url-regex @5.0.0
Regular expression for matching URLs
Maintainers
Keywords
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| tlds | ^1.203.0 | auto_approved |
| ip-regex | ^4.1.0 | auto_approved |
Dev Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| xo | ^0.24.0 | No greenflagged match |
| ava | ^1.4.1 | auto_approved |
| tsd | ^0.7.2 | auto_approved |
Transitive Dependency Tree
Changes from v3.2.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | tlds | ^1.203.0 |
| changed | ip-regex | ^1.0.1 → ^4.1.0 |
File Changes
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-v4rh-8p82-6h5w | osv | reject | AI | AI (osv): HIGH severity ReDoS (CVSS 7.5) affects all versions of url-regex including 5.0.0; no fix exists. Verdict generalizes to all versions. |
SAST Findings (3)
This version was published by a different npm account than previous versions on 2019-04-21. This could indicate a legitimate maintainer transition or an account compromise.
CVSS 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: all versions of url-regex are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker providing a very long string to String.test can cause a denial of service.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 63. Findings: 2 high (+50), 1 medium (+10), 1 low (+3).
Commit: 9f0450b59906
Published to npm: