James C. (Jamie) Davis
> move safe-regex to a GitHub org? If so, I have several other lightweight analyses that I can contribute to `safe-regex`. - They are in pure JS and can run...
> We should discuss if scanning using some of these tools is something we should suggest as best practice when putting together a module. These tools could also be incorporated...
@zeke > cc substack would you be willing to move safe-regex to a GitHub org? I now have publish rights to safe-regex.
@mikesamuel Yes, that should work. In many projects I think regexes are statically declared and easy to get at, but this idea would be helpful in projects that use dynamically-generated...
1. I have only studied common dependencies (i.e. npm modules). Applications are hard to come by. If you happen to have a large set of applications I'd love to chat....
@jonschlinkert wrote in #2 [here](https://github.com/jonschlinkert/to-regex/pull/2#issuecomment-429609288): > edit: out of curiosity, what is your overall opinion about how star height is calculated by safe-regex? Last time I reviewed ret, the library...
1. I'm having some trouble understanding the use case (beyond a matter of principle: "The OS offers execve, so does [Python](https://docs.python.org/2/library/os.html#process-management), why doesn't Node.js?"). > I would like a means...
Here is a somewhat more minimal example I have independently identified.

| Input | `/(a)\d*\.?\d+\b/` | `/a\d*\.?\d+\b/` |
|--|-------------------|----------------|
| `a0.0c` | Matches substring `a0.0` | Matches substring `a0` |

...
@ziishaned I can prepare a PR with a small section about backtracking if you would be interested. Let me know.
@hoangnam2261 To avoid the backtracking, you need to give the regex engine clear boundary points that it won't backtrack past. For example, this regex is vulnerable: `(a+)+$`, but this one...
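The two recurring points in the comments above, how star height is computed for a regex (the safe-regex discussion) and why `(a+)+$` backtracks catastrophically, can be made concrete in a few lines. The following is an added example and is not code from this thread, from safe-regex, or from ret. It assumes a simplified definition of star height in which only unbounded quantifiers (`*`, `+`, `{n,}`) raise the height, while `?` and bounded `{n,m}` do not; safe-regex's own walk over ret's AST may count repetitions differently. The function names `starHeight`, `matchMillis` and `evilInput` are this example's own.

```javascript
// Added example (not code from the original thread, safe-regex, or ret): a
// simplified star-height calculator plus a backtracking timing probe.
// Assumption: only unbounded quantifiers (*, +, {n,}) raise star height;
// `?` and bounded {n,m} do not. This is a teaching approximation, not
// safe-regex's own algorithm.
'use strict';

// Returns the star height of a regex source string: the deepest nesting of
// unbounded quantifiers. '(a+)+' -> 2, 'a+' -> 1, 'a?' -> 0.
function starHeight(source) {
  // One frame per open group: `height` is the max star height seen inside
  // the group so far, `last` is the star height of the most recent atom.
  const stack = [{ height: 0, last: 0 }];
  const top = () => stack[stack.length - 1];
  const bump = () => {            // an unbounded quantifier wraps `last`
    const f = top();
    f.last += 1;
    f.height = Math.max(f.height, f.last);
  };
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') {             // escaped atom such as \d or \. (height 0)
      top().last = 0; i += 2; continue;
    }
    if (c === '[') {              // character class: one atom, skip to ']'
      let j = i + 1;
      if (source[j] === '^') j++;
      if (source[j] === ']') j++;
      while (j < source.length && source[j] !== ']') {
        if (source[j] === '\\') j++;
        j++;
      }
      top().last = 0; i = j + 1; continue;
    }
    if (c === '(') {              // open group; skip (?: (?= (?! prefixes
      stack.push({ height: 0, last: 0 });
      i++;
      if (source[i] === '?') i += 2;
      continue;
    }
    if (c === ')') {              // the closed group becomes the previous atom
      if (stack.length === 1) throw new Error('unbalanced ) at ' + i);
      const group = stack.pop();
      top().last = group.height;
      i++; continue;
    }
    if (c === '*' || c === '+') { // unbounded quantifier
      bump();
      i++;
      if (source[i] === '?') i++; // lazy modifier
      continue;
    }
    if (c === '{') {              // {n} and {n,m} are bounded; {n,} is not
      const close = source.indexOf('}', i);
      const body = close === -1 ? '' : source.slice(i + 1, close);
      if (/^\d+,$/.test(body)) bump();
      i = close === -1 ? i + 1 : close + 1;
      if (source[i] === '?') i++;
      continue;
    }
    // '?' (optional), '|', anchors and literals: height-0 atoms or separators
    top().last = 0;
    i++;
  }
  if (stack.length !== 1) throw new Error('unbalanced (');
  return stack[0].height;
}

// Wall-clock cost of one test() call, in milliseconds.
function matchMillis(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed attack input for `(a+)+$`: a run of 'a' ending in a character
// the anchor rejects, so every way of splitting the run is tried.
function evilInput(n) {
  return 'a'.repeat(n) + 'b';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const src of ['(a+)+$', 'a+$', '(a|aa)+$', '(a)\\d*\\.?\\d+\\b']) {
    console.log(src, 'star height', starHeight(src));
  }
  for (const n of [16, 20, 22]) {
    console.log(n, 'chars:',
      'vulnerable (a+)+$', matchMillis(/(a+)+$/, evilInput(n)).toFixed(1), 'ms;',
      'safe a+$', matchMillis(/a+$/, evilInput(n)).toFixed(1), 'ms');
  }
}
```

Running it shows the `(a+)+$` timings roughly doubling with each extra `a` while `a+$` stays flat. The caveat a practitioner should keep in mind is that star height is only a heuristic: `(a|aa)+$` has star height 1 under this definition yet also backtracks exponentially on the same inputs, because the alternation offers two ways to consume each `a`. That gap is one reason the comments above discuss complementing safe-regex with other analyses.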