James C. (Jamie) Davis

Results 71 comments of James C. (Jamie) Davis

> move safe-regex to a GitHub org? If so, I have several other lightweight analyses that I can contribute to `safe-regex`. - They are in pure JS and can run...

> We should discuss if scanning using some of these tools is something we should suggest as best practice when putting together a module. These tools could also be incorporated...

@zeke > cc substack would you be willing to move safe-regex to a GitHub org? I now have publish rights to safe-regex.

@mikesamuel Yes, that should work. In many projects I think regexes are statically declared and easy to get at, but this idea would be helpful in projects that use dynamically-generated...

1. I have only studied common dependencies (i.e. npm modules). Applications are hard to come by. If you happen to have a large set of applications I'd love to chat....

@jonschlinkert wrote in #2 [here](https://github.com/jonschlinkert/to-regex/pull/2#issuecomment-429609288): > edit: out of curiosity, what is your overall opinion about how star height is calculated by safe-regex? Last time I reviewed ret, the library...

1. I'm having some trouble understanding the use case (beyond a matter of principle: "The OS offers execve, so does [Python](https://docs.python.org/2/library/os.html#process-management), why doesn't Node.js?"). > I would like a means...

Here is a somewhat more minimal example I have independently identified.

| Input | `/(a)\d*\.?\d+\b/` | `/a\d*\.?\d+\b/` |
|--|-------------------|----------------|
| `a0.0c` | Matches substring `a0.0` | Matches substring `a0` |
...

@ziishaned I can prepare a PR with a small section about backtracking if you would be interested. Let me know.

@hoangnam2261 To avoid the backtracking, you need to give the regex engine clear boundary points that it won't backtrack past. For example, this regex is vulnerable: `(a+)+$`, but this one...