Use eslint-plugin-redos #1364
Conversation
It is an alternative to `eslint-plugin-redos-detector` and some of `eslint-plugin-regexp`'s rules. This plugin provides more accurate detection with fewer false positives than other plugins. In fact, we don't need to add the `eslint-disable-next-line` comment for this plugin.
Pull request overview
This PR adds eslint-plugin-redos as a new linting plugin to improve ReDoS (Regular Expression Denial of Service) detection. The plugin uses recheck as its backend detector, which provides more accurate detection with fewer false positives compared to existing plugins like eslint-plugin-redos-detector and eslint-plugin-regexp. The PR notes that this plugin successfully discovered the EMOJI_REGEX vulnerability (GHSA-vqpr-j7v3-hqw9).
Key Changes:
- Added `eslint-plugin-redos@4.6.0-beta.3` as a development dependency
- Configured the plugin in ESLint configuration with recommended flat config
- Added `recheck` and platform-specific dependencies to the lock file
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| library/package.json | Adds eslint-plugin-redos beta version as a devDependency |
| library/eslint.config.js | Imports and enables the redos plugin with recommended configuration |
| pnpm-lock.yaml | Updates lock file with new plugin and its dependencies including platform-specific recheck binaries |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
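To make concrete what a recheck-backed rule is looking for, here is an added example (my code, not the Valibot PR's and not part of eslint-plugin-redos): a regex with the classic nested-quantifier shape that I expect recheck to classify as exponential, a linear-time rewrite that accepts the same language, a constructed worst-case input, and a check that the rewrite agrees with the original on a constructed sample of inputs. The pattern, the sample strings and the `attackInput` helper are all my own choices; run the linter on the vulnerable constant to confirm the report for the plugin version you install.

```javascript
// Added example, not code from the Valibot PR or from eslint-plugin-redos.
// It shows the class of regex a recheck-backed linter reports as exponential,
// a linear-time rewrite, and a check that the rewrite accepts the same inputs.

// Vulnerable: a quantified group whose body can match the same run of
// characters in many ways. "aaaa" can be split as a|aaa, aa|aa, a|a|aa, ...
// and an input that fails at the end forces every split to be tried (2^n).
const VULNERABLE_WORDS = /^(\w+\s?)*$/;

// Rewrite accepting the same language: words separated by exactly one
// whitespace character, with at most one trailing whitespace. Each loop
// iteration must begin with \s, so there is only one way to consume a run
// of word characters and matching is linear in the input length.
const SAFE_WORDS = /^(?:\w+(?:\s\w+)*\s?)?$/;

// Constructed worst-case input: n word characters followed by a byte that
// is neither \w nor \s, so the anchored match can only fail.
function attackInput(n) {
  return "a".repeat(n) + "!";
}

// True when both regexes accept or both reject every input in the list.
function agreeOn(inputs) {
  return inputs.every((s) => VULNERABLE_WORDS.test(s) === SAFE_WORDS.test(s));
}

// Runs one test and returns the verdict together with the wall time in
// microseconds, so the blow-up is visible without an external tool.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const micros = Number((process.hrtime.bigint() - start) / 1000n);
  return { matched, micros };
}

// Constructed sample of legitimate and malformed inputs (hypothetical data).
const SAMPLES = ["", "hello world", "hello world ", "a\tb", "a  b", " a", "foo!", attackInput(8)];

console.log("rewrite agrees on samples:", agreeOn(SAMPLES));
for (const n of [10, 15, 20]) {
  const v = timeTest(VULNERABLE_WORDS, attackInput(n));
  const s = timeTest(SAFE_WORDS, attackInput(n));
  console.log(`n=${n} vulnerable: ${v.micros}us, rewrite: ${s.micros}us`);
}
```

The timing loop is only there so the growth is visible on a plain Node install; the property worth keeping in a test is `agreeOn`, which is what prevents a "safe" rewrite from quietly changing what the validator accepts.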
| "eslint": "^9.39.1", | ||
| "eslint-plugin-import": "^2.32.0", | ||
| "eslint-plugin-jsdoc": "^61.4.0", | ||
| "eslint-plugin-redos": "^4.6.0-beta.3", |
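Review bot: the caret range on a prerelease in the added line `"eslint-plugin-redos": "^4.6.0-beta.3"` does not behave like a caret range on a stable version. Under npm's semver rules a prerelease version only satisfies a range when the range names that same major.minor.patch tuple with a prerelease, so `^4.6.0-beta.3` admits 4.6.0-beta.4, 4.6.0 and later stable 4.x releases, but never 4.6.1-beta.1 or 4.7.0-beta.1; once the maintainers move on to further betas the install stays on whatever the lock file resolved. Either pin the exact version (`"eslint-plugin-redos": "4.6.0-beta.3"`) so the intent is visible, or leave the range and add a TODO to switch to the first stable release that supports flat config.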
Copilot AI Nov 26, 2025
The eslint-plugin-redos package has a Node.js engine requirement of >=20 (as seen in the pnpm-lock.yaml). Consider adding an engines field to package.json to enforce this requirement and prevent issues for developers using older Node versions:
`"engines": { "node": ">=20" }`
This will ensure compatibility with the new plugin's requirements.
| "eslint": "^9.39.1", | ||
| "eslint-plugin-import": "^2.32.0", | ||
| "eslint-plugin-jsdoc": "^61.4.0", | ||
| "eslint-plugin-redos": "^4.6.0-beta.3", |
Copilot AI Nov 26, 2025
[nitpick] This package is a beta version (4.6.0-beta.3). While the PR description mentions it successfully discovered a vulnerability (EMOJI_REGEX), beta versions may have stability issues or breaking changes. Consider:
- Monitoring for a stable release and upgrading once available
- Documenting this beta dependency and any known issues
- Adding a TODO/comment to track the beta status
If this is intentional for early access to improved ReDoS detection, consider adding a comment in the code explaining why the beta version is acceptable.
Only 4.6.0-beta supports ESLint flat config, so this version is required.
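For readers who want to see what the flat-config wiring referred to above looks like, here is an added example of an `eslint.config.js` (my code, not the file from this PR). It assumes the plugin's single rule is exposed as `redos/no-vulnerable` and registers the plugin explicitly rather than relying on a preset export; the `files` glob is a placeholder. Check the README of the plugin version you install before copying the rule name.

```javascript
// eslint.config.js (ESLint flat config). Added example, not the Valibot
// project's own configuration.
// Assumption: the plugin exports one rule named "redos/no-vulnerable".
import redos from "eslint-plugin-redos";

export default [
  {
    // Placeholder glob: adjust to the source tree being linted.
    files: ["src/**/*.ts"],
    plugins: { redos },
    rules: {
      // Fail the lint run on any regex literal the checker marks vulnerable,
      // so a ReDoS pattern cannot be merged without an explicit decision.
      "redos/no-vulnerable": "error",
    },
  },
];
```

Registering the plugin under the `redos` key is what makes the `redos/` prefix in the rule name resolve; the flat-config format has no `extends`, so a preset would be spread into the same array instead.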
Summary
`eslint-plugin-redos` is an alternative to `eslint-plugin-redos-detector` and some of `eslint-plugin-regexp`'s rules. This plugin utilizes `recheck` as its backend ReDoS detector, enabling more accurate detection with fewer false positives compared to other plugins. In fact, we don't need to add the `eslint-disable-next-line` comment for this plugin. Note that the `EMOJI_REGEX` vulnerability was discovered thanks to this plugin. Thank you.