spamscanner / url-regex-safe

Regular expression matching for URLs. Maintained, safe, and browser-friendly version of url-regex. Resolves CVE-2020-7661 for Node.js servers.

Home Page: https://forwardemail.net/docs/url-regex-javascript-node-js

Add option to not use `re2` even if it's in the dependency tree

sindresorhus opened this issue

Describe the feature

I want to use this package, but I never want to use the re2 package. However, the re2 package may be in node_modules even if I don't depend on it. So whether it's used is out of my control.

I have my own way of ensuring safety, and re2 is problematic, as the regex it returns is not a proper RegExp instance.

It would be useful with an option to force using normal RegExp.

Checklist

  • I have searched through GitHub issues for similar issues.
  • I have completely read through the README and documentation.

Will fix today, thanks for the suggestion

Hi @sindresorhus - apologies for the delay. We decided to do this in a way that wouldn't even require the package re2 if the user supplied the option re2: false, as opposed to doing an approach like this at top level root scope:

```js
const SafeRegExp = (() => {
  try {
    const RE2 = require('re2');
    return typeof RE2 === 'function' ? RE2 : RegExp;
  } catch {
    return RegExp;
  }
})();
```

Now instead this logic is conditionally loaded inside invocation, and if users want re2 and it's already loaded, it won't re-require it twice. This should be a much more performant solution (in terms of saving memory as well and not loading an extra library that you don't want in the first place, e.g. as you mentioned if it's already in node_modules but you don't want to use it).

We are wrapping up this implementation now and will publish a version shortly and ping you back!

v4.0.0 released with this, thank you @sindresorhus – simply pass re2: false

release notes @ https://github.com/spamscanner/url-regex-safe/releases/tag/v4.0.0

note: this version now requires node v14+
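
The lazy-loading behaviour described in the thread (load `re2` only inside the call, reuse it once loaded, skip it entirely for `re2: false`), as an added sketch that is not url-regex-safe's own source. `makeResolver`, `loadRe2`, `loadCount` and the `FakeRe2` stand-in are hypothetical names, and treating any value other than `false` as opt-in is an assumption.

```javascript
// Added illustration, not url-regex-safe's source. makeResolver, loadRe2,
// loadCount and FakeRe2 are hypothetical names.
function makeResolver(loadRe2 = () => require('re2')) {
  let cached; // undefined until the first load attempt, then RE2 or RegExp
  let loads = 0;

  function resolve(options = {}) {
    // Opt-out: return the native engine without touching the optional module.
    // The caller then owns protection against slow backtracking patterns.
    if (options.re2 === false) return RegExp;

    if (cached === undefined) {
      loads += 1;
      try {
        const RE2 = loadRe2();
        cached = typeof RE2 === 'function' ? RE2 : RegExp;
      } catch {
        cached = RegExp; // module missing or failed to load
      }
    }
    return cached;
  }

  resolve.loadCount = () => loads;
  return resolve;
}

function demo() {
  // Constructed stand-in for the optional engine: deliberately not a RegExp subclass.
  class FakeRe2 { constructor(source) { this.source = source; } }
  const resolve = makeResolver(() => FakeRe2);
  const optedOut = resolve({ re2: false });
  const loadsAfterOptOut = resolve.loadCount();
  const first = resolve();
  const second = resolve({ re2: true });
  const missing = makeResolver(() => { throw new Error('Cannot find module'); });

  return {
    loadsAfterOptOut,
    loadsAfterTwoCalls: resolve.loadCount(),
    optedOutIsNative: optedOut === RegExp,
    sameEngineReused: first === FakeRe2 && second === FakeRe2,
    nativeInstance: new optedOut('a+') instanceof RegExp,
    engineInstance: new first('a+') instanceof RegExp,
    missingFallsBack: missing() === RegExp,
  };
}

console.log(demo());
```

Code that type-checks patterns with `instanceof RegExp` only sees a native instance on the opt-out path, which is why the choice has to be explicit rather than decided by what happens to be in `node_modules`.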