Description
ESLint version
v9.29.0
What problem do you want to solve?
ESLint is widely used in many different contexts; inputs (files) are extremely varied and in some contexts only semi-trusted (e.g. SaaS vendors in the software quality space running it). One challenge with handling this variety is writing robust regular expressions - especially ones that avoid superlinear runtimes.
What do you think is the correct solution?
Use eslint-plugin-regexp to lint regular expressions in official ESLint projects to avoid problematic regular expressions. My primary recommendation is to follow this guide to help avoid regular expressions with superlinear runtimes. However, other rules, especially possible errors, may be of interest too.
While these rules can't catch all regular expressions with superlinear runtimes, they're pretty good at not flagging false positives (with the exception of cases where the input is somehow "sanitized" before it reaches the regular expression).
Participation
- I am willing to submit a pull request for this change.
Additional comments
This has been discussed before in GHSA-xffm-g5w8-qvg7.
You may also want to take a look at eslint/rewrite#240 and eslint/markdown#463.