aaa)+' }
+
+fix('^[a-z]+$')
+// { safe: true, fixed: null, original: '^[a-z]+$' }
+```
+
+Current fix strategies:
+
+- **Strip redundant outer quantifiers.** `(a+)+y` becomes `(a+)y`. The inner
+  quantifier already provides the repetition; the outer one only creates
+  backtracking paths.
+
+- **Collapse same-character alternatives.** `(a|aa|aaa)+` becomes `a+`. When
+  all alternatives are sequences of the same character, a single quantifier
+  covers all of them.
+
+Every suggested fix is verified to be safe before being returned. If no safe
+fix can be generated, `fixed` is `null`.
+
+Note: auto-fix preserves matching behavior but may change capture group
+semantics. Verify the fix against your intended behavior.
+
+## CLI
+
+```sh
+npx @rezalabs/safe-regex2 '(x+x+)+y'
+```
+
+## Options
+
+Both `safeRegex()`, `analyze()`, and `fix()` accept an optional `limit` parameter:
+
+```js
+safe(pattern, { limit: 50 })
+analyze(pattern, { limit: 50 })
+fix(pattern, { limit: 50 })
+```
+
+`limit` controls the maximum number of repetitions allowed across the entire
+regex. Default is `25`. Patterns exceeding this limit are flagged.
+
+## API
+
+```js
+const safe = require('@rezalabs/safe-regex2')
+```
+
+### `safe(re, opts?)` -> `boolean`
+
+Returns `true` if the regex is safe, `false` if it is potentially catastrophic
+or syntactically invalid.
+
+### `safe.analyze(re, opts?)` -> `object`
+
+Returns a detailed risk assessment. See the Analyze section above.
+
+### `safe.fix(re, opts?)` -> `object`
+
+Returns `{ safe, fixed, original }`. See the Auto-fix section above.
+
+## How it works
+
+The regex pattern is parsed into an AST using `@rezalabs/ret`. The walker then
+traverses the tree and checks:
+
+1. **Star height.** Each `REPETITION` node increments the star height counter.
+   When it exceeds 1, the regex has nested quantifiers and exponential
+   backtracking paths.
+
+2. **Repetition count.** The total number of `REPETITION` nodes is compared
+   against the limit. Too many quantifiers in one pattern is a risk indicator.
+
+3. **Alternation overlap.** For each quantifier containing alternatives,
+   the literal prefixes of each alternative are compared. If one prefix is
+   a prefix of another, the engine can partition matching input in
+   combinatorially many ways.
+
+## Limitations
+
+This is a heuristic analyzer, not a formal verification tool. It has both
+false positives (flagging safe patterns) and false negatives (missing unsafe
+ones). Known gaps:
+
+- Alternation overlap is only detected for literal character prefixes.
+  Patterns like `(\\d|\\w)+` where character classes overlap are not caught.
+- The auto-fix cannot safely rewrite general alternation overlap like
+  `(ab|abc)+`. Such patterns require a non-regex parser.
+- Some patterns with star height 2 are flagged but are actually safe in
+  practice due to their structure.
+
+## Credits
+
+- **James Halliday** (substack) wrote the original `safe-regex` package.
+- The **Fastify** team maintained it as `safe-regex2` with TypeScript types,
+  modern tooling, and updated dependencies.
+- **RezaLabs** added alternation-based detection, risk analysis, auto-fix,
+  and continues maintenance.
+
+## License
+
+[MIT](./LICENSE)

package/bin/safe-regex2.js

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+'use strict'
+
+const { parseArgs } = require('node:util')
+const { safeRegex } = require('../index.js')
+
+const { version } = require('../package.json')
+
+const { values: options, positionals } = parseArgs({
+  allowPositionals: true,
+  options: {
+    version: {
+      type: 'boolean',
+      short: 'v',
+      default: false,
+    },
+    help: {
+      type: 'boolean',
+      short: 'h',
+      default: false,
+    }
+  },
+})
+
+function help () {
+  console.log(`Usage: safe-regex2 [options] <regex>
+
+Check if a regular expression is safe to use in a production environment.
+
+Options:
+  -v, --version          Display the version number
+  -h, --help             Display this help message
+  <regex>                The regular expression to check`
+  )
+}
+
+if (options.help) {
+  help()
+} else if (options.version) {
+  console.log(version)
+} else {
+  if (positionals.length === 0) {
+    help()
+  } else if (positionals.length > 1) {
+    console.error('Error: Too many positional arguments.')
+    help()
+  } else {
+    const regex = positionals[0]
+    const isSafe = safeRegex(regex)
+    if (isSafe === false) {
+      console.error('Provided regex is invalid or unsafe.')
+      process.exit(1)
+    } else {
+      console.log('Provided regex is safe.')
+      process.exit(0)
+    }
+  }
+}

package/index.js

@@ -0,0 +1,663 @@
+'use strict'
+
+const parse = require('@rezalabs/ret')
+const { types } = require('@rezalabs/ret')
+const { reconstruct } = require('@rezalabs/ret')
+
+/**
+ * Extracts the leading literal character code points from a token stack.
+ * Stops at the first non-CHAR token (e.g., SET, GROUP, REPETITION).
+ * Used to compare literal prefixes between alternatives for ReDoS detection.
+ *
+ * @param {Array} stack - Array of AST tokens forming one alternative
+ * @returns {number[]} Array of character code points
+ */
+function getLiteralPrefix (stack) {
+  const chars = []
+  for (let i = 0; i < stack.length; i++) {
+    if (stack[i].type === types.CHAR) {
+      chars.push(stack[i].value)
+    } else {
+      break
+    }
+  }
+  return chars
+}
+
+/**
+ * Checks whether alternatives inside a quantifier have overlapping literal
+ * prefixes, which causes catastrophic backtracking.
+ *
+ * When one alternative is a prefix of another (e.g., `a` vs `aa` inside `+`),
+ * the regex engine can partition the same input in exponentially many ways.
+ * Example: `(a|aa|aaa)+` on a string of `a`s — 2^(n-1) paths.
+ *
+ * @param {Array} options - Array of alternative token stacks
+ * @returns {boolean} true if any pair has a prefix-overlap problem
+ */
+function hasAlternationReDoS (options) {
+  if (!Array.isArray(options) || options.length < 2) return false
+
+  const prefixes = options.map(function (opt) {
+    return getLiteralPrefix(opt)
+  }).filter(function (p) {
+    return p.length > 0
+  })
+
+  // Need at least two alternatives with literal prefixes to have overlap
+  if (prefixes.length < 2) return false
+
+  for (let i = 0; i < prefixes.length; i++) {
+    for (let j = i + 1; j < prefixes.length; j++) {
+      const a = prefixes[i]
+      const b = prefixes[j]
+
+      // Check if one is a prefix of the other (shorter is prefix of longer)
+      const shorter = a.length <= b.length ? a : b
+      const longer = a.length <= b.length ? b : a
+
+      let prefixMatch = true
+      for (let k = 0; k < shorter.length; k++) {
+        if (shorter[k] !== longer[k]) {
+          prefixMatch = false
+          break
+        }
+      }
+
+      if (prefixMatch) return true
+    }
+  }
+
+  return false
+}
+
+/**
+ * Recursively searches a subtree for alternatives with overlapping literal
+ * prefixes. Used to detect alternation-based ReDoS that may be nested
+ * inside groups within a quantifier (e.g., `(?:(a|aa|aaa))+` where the
+ * alternatives are one level deeper than the REPETITION node).
+ *
+ * @param {*} node - AST node to search
+ * @returns {boolean} true if overlapping alternatives are found
+ */
+function findOverlappingAlternatives (node) {
+  if (!node || typeof node !== 'object') return false
+
+  // If this node has alternatives (options), check for prefix overlap
+  if (node.options && hasAlternationReDoS(node.options)) return true
+
+  // Recurse into linear children (stack)
+  if (node.stack) {
+    for (let i = 0; i < node.stack.length; i++) {
+      if (findOverlappingAlternatives(node.stack[i])) return true
+    }
+  }
+
+  // Recurse into value (REPETITION's inner node, or any other value child)
+  if (node.value) {
+    if (findOverlappingAlternatives(node.value)) return true
+  }
+
+  return false
+}
+
+/**
+ * Recursively traverses the parsed regex AST, tracking repetition nesting depth
+ * and detecting alternation-based catastrophic backtracking.
+ *
+ * Detects two classes of ReDoS vulnerability:
+ * 1. Nested repetition (star height > 1) — e.g., (a+)+, (x+x+)+y
+ * 2. Alternation prefix overlap — e.g., (a|aa|aaa)+, where one alternative
+ *    is a literal prefix of another, causing O(2^n) partitioning paths
+ *
+ * @param {*} node - Current node in the regex AST
+ * @param {object} opts - Accumulator and limit configuration
+ * @param {number} opts.reps - Count of repetition nodes visited so far in traversal
+ * @param {number} opts.limit - Maximum allowed repetitions across the entire regex
+ * @param {number} starHeight - Current nesting depth of repetition operators in the AST
+ * @returns {boolean} true if the regex subtree is safe, false if catastrophic
+ */
+function walk (node, opts, starHeight) {
+  let i
+  let ok
+  let len
+
+  if (node.type === types.REPETITION) {
+    starHeight++
+    opts.reps++
+
+    // Star height > 1 indicates nested repetition (e.g., (a+)+), which creates
+    // exponential backtracking paths — a hallmark of catastrophic regexes
+    if (starHeight > 1) return false
+    if (opts.reps > opts.limit) return false
+
+    // Check for alternation-based ReDoS: alternatives inside this quantifier
+    // where one literal prefix is a prefix of another (e.g., (a|aa|aaa)+)
+    // Recursively searches through the value subtree for nested alternatives
+    if (findOverlappingAlternatives(node.value)) return false
+  }
+
+  const options = node.options || node.value?.options
+  if (options) {
+    for (i = 0, len = options.length; i < len; i++) {
+      ok = walk({ stack: options[i] }, opts, starHeight)
+      if (!ok) return false
+    }
+  }
+  const stack = node.stack || node.value?.stack
+  if (!stack) return true
+
+  for (i = 0, len = stack.length; i < len; i++) {
+    ok = walk(stack[i], opts, starHeight)
+    if (!ok) return false
+  }
+
+  return true
+}
+
+/**
+ * Checks whether a regular expression is safe from catastrophic backtracking
+ * by parsing it and walking the AST for excessive repetition nesting.
+ *
+ * @param {string|RegExp} re - Regular expression to validate, as a string or RegExp instance
+ * @param {object} [options]
+ * @param {number} [options.limit=25] - Maximum number of repetitions allowed across the regex
+ * @returns {boolean} true if the regex is safe, false if catastrophic or invalid
+ */
+function safeRegex (re, options) {
+  const opts = {
+    reps: 0,
+    limit: options?.limit ?? 25
+  }
+
+  if (isRegExp(re)) re = re.source
+  else if (typeof re !== 'string') re = String(re)
+
+  try {
+    return walk(parse(re), opts, 0)
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Cross-realm-safe check for whether a value is a RegExp instance.
+ * Uses Object.prototype.toString instead of instanceof to work across
+ * different JavaScript realms (e.g., iframes, vm contexts).
+ *
+ * @param {*} x - Value to check
+ * @returns {x is RegExp} true if x is a RegExp object
+ */
+function isRegExp (x) {
+  return Object.prototype.toString.call(x) === '[object RegExp]'
+}
+
+// ── Auto-fix ────────────────────────────────────────────────────────
+
+/**
+ * Attempts to produce a safe version of an unsafe regex by modifying the
+ * parsed AST and reconstructing the pattern string.
+ *
+ * Current fix strategies:
+ * 1. Strip redundant outer quantifiers — (a+)+ → a+, (x+x+)+y → (x+x+)y
+ * 2. Replace overlapping alternatives with canonical covering — (a|aa|aaa)+ → a+
+ *
+ * @param {string|RegExp} re - Regular expression to fix
+ * @param {object} [options]
+ * @param {number} [options.limit=25] - Repetition limit (passed to walk)
+ * @returns {{ safe: boolean, fixed: string|null, original: string }}
+ *     Returns { safe: true, fixed: null } if already safe.
+ *     Returns { safe: false, fixed: '...' } with a suggested fix.
+ *     Returns { safe: false, fixed: null } if cannot auto-fix.
+ */
+function fixRegex (re, options) {
+  const limit = options?.limit ?? 25
+
+  let source
+  if (isRegExp(re)) source = re.source
+  else if (typeof re !== 'string') source = String(re)
+  else source = re
+
+  let ast
+  try {
+    ast = parse(source)
+  } catch {
+    return { safe: false, fixed: null, original: source }
+  }
+
+  // Check if already safe
+  if (walk(ast, { reps: 0, limit }, 0)) {
+    return { safe: true, fixed: null, original: source }
+  }
+
+  // Try to fix: clone the AST and apply transforms
+  const fixedAst = fixNode(ast, limit)
+  if (!fixedAst) {
+    return { safe: false, fixed: null, original: source }
+  }
+
+  let fixed
+  try {
+    fixed = reconstruct(fixedAst)
+  } catch {
+    return { safe: false, fixed: null, original: source }
+  }
+
+  // Verify the fix is actually safe
+  const stillUnsafe = !walk(parse(fixed), { reps: 0, limit }, 0)
+  if (stillUnsafe) {
+    return { safe: false, fixed: null, original: source }
+  }
+
+  return { safe: false, fixed, original: source }
+}
+
+/**
+ * Checks whether a node's subtree contains a REPETITION that would
+ * cause starHeight > maxDepth, indicating nested repetition ReDoS.
+ *
+ * @param {*} node - AST node to check
+ * @param {number} depth - Current star height depth
+ * @param {number} maxDepth - Maximum allowed star height (typically 1)
+ * @returns {boolean} true if any descendant exceeds maxDepth
+ */
+function hasDeepRepetition (node, depth, maxDepth) {
+  if (!node || typeof node !== 'object') return false
+
+  if (node.type === types.REPETITION) {
+    depth++
+    if (depth > maxDepth) return true
+  }
+
+  // Check options (alternatives)
+  const options = node.options || node.value?.options
+  if (options) {
+    for (let i = 0; i < options.length; i++) {
+      if (hasDeepRepetition({ stack: options[i] }, depth, maxDepth)) return true
+    }
+  }
+
+  // Check stack (linear children)
+  const stack = node.stack || node.value?.stack
+  if (stack) {
+    for (let i = 0; i < stack.length; i++) {
+      if (hasDeepRepetition(stack[i], depth, maxDepth)) return true
+    }
+  }
+
+  return false
+}
+
+/**
+ * Attempts to transform a (sub)tree to eliminate ReDoS vulnerabilities.
+ * Works top-down: if a REPETITION's descendants would exceed star height,
+ * the outer REPETITION is stripped instead of inner quantifiers.
+ *
+ * @param {*} node - AST node to fix
+ * @param {number} limit - Repetition limit
+ * @returns {*|null} Fixed node, or null if unfixable
+ */
+function fixNode (node, limit) {
+  if (!node || typeof node !== 'object') return node
+
+  if (node.type === types.REPETITION) {
+    // Strategy 1: Strip outer quantifier if descendants have nested repetition.
+    // Top-down check: if any descendant causes starHeight > 1, remove THIS
+    // quantifier rather than inner ones (which preserves semantics better).
+    if (hasDeepRepetition(node.value, 1, 1)) {
+      const inner = node.value
+      if (!inner) return null
+      // Return the inner value as-is. Inner quantifiers preserved.
+      return fixNode(inner, limit)
+    }
+
+    // Strategy 2: Fix alternation prefix overlap inside this quantifier
+    if (findOverlappingAlternatives(node.value)) {
+      return fixAlternationReDoS(node, limit)
+    }
+  }
+
+  // Recursively fix children (preserve current structure, just clean children)
+  const result = { ...node }
+
+  if (result.options) {
+    result.options = result.options.map(function (opt) {
+      return fixNode({ stack: opt }, limit)
+    }).map(function (n) {
+      return n.stack || []
+    })
+  }
+
+  if (result.stack) {
+    result.stack = result.stack.map(function (child) {
+      return fixNode(child, limit)
+    })
+  }
+
+  if (result.value) {
+    result.value = fixNode(result.value, limit)
+  }
+
+  return result
+}
+
+/**
+ * Finds the first GROUP node with alternatives (options) in a subtree.
+ * Used to locate overlapping alternatives nested inside other groups.
+ *
+ * @param {*} node - AST node to search
+ * @returns {{ group: object, options: Array }|null}
+ */
+function findGroupWithOptions (node) {
+  if (!node || typeof node !== 'object') return null
+  if (node.options && node.options.length >= 2) {
+    return { group: node, options: node.options }
+  }
+  const stack = node.stack || node.value?.stack
+  if (stack) {
+    for (let i = 0; i < stack.length; i++) {
+      const found = findGroupWithOptions(stack[i])
+      if (found) return found
+    }
+  }
+  return null
+}
+
+/**
+ * Fixes alternation-based ReDoS inside a quantifier by replacing
+ * overlapping alternatives with a canonical covering pattern.
+ *
+ * For (a|aa|aaa)+ — all alternatives are sequences of the same char,
+ * so the fix is just char+ (e.g., a+).
+ *
+ * @param {*} repNode - The REPETITION node containing alternation
+ * @param {number} limit - Repetition limit
+ * @returns {*|null} Fixed AST node, or null if unfixable
+ */
+function fixAlternationReDoS (repNode, limit) {
+  const found = findGroupWithOptions(repNode.value)
+  if (!found) return null
+
+  const { options } = found
+
+  // Collect all literal chars from all alternatives
+  let allSameChar = true
+  let firstChar = null
+
+  for (let i = 0; i < options.length; i++) {
+    const opt = options[i]
+    const prefix = getLiteralPrefix(opt)
+    if (prefix.length === 0) {
+      allSameChar = false
+      break
+    }
+    for (let j = 0; j < prefix.length; j++) {
+      if (firstChar === null) firstChar = prefix[j]
+      if (prefix[j] !== firstChar) allSameChar = false
+    }
+  }
+
+  // If all alternatives are sequences of the same character, replace with char+
+  if (allSameChar && firstChar !== null) {
+    const newRep = {
+      type: types.REPETITION,
+      min: repNode.min,
+      max: repNode.max === null ? Infinity : repNode.max,
+      value: { type: types.CHAR, value: firstChar }
+    }
+    return newRep
+  }
+
+  // General prefix overlap (e.g., ab|abc) cannot be safely rewritten as a
+  // regex. Optional groups like (?:ab(?:c)?)+ still create the same
+  // exponential partitioning paths. These patterns require a non-regex
+  // parser or a fundamentally different approach.
+  return null
+}
+
+/**
+ * Checks whether a pattern's AST ends with one or more literal characters,
+ * possibly preceded by anchor positions ($). A static suffix constrains
+ * backtracking because the engine must match those exact characters at the end.
+ *
+ * E.g., `(a+)+y` has static suffix 'y'; `(a+)+y$` also has suffix 'y'.
+ *
+ * @param {*} node - Root AST node
+ * @returns {boolean}
+ */
+function detectStaticSuffix (node) {
+  const stack = node.stack || node.value?.stack
+  if (!stack || stack.length === 0) return false
+
+  // Walk backwards from the end, skipping anchor positions
+  for (let i = stack.length - 1; i >= 0; i--) {
+    const child = stack[i]
+    if (child.type === types.POSITION) continue // skip $ ^ \b \B
+    if (child.type === types.CHAR || child.type === types.SET) return true
+    break
+  }
+  return false
+}
+
+/**
+ * Checks whether a pattern is anchored (starts with ^ and ends with $).
+ *
+ * @param {*} node - Root AST node
+ * @returns {boolean}
+ */
+function detectAnchored (node) {
+  const stack = node.stack || node.value?.stack
+  if (!stack || stack.length === 0) return false
+
+  let start = false
+  let end = false
+
+  if (stack[0].type === types.POSITION && stack[0].value === '^') start = true
+  const last = stack[stack.length - 1]
+  if (last.type === types.POSITION && last.value === '$') end = true
+
+  return start && end
+}
+
+// ── Analyze / risk scoring ───────────────────────────────────────────
+
+/**
+ * Maps diagnostic data to a severity level.
+ *
+ * Severity levels:
+ * - none:     No issues detected
+ * - low:      Minor issues (e.g., many repetitions but no nesting)
+ * - high:     Significant risk (nested repetition or alternation overlap)
+ * - critical: Extreme risk (deeply nested repetition, multiple factors)
+ *
+ * Mitigating factors (anchoring, static suffix) reduce severity by one level.
+ *
+ * @param {object} info - Diagnostic information from walkAnalyze
+ * @returns {string} Severity level
+ */
+function assessSeverity (info) {
+  const { starHeight, repCount, limit, hasAlternation, anchored, hasStaticSuffix } = info
+
+  let severity = 'none'
+  let canMitigate = false
+
+  // Determine base severity from issues found
+  if (starHeight >= 3) {
+    severity = 'critical'
+  } else if (starHeight >= 2) {
+    severity = 'high'
+    canMitigate = true
+  } else if (hasAlternation) {
+    severity = 'high'
+    canMitigate = true
+  } else if (repCount > limit * 2) {
+    severity = 'high'
+  } else if (repCount > limit) {
+    severity = 'low'
+  }
+
+  // Mitigating factors (anchoring, static suffix) only reduce severity
+  // for structural ReDoS (nested rep, alternation), not rep-count issues
+  if (canMitigate && severity !== 'critical') {
+    const mitigations = (anchored ? 1 : 0) + (hasStaticSuffix ? 1 : 0)
+    if (mitigations >= 1) {
+      if (severity === 'high') severity = 'low'
+    }
+  }
+
+  return severity
+}
+
+/**
+ * Walks the AST collecting diagnostics for severity assessment.
+ * Unlike walk() which short-circuits on first problem, this function
+ * continues traversal to collect full diagnostic data.
+ *
+ * @param {*} node - Current AST node
+ * @param {object} info - Diagnostic accumulator
+ * @param {number} info.starHeight - Current repetition nesting depth
+ * @param {number} info.maxStarHeight - Maximum star height seen
+ * @param {number} info.repCount - Total repetition count
+ * @param {number} info.limit - Repetition limit
+ */
+function walkAnalyze (node, info) {
+  if (!node || typeof node !== 'object') return
+
+  if (node.type === types.REPETITION) {
+    info.starHeight++
+    if (info.starHeight > info.maxStarHeight) {
+      info.maxStarHeight = info.starHeight
+    }
+    info.repCount++
+    walkAnalyze(node.value, info)
+    info.starHeight--
+    return
+  }
+
+  // Check options (alternatives)
+  const options = node.options || node.value?.options
+  if (options) {
+    for (let i = 0; i < options.length; i++) {
+      walkAnalyze({ stack: options[i] }, info)
+    }
+  }
+
+  // Check stack (linear children)
+  const stack = node.stack || node.value?.stack
+  if (stack) {
+    for (let i = 0; i < stack.length; i++) {
+      walkAnalyze(stack[i], info)
+    }
+  }
+}
+
+/**
+ * Analyzes a regular expression and returns a detailed risk assessment
+ * including severity level, diagnostic data, and suggested fix.
+ *
+ * @param {string|RegExp} re - Regular expression to analyze
+ * @param {object} [options]
+ * @param {number} [options.limit=25] - Maximum repetitions allowed
+ * @returns {{
+ *   safe: boolean,
+ *   severity: string,
+ *   reasons: string[],
+ *   starHeight: number,
+ *   repCount: number,
+ *   hasAlternationReDoS: boolean,
+ *   anchored: boolean,
+ *   hasStaticSuffix: boolean,
+ *   fix: string|null
+ * }}
+ */
+function analyze (re, options) {
+  const limit = options?.limit ?? 25
+
+  let source
+  if (isRegExp(re)) source = re.source
+  else if (typeof re !== 'string') source = String(re)
+  else source = re
+
+  let ast
+  try {
+    ast = parse(source)
+  } catch (err) {
+    return {
+      safe: false,
+      severity: 'high',
+      reasons: ['Invalid regex syntax: ' + err.message],
+      starHeight: 0,
+      repCount: 0,
+      hasAlternationReDoS: false,
+      anchored: false,
+      hasStaticSuffix: false,
+      fix: null
+    }
+  }
+
+  // Collect diagnostics
+  const info = {
+    starHeight: 0,
+    maxStarHeight: 0,
+    repCount: 0,
+    limit
+  }
+
+  walkAnalyze(ast, info)
+
+  // Check alternation ReDoS separately (uses existing functions)
+  const hasAlternation = findOverlappingAlternatives(ast)
+
+  // Check anchoring and suffix directly on the AST
+  const anchored = detectAnchored(ast)
+  const hasStaticSuffix = detectStaticSuffix(ast)
+
+  // Build severity
+  const severity = assessSeverity({
+    starHeight: info.maxStarHeight,
+    repCount: info.repCount,
+    limit,
+    hasAlternation,
+    anchored,
+    hasStaticSuffix
+  })
+
+  // Build reasons
+  const reasons = []
+  if (info.maxStarHeight >= 2) {
+    reasons.push('Nested repetition detected (star height ' + info.maxStarHeight + ')')
+  }
+  if (hasAlternation) {
+    reasons.push('Alternatives with overlapping prefixes inside quantifier')
+  }
+  if (info.repCount > limit) {
+    reasons.push('Exceeded repetition limit: ' + info.repCount + ' > ' + limit)
+  }
+
+  const safe = severity === 'none'
+
+  // Try to fix if unsafe
+  let fix = null
+  if (!safe) {
+    const fixResult = fixRegex(source, { limit })
+    if (fixResult.fixed) fix = fixResult.fixed
+  }
+
+  return {
+    safe,
+    severity,
+    reasons,
+    starHeight: info.maxStarHeight,
+    repCount: info.repCount,
+    hasAlternationReDoS: hasAlternation,
+    anchored,
+    hasStaticSuffix,
+    fix
+  }
+}
+
+module.exports = safeRegex
+module.exports.default = safeRegex
+module.exports.safeRegex = safeRegex
+module.exports.fix = fixRegex
+module.exports.analyze = analyze

package/package.json

@@ -0,0 +1,91 @@
+{
+  "name": "@rezalabs/safe-regex2",
+  "version": "6.0.0",
+  "description": "Detect and fix catastrophic backtracking (ReDoS) in regular expressions with severity scoring and auto-fix",
+  "main": "index.js",
+  "type": "commonjs",
+  "types": "types/index.d.ts",
+  "publishConfig": {
+    "access": "public"
+  },
+  "bin": {
+    "safe-regex2": "bin/safe-regex2.js"
+  },
+  "dependencies": {
+    "@rezalabs/ret": "^1.0.0"
+  },
+  "devDependencies": {
+    "c8": "^11.0.0",
+    "eslint": "^9.17.0",
+    "neostandard": "^0.13.0",
+    "tstyche": "^7.0.0"
+  },
+  "scripts": {
+    "lint": "eslint",
+    "lint:fix": "eslint --fix",
+    "test": "npm run test:unit && npm run test:typescript",
+    "test:typescript": "tstyche",
+    "test:unit": "c8 --100 node --test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/rezalabs/safe-regex2.git"
+  },
+  "bugs": {
+    "url": "https://github.com/rezalabs/safe-regex2/issues"
+  },
+  "homepage": "https://github.com/rezalabs/safe-regex2",
+  "funding": [
+    {
+      "type": "github",
+      "url": "https://github.com/sponsors/rezalabs"
+    },
+    {
+      "type": "opencollective",
+      "url": "https://opencollective.com/fastify"
+    }
+  ],
+  "keywords": [
+    "catastrophic",
+    "exponential",
+    "regex",
+    "regexp",
+    "redos",
+    "safe",
+    "security",
+    "backtracking",
+    "star-height",
+    "auto-fix",
+    "lint"
+  ],
+  "author": "RezaLabs",
+  "contributors": [
+    {
+      "name": "James Halliday",
+      "comment": "Original safe-regex package"
+    },
+    {
+      "name": "Matteo Collina",
+      "email": "hello@matteocollina.com",
+      "comment": "safe-regex2 fork maintainer (fastify)"
+    },
+    {
+      "name": "Gürgün Dayıoğlu",
+      "email": "hey@gurgun.day",
+      "url": "https://heyhey.to/G"
+    },
+    {
+      "name": "James Sumners",
+      "url": "https://james.sumners.info"
+    },
+    {
+      "name": "Frazer Smith",
+      "email": "frazer.dev@icloud.com",
+      "url": "https://github.com/fdawgs"
+    }
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=14"
+  }
+}

package/types/index.d.ts

@@ -0,0 +1,30 @@
+type SafeRegexOptions = { limit?: number }
+
+type FixResult = {
+  safe: boolean
+  fixed: string | null
+  original: string
+}
+
+type AnalyzeResult = {
+  safe: boolean
+  severity: 'none' | 'low' | 'high' | 'critical'
+  reasons: string[]
+  starHeight: number
+  repCount: number
+  hasAlternationReDoS: boolean
+  anchored: boolean
+  hasStaticSuffix: boolean
+  fix: string | null
+}
+
+type SafeFn = {
+  (re: string | RegExp, opts?: SafeRegexOptions): boolean
+  safeRegex: SafeFn
+  fix: (re: string | RegExp, opts?: SafeRegexOptions) => FixResult
+  analyze: (re: string | RegExp, opts?: SafeRegexOptions) => AnalyzeResult
+  default: SafeFn
+}
+
+declare const _: SafeFn
+export = _