Safe-regex is a valuable npm package for developers concerned about regular expression denial-of-service (ReDoS) vulnerabilities. It analyzes regular expressions to detect patterns that could potentially lead to catastrophic backtracking and exponential execution time, helping developers avoid performance bottlenecks and security risks in their applications. The package is lightweight and easy to integrate, adding an extra layer of defense against malicious or poorly written regular expressions.
Comparing versions 2.0.0 and 2.0.1, the core functionality remains consistent, focusing on detecting potentially problematic regex patterns. Both versions rely on regexp-tree (version ~0.0.85) for regular expression parsing and analysis, and use tape (version ^3.5.0) for development-time testing. The key changes between the two versions are internal optimizations and bug fixes that affect how the analysis is performed; consistent with this, version 2.0.1 has a slightly larger unpacked size (6466 bytes compared to 6297 bytes in version 2.0.0), suggesting code refinements and enhancements. Released a week apart (October 26th and November 2nd, 2018), the newer version reflects a quick iterative improvement.
For developers, upgrading to version 2.0.1 is recommended due to the potential for enhanced accuracy in detecting ReDoS vulnerabilities and improved stability. While the API remains unchanged, the underlying analysis engine may have been refined to catch more edge cases or provide fewer false positives. Always prioritize using the latest, thoroughly tested version to ensure the most robust protection against ReDoS attacks in your projects.
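As an added illustration (not code from safe-regex or from this page), the following JavaScript implements a simplified star-height check of the kind safe-regex performs: it reports the deepest nesting of unbounded quantifiers, the shape behind catastrophic backtracking. It assumes patterns without lookbehind or named groups, and the flag threshold of 1 is an assumption chosen for the example, not safe-regex's own default.

```javascript
// Added example (not safe-regex's own code): a simplified star-height check.
// Star height = deepest nesting of unbounded quantifiers (*, +, {n,}), the shape
// behind catastrophic backtracking, e.g. (a+)+. Assumed: no lookbehind or named
// groups, and a flag limit of 1 (safe-regex's own default may differ).
const STAR_HEIGHT_LIMIT = 1;
function starHeight(pattern) {
  // Each frame holds the height of the last atom and the max seen in the group.
  const stack = [{ last: 0, max: 0 }];
  const top = () => stack[stack.length - 1];
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    const rest = pattern.slice(i);
    if (c === '\\') { top().last = 0; i += 2; continue; } // escape = one atom
    if (c === '[') {                                       // class = one atom
      let j = i + 1;
      if (pattern[j] === '^') j++;
      if (pattern[j] === ']') j++;                         // leading ] is literal
      while (j < pattern.length && pattern[j] !== ']') j += pattern[j] === '\\' ? 2 : 1;
      top().last = 0; i = j + 1; continue;
    }
    if (c === '(') {
      stack.push({ last: 0, max: 0 });
      i += 1;
      if (pattern[i] === '?') i += 2;                      // skip (?: (?= (?!
      continue;
    }
    if (c === ')') {
      const group = stack.pop();
      top().last = group.max;                              // group is parent's last atom
      top().max = Math.max(top().max, group.max);
      i += 1; continue;
    }
    const unbounded = c === '*' || c === '+' || /^\{\d+,\}/.test(rest);
    const bounded = c === '?' || /^\{\d+(,\d+)?\}/.test(rest); // {n}, {n,m}: not counted
    if (unbounded || bounded) {
      i += c === '{' ? rest.indexOf('}') + 1 : 1;
      if (pattern[i] === '?') i += 1;                      // lazy suffix adds no level
      if (unbounded) { top().last += 1; top().max = Math.max(top().max, top().last); }
      continue;
    }
    top().last = 0; i += 1;                                // ordinary literal, | or anchor
  }
  return stack[0].max;
}
const isSafe = (pattern, limit = STAR_HEIGHT_LIMIT) => starHeight(pattern) <= limit;
for (const p of ['^(a+)+$', '^[a-z]+@[a-z]+\\.[a-z]{2,}$']) {
  console.log(p, 'starHeight', starHeight(p), isSafe(p) ? 'ok' : 'RISKY');
}
```

Star height is a heuristic: a pattern such as (a|aa)+ has height 1 yet still backtracks exponentially on overlapping alternatives, so treat a pass as necessary rather than sufficient and keep input-length limits in place.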
All vulnerabilities related to version 2.0.1 of the package
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument "--foo.__proto__.bar baz" adds a "bar" property with value "baz" to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.