ESLint Plugin No Unsafe Regex

1.0.0 verified Sat Apr 25 auth: no javascript

ESLint plugin that disallows potentially unsafe regular expressions. Version 1.0.0, stable. Uses the `safe-regex` library to detect regex patterns vulnerable to ReDoS attacks, such as nested quantifiers. Integrates as an ESLint plugin with a single rule, `no-unsafe-regex/no-unsafe-regex`. Differs from other regex lint rules by focusing solely on security and performance, not style. Only validates regex literals and `RegExp` constructor calls with literal arguments. Regular maintenance, no known issues.

error Error: Cannot find module 'safe-regex'
cause Missing dependency safe-regex.
fix Run 'npm install safe-regex' or check node_modules.

error Configuration for rule "no-unsafe-regex" is invalid: Definition for rule 'no-unsafe-regex' was not found.
cause Rule used without plugin prefix or plugin not registered.
fix Use 'no-unsafe-regex/no-unsafe-regex' and add 'no-unsafe-regex' to plugins.

error ESLint couldn't find the plugin "eslint-plugin-no-unsafe-regex".
cause Plugin not installed or wrong name in plugins array.
fix Install via npm and use short name 'no-unsafe-regex' in plugins.

gotcha The plugin only validates regex literals (e.g., /pattern/) and RegExp constructor calls with literal string arguments. It does not validate regexes created from variables or dynamic strings.
fix Avoid building unsafe patterns dynamically, or review dynamically built regexes manually.

gotcha The rule may produce false positives for complex but safe regex patterns, as the underlying safe-regex library uses a heuristic.
fix If a false positive is encountered, consider disabling the rule for that specific line using an ESLint comment.

deprecated This plugin has not been updated since 2015 and may not be compatible with newer ESLint versions.
fix Consider using eslint-plugin-security instead, which also covers unsafe regex.

npm install eslint-plugin-no-unsafe-regex
yarn add eslint-plugin-no-unsafe-regex
pnpm add eslint-plugin-no-unsafe-regex

Configures ESLint to use the no-unsafe-regex plugin and enable its rule as an error.

module.exports = {
  plugins: ['no-unsafe-regex'],
  rules: {
    'no-unsafe-regex/no-unsafe-regex': 'error'
  }
};
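
Because the rule skips patterns assembled from variables, a runtime check at the point where a dynamic pattern is compiled can cover that gap. The following is an added example, not code from the plugin or from `safe-regex`: `hasNestedQuantifier` and `compileChecked` are hypothetical names, and the check is a simplified nested-quantifier heuristic that counts only `*`, `+` and `{n,}` as repeats.

```javascript
// Added example: simplified nested-quantifier check for patterns built at
// runtime. Not safe-regex's code; only *, + and {n,} count as repeats here.
function hasNestedQuantifier(source) {
  const stack = [{ quant: false }]; // one frame per open group, plus the root
  let lastGroup = null;             // frame of the group closed just before i
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    const top = stack[stack.length - 1];
    const open = /^\{\d+,\}/.exec(source.slice(i)); // {n,} has no upper bound
    if (ch === '*' || ch === '+' || open) {
      // Unbounded repeat applied to a group that already repeats inside.
      if (lastGroup && lastGroup.quant) return true;
      top.quant = true;
      if (open) i += open[0].length - 1;
      lastGroup = null;
      continue;
    }
    lastGroup = null;
    if (ch === '\\') {
      i++; // the escaped character is a literal atom
    } else if (ch === '[') {
      // Skip the character class; quantifier characters inside are literals.
      for (i++; i < source.length && source[i] !== ']'; i++) {
        if (source[i] === '\\') i++;
      }
    } else if (ch === '(') {
      stack.push({ quant: false });
    } else if (ch === ')' && stack.length > 1) {
      lastGroup = stack.pop();
      const parent = stack[stack.length - 1];
      parent.quant = parent.quant || lastGroup.quant;
    }
  }
  return false;
}

// Hypothetical wrapper for call sites the lint rule cannot see.
function compileChecked(source, flags) {
  if (hasNestedQuantifier(source)) {
    throw new Error('rejected regex with nested quantifiers: ' + source);
  }
  return new RegExp(source, flags); // still throws SyntaxError if malformed
}

// Constructed sample: the pattern is assembled from parts, so the rule,
// which only inspects literals, would not report it.
const part = '(a+)';
const dynamicSource = part + '+$';
```

Like the library's heuristic, this check can reject patterns that are in fact safe, so treat a rejection as a prompt for manual review.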