safe-regex MIT 9 versions

safe-regex

npm Repository Homepage

detect possibly catastrophic, exponential-time regular expressions

Versions

MIT

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

davisjam

Keywords

catastrophicexponentialregexsafesandbox

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): Version 0.0.0 is a legitimate initial release by substack, a highly trusted npm publisher. Package has been in registry 12+ years with proper metadata and repo.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established 12-year-old package published before Sigstore provenance was available on npm; absence is expected and not a risk signal.	ai	2026/04/21
dependencies	unvetted-dep:regexp-tree	AI (dependencies): regexp-tree is a legitimate, well-known regex analysis library; its use is appropriate and expected for a ReDoS detection utility like safe-regex.	ai	2026/04/21

Versions (showing 9 of 9)

Version	Deps	Published
2.1.1	1 / 1	2019-10-21
2.1.0	1 / 1	2019-10-21
2.0.2	1 / 1	2019-02-25
2.0.1	1 / 1	2018-11-02
2.0.0	1 / 1	2018-10-26
1.1.0	1 / 1	2015-03-19
1.0.0	1 / 1	2015-02-06
0.0.1	1 / 1	2013-11-22
0.0.0	1 / 1	2013-07-13