Lightweight package to detect unsafe regex patterns and prevent ReDoS.
Resafe is a mathematical ReDoS detection engine that uses Thompson NFA construction, epsilon transition elimination, and spectral radius analysis to detect exponential backtracking vulnerabilities. By analyzing the automaton's adjacency matrix eigenvalues, Resafe determines if a regex has exponential growth patterns without executing test strings.
import { check } from "resafe";
check("(a+)+$");
/*
x [Resafe] Unsafe pattern: /(a+)+$/
! Spectral radius: 4.0 (threshold: 1.0)
Simplify regex structure to eliminate exponential paths
*/- Pure Mathematical Analysis: Thompson NFA construction with spectral radius computation
- Deterministic Detection: Analyzes automaton structure, not pattern matching heuristics
- Spectral Radius: Detects exponential growth when eigenvalue > 1.0
- Fast Analysis: Average analysis time <1ms per pattern
# Using Bun (Recommended)
bun add resafe
# Using NPM
npm install resafe
# Using Yarn
yarn add resafeBy default, Resafe logs warnings and errors to the console if a pattern is unsafe.
import { check } from "resafe";
check(/([a-zA-Z0-9]+)*$/);Prevent unsafe regex from being used by throwing an error.
import { check } from "resafe";
const safeRegex = check("^[0-9]+$", {
throwErr: true,
silent: true
});Configure detection threshold.
import { check } from "resafe";
check("a+a+", {
threshold: 1.5
});Regular expressions are powerful but can be a security bottleneck. A single poorly crafted regex can freeze a Node.js/Bun event loop. Resafe helps you:
- Educate: Developers learn why a regex is bad through the "Solution" hints.
- Automate: Run checks during CI/CD to catch ReDoS early.
- Secure: Stop malicious or accidental "Catastrophic Backtracking" patterns.