The no-unsafe-regex rule is annoying

[sindresorhus]

It matches way too many regexes to be useful. And it's unclear what's wrong with the regexes and how to fix it.

It matches simple regex like:

https://github.com/xojs/stylelint-config-xo/blob/9c49d0bbf96a433ec6b2eef83875acadd26ba78f/index.js#L4

eslint-plugin-unicorn/rules/throw-new-error.js

Line 4 in d04af50

const customError = /^(?:[A-Z][a-z\d]*)*Error$/;

eslint-plugin-unicorn/rules/no-abusive-eslint-disable.js

Line 4 in d04af50

const disableRegex = /^eslint-disable(-next-line|-line)?($|(\s+(@[\w-]+\/[\w-]+\/)?[\w-]+)?)/;

And many many more.

---

IssueHunt Summary

fisker has been rewarded.

Backers (Total: $60.00)

• issuehunt ($60.00)

Submitted pull Requests

• #2135 Deprecate no-unsafe-regex rule

---

Tips

• Checkout the Issuehunt explorer to discover more funded issues.
• Need some help from other developers? Add your repositories on IssueHunt to raise funds.

[sindresorhus]

// @bdougherty

[sindresorhus]

The safe-regex module also seems unmaintained, so not a great start.

For this plugin to be useful it needs to pinpoint exactly where in the regex the problem lies, and suggest how it could be fixed, ideally with --fix support.

It could maybe use regexp-tree.

[bdougherty]

Based on what I was reading about the regexes that it's looking for (primarily http://www.regular-expressions.info/catastrophic.html), I'm not sure that there is an automated way to fix them.

But I agree that it should give some indication of what the issue is, I'm just not sure how to do that exactly. I'll mess around with it and see if I can come up with anything.

[IssueHuntBot]

@IssueHunt has funded $60.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[Jessidhia]

Even a trivial regular expression like /\./, which should have a star height of 0, is enough to trip the rule. It's possible it's just an incompatibility with the u flag, though.

Arguably this regexp does not need u, but there is a good reason for using u on all regexps: it disables Annex B features.

[devinrhode2]

safe-regex readme now says

WARNING: This module has both false positives and false negatives. Use vuln-regex-detector for improved accuracy.

Discussion on using this here:
eslint-community/eslint-plugin-security#28

I wonder if it's possible for one eslint plugin to pull in just one rule from another plugin

[mircowidmer]

Interestingly,

(( )?[0-9]){2}$ also raises the warning, (( )?[0-9])(( )?[0-9])$ does not. It seems to have to do with the repetition.

[issuehunt-oss]

@sindresorhus has rewarded $54.00 to @fisker. See it on IssueHunt

• 💰 Total deposit: $60.00
• 🎉 Repository reward(0%): $0.00
• 🔧 Service fee(10%): $6.00