Lightweight package to detect unsafe regex patterns and prevent ReDoS.
Resafe is a mathematical ReDoS detection engine that uses Thompson NFA construction, epsilon transition elimination, and spectral radius analysis to detect exponential backtracking vulnerabilities. By analyzing the automaton's adjacency matrix eigenvalues, Resafe determines if a regex has exponential growth patterns without executing test strings.
- Pure Mathematical Analysis: Thompson NFA construction with spectral radius computation
- Deterministic Detection: Analyzes automaton structure, not pattern matching heuristics
- Spectral Radius: Detects exponential growth when eigenvalue > 1.0
- Fast Analysis: Average analysis time <1ms per pattern
# Using Bun
bun add resafe |
# Using NPM
npm install resafe |
# Using Yarn
yarn add resafe |
Simple pattern check |
import { check } from "resafe";
check(/([a-zA-Z0-9]+)*$/); |
Production-safe pattern validation |
import { check } from "resafe";
const safeRegex = check("^[0-9]+$", {
throwErr: true,
silent: true
}); |
Custom threshold configuration |
import { check } from "resafe";
check("a+a+", {
threshold: 1.5
}); |
Regular expressions are powerful but can be a security bottleneck. A single poorly crafted regex can freeze a Node.js/Bun event loop. Resafe helps you:
- Educate: Developers learn why a regex is bad through the "Solution" hints.
- Automate: Run checks during CI/CD to catch ReDoS early.
- Secure: Stop malicious or accidental "Catastrophic Backtracking" patterns.