Fix possible regex dos vulnerability.

[patsplat]

Fix possible regex dos vulnerability.

Reported via: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7753
Adapted solution from: http://blog.stevenlevithan.com/archives/faster-trim-javascript

[joshbressers]

Your patch works as expected, here is me running the reproducer against the old and new packages

node test.js
Old time (milliseconds): 2175
New time (milliseconds):2

[Trott]

Hi, @patsplat. Thanks for this. I don't have write access to this repo (maybe @tj / @jonathanong / @ForbesLindesay / @yields might see fit to change that?) but @tj was kind of enough to give me access to the package on npm, so I've publish 0.0.2 with this change (and then quickly published 0.0.3 because I failed to update components.json for 0.0.2). Take a look (since the code/package is very small and easily auditable) and then, if it looks good to you, maybe close this issue?

[Trott]

Hi, @patsplat. Thanks for this. I don't have write access to this repo (maybe @tj / @jonathanong / @ForbesLindesay / @yields might see fit to change that?) but @tj was kind of enough to give me access to the package on npm, so I've publish 0.0.2 with this change (and then quickly published 0.0.3 because I failed to update components.json for 0.0.2). Take a look (since the code/package is very small and easily auditable) and then, if it looks good to you, maybe close this issue?

Oh, and if you want to audit the changes via GitHub, it's in my fork at https://github.com/Trott/trim.

[joshbressers]

This is awesome, thanks for the quick help all!

[joshbressers]

To clarify my previous post. I tested the new trim, it works as expected.

node test.js
Old time (milliseconds): 5
New time (milliseconds):1

[patsplat]

@joshbressers thanks for validating the fix.

@tj Thanks for providing @Trott with npm access.

@Trott Thanks for patching. Looks great!