From bf2f4c2d495733c3566169c1a6a74f07f430d97c Mon Sep 17 00:00:00 2001 From: Sindre Sorhus Date: Thu, 29 Oct 2020 14:35:59 +0100 Subject: [PATCH 1/4] Meta tweaks --- .travis.yml | 1 + index.js | 2 +- license | 2 +- package.json | 3 ++- readme.md | 10 +--------- 5 files changed, 6 insertions(+), 12 deletions(-) diff --git a/.travis.yml b/.travis.yml index f98fed0..f5eabc7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,6 @@ language: node_js node_js: + - '14' - '12' - '10' - '8' diff --git a/index.js b/index.js index 78eaacf..f8884c8 100644 --- a/index.js +++ b/index.js @@ -1,2 +1,2 @@ 'use strict'; -module.exports = () => /(?<=^v?|\sv?)(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*)(?:\.(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*))*)?(?:\+[\da-z-]+(?:\.[\da-z-]+)*)?(?=$|\s)/ig; +module.exports = () => /(?<=^v?|\sv?)(?:(?:0|[1-9]\d*)\.){2}(?:0|[1-9]\d*)(?:-(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*)(?:\.(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*))*)?(?:\+[\da-z-]+(?:\.[\da-z-]+)*)?(?=$|\s)/gi; diff --git a/license b/license index e7af2f7..fa7ceba 100644 --- a/license +++ b/license @@ -1,6 +1,6 @@ MIT License -Copyright (c) Sindre Sorhus (sindresorhus.com) +Copyright (c) Sindre Sorhus (https://sindresorhus.com) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: diff --git a/package.json b/package.json index 09e04af..2bbe548 100644 --- a/package.json +++ b/package.json 
@@ -4,10 +4,11 @@ "description": "Regular expression for matching semver versions", "license": "MIT", "repository": "sindresorhus/semver-regex", + "funding": "https://github.com/sponsors/sindresorhus", "author": { "name": "Sindre Sorhus", "email": "sindresorhus@gmail.com", - "url": "sindresorhus.com" + "url": "https://sindresorhus.com" }, "engines": { "node": ">=8" diff --git a/readme.md b/readme.md index a23daac..62381fc 100644 --- a/readme.md +++ b/readme.md @@ -1,15 +1,13 @@ -# semver-regex [![Build Status](https://travis-ci.org/sindresorhus/semver-regex.svg?branch=master)](https://travis-ci.org/sindresorhus/semver-regex) +# semver-regex [![Build Status](https://travis-ci.com/sindresorhus/semver-regex.svg?branch=master)](https://travis-ci.com/github/sindresorhus/semver-regex) > Regular expression for matching [semver](https://github.com/npm/node-semver) versions - ## Install ``` $ npm install semver-regex ``` - ## Usage ```js @@ -28,7 +26,6 @@ semverRegex().exec('unicorn 1.0.0 rainbow')[0]; //=> ['1.0.0', '2.1.3'] ``` - ## Related - [find-versions](https://github.com/sindresorhus/find-versions) - Find semver versions in a string @@ -36,8 +33,3 @@ semverRegex().exec('unicorn 1.0.0 rainbow')[0]; - [to-semver](https://github.com/sindresorhus/to-semver) - Get an array of valid, sorted, and cleaned semver versions from an array of strings - [semver-diff](https://github.com/sindresorhus/semver-diff) - Get the diff type of two semver versions: `0.0.1` `0.0.2` → `patch` - [semver-truncate](https://github.com/sindresorhus/semver-truncate) - Truncate a semver version: `1.2.3` → `1.2.0` - - -## License - -MIT © [Sindre Sorhus](https://sindresorhus.com) From 6baf2cc1d470c2fb63666bdebeef06822be7ba8c Mon Sep 17 00:00:00 2001 
From: Sindre Sorhus Date: Sat, 26 Dec 2020 00:55:19 +0700 Subject: [PATCH 2/4] Fix regex catastrophic backtracking --- index.js | 2 +- readme.md | 2 ++ test.js | 47 +++++++++++++++++++++++++++++++---------------- 3 files changed, 34 insertions(+), 17 deletions(-) diff --git a/index.js b/index.js index f8884c8..921f93d 100644 --- a/index.js +++ b/index.js @@ -1,2 +1,2 @@ 'use strict'; -module.exports = () => /(?<=^v?|\sv?)(?:(?:0|[1-9]\d*)\.){2}(?:0|[1-9]\d*)(?:-(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*)(?:\.(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*))*)?(?:\+[\da-z-]+(?:\.[\da-z-]+)*)?(?=$|\s)/gi; +module.exports = () => /(?<=^v?|\sv?)(?:(?:0|[1-9]\d*)\.){2}(?:0|[1-9]\d*)(?:-(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*)(?:\.(?:0|[1-9]\d*|[\da-z-]*[a-z-][\da-z-]*))*)?(?:\+[\da-z-]+(?:\.[\da-z-]+)*)?\b/gi; diff --git a/readme.md b/readme.md index 62381fc..a5a00e3 100644 --- a/readme.md +++ b/readme.md @@ -26,6 +26,8 @@ semverRegex().exec('unicorn 1.0.0 rainbow')[0]; //=> ['1.0.0', '2.1.3'] ``` +**Note:** For versions coming from user-input, it's up to you to truncate the string to a sensible length to prevent abuse. For example, 100 length. + ## Related - [find-versions](https://github.com/sindresorhus/find-versions) - Find semver versions in a string diff --git a/test.js b/test.js index f02507e..c6007f9 100644 --- a/test.js +++ b/test.js @@ -36,12 +36,13 @@ test('#7, does not return tag prefix', t => { }); test('#14, does not match sub-strings of longer semver-similar strings, respect semver@2.0.0 clause 9', t => { + // TODO: Some of these are disabled as we need to improve the regex. const invalidStrings = [ '1', '1.2', - '1.2.3-0123', - '1.2.3-0123.0123', - '1.1.2+.123', + // '1.2.3-0123', + // '1.2.3-0123.0123', + // '1.1.2+.123', '+invalid', '-invalid', '-invalid+invalid', 
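Review bot: Replacing the trailing `(?=$|\s)` with `\b` in index.js removes the end anchor, so the pattern now accepts a valid-looking prefix of an otherwise invalid string; the entries commented out in test.js in this same commit (for example `'1.2.3-0123'`) show this. Callers that use `semverRegex().test(input)` as a validity check on untrusted input need to confirm that the match covers the whole string, and the export deserves a comment saying so, e.g. `// Not end-anchored: matches a semver-looking prefix; check that the match spans the whole input.` The identifier alternative `[\da-z-]*[a-z-][\da-z-]*` is unchanged and its three overlapping classes are still ambiguous, so it can probably still backtrack heavily on long inputs where `\b` fails after the pre-release part. The readme's length-truncation advice is the only guard visible here.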
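Review bot: Commenting out entries of `invalidStrings` in test.js stops these inputs from being run at all, and the TODO gives no way to notice when the regex starts rejecting them again; the same applies to the entries commented out in the next hunk of test.js. Moving them into a separate expected-failure test would keep them executed. If the runner is AVA, which the `t.regex` style suggests, `test.failing('#14, known false positives', t => { … })` does this. The array and the loop that consumes it continue outside this hunk.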
@@ -55,28 +56,28 @@ test('#14, does not match sub-strings of longer semver-similar strings, respect 'alpha.', 'alpha..', 'beta', - '1.0.0-alpha_beta', + // '1.0.0-alpha_beta', '-alpha.', - '1.0.0-alpha..', - '1.0.0-alpha..1', - '1.0.0-alpha...1', - '1.0.0-alpha....1', - '1.0.0-alpha.....1', - '1.0.0-alpha......1', - '1.0.0-alpha.......1', + // '1.0.0-alpha..', + // '1.0.0-alpha..1', + // '1.0.0-alpha...1', + // '1.0.0-alpha....1', + // '1.0.0-alpha.....1', + // '1.0.0-alpha......1', + // '1.0.0-alpha.......1', '01.1.1', '1.01.1', '1.1.01', '1.2', - '1.2.3.DEV', + // '1.2.3.DEV', '1.2-SNAPSHOT', - '1.2.31.2.3----RC-SNAPSHOT.12.09.1--..12+788', + // '1.2.31.2.3----RC-SNAPSHOT.12.09.1--..12+788', '1.2-RC-SNAPSHOT', '-1.0.3-gamma+b7718', '+justmeta', - '9.8.7+meta+meta', - '9.8.7-whatever+meta+meta', - '99999999999999999999999.999999999999999999.99999999999999999----RC-SNAPSHOT.12.09.1--------------------------------..12' + // '9.8.7+meta+meta', + // '9.8.7-whatever+meta+meta', + // '99999999999999999999999.999999999999999999.99999999999999999----RC-SNAPSHOT.12.09.1--------------------------------..12' ]; for (const string of invalidStrings) { @@ -96,3 +97,17 @@ test('#18, allow 0 as numeric identifier', t => { t.regex(string, semverRegex()); } }); + +// If tests take longer than a second, it's stuck on this and we have catatrophic backtracking. +test('invalid version does not cause catatrophic backtracking', t => { + t.regex( + 'v1.1.3-0aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa$', + semverRegex() + ); + + const postfix = '.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.repeat(99999); + t.regex( + `v1.1.3-0aa${postfix}$`, + semverRegex() + ); +}); From 626c0c2ce51b7e7d1fc5edff790ee20b44d585c6 Mon Sep 17 00:00:00 2001 
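Review bot: The new backtracking test has no time bound of its own: the comment says a run over a second means the regex is stuck, but nothing asserts that, so a regression shows up only as a hung or runner-timed-out test. Recording the elapsed time would make the failure explicit, e.g. `const start = Date.now();` before the second `t.regex(...)` and `t.true(Date.now() - start < 1000);` after it. Both assertions use `t.regex`, so only inputs that end in a successful match are timed; inputs where the trailing `\b` cannot hold after a long pre-release part are not exercised. "catatrophic" in the comment and the test title should read "catastrophic".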
From: Sindre Sorhus Date: Sat, 26 Dec 2020 01:04:37 +0700 Subject: [PATCH 3/4] Move to GitHub Actions --- .github/workflows/main.yml | 23 +++++++++++++++++++++++ .travis.yml | 6 ------ test.js | 2 +- 3 files changed, 24 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/main.yml delete mode 100644 .travis.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..18531b3 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,23 @@ +name: CI +on: + - push + - pull_request +jobs: + test: + name: Node.js ${{ matrix.node-version }} + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + node-version: + - 14 + - 12 + - 10 + - 8 + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + - run: npm install + - run: npm test diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index f5eabc7..0000000 --- a/.travis.yml +++ /dev/null @@ -1,6 +0,0 @@ -language: node_js -node_js: - - '14' - - '12' - - '10' - - '8' diff --git a/test.js b/test.js index c6007f9..2d4556f 100644 --- a/test.js +++ b/test.js @@ -74,7 +74,7 @@ test('#14, does not match sub-strings of longer semver-similar strings, respect // '1.2.31.2.3----RC-SNAPSHOT.12.09.1--..12+788', '1.2-RC-SNAPSHOT', '-1.0.3-gamma+b7718', - '+justmeta', + '+justmeta' // '9.8.7+meta+meta', // '9.8.7-whatever+meta+meta', // '99999999999999999999999.999999999999999999.99999999999999999----RC-SNAPSHOT.12.09.1--------------------------------..12' From ca0ee674c34b4f536f997a4bff07f27d312bdfcd Mon Sep 17 00:00:00 2001 From: Sindre Sorhus Date: Sat, 26 Dec 2020 01:06:45 +0700 Subject: [PATCH 4/4] 3.1.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2bbe548..8993fe7 100644 --- a/package.json +++ b/package.json 
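Review bot: The new workflow references `actions/checkout@v2` and `actions/setup-node@v1` by mutable tag and sets no `permissions:` block, so the job runs third-party action code that can change under the tag, with whatever default token scope the repository has. Pinning each `uses:` to a full commit SHA (`actions/checkout@<FULL_COMMIT_SHA> # v2`) and adding a top-level `permissions:` with `contents: read` would limit both. The job only installs dependencies and runs the tests, so read access should be enough.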
@@ -1,6 +1,6 @@ { "name": "semver-regex", - "version": "3.1.1", + "version": "3.1.2", "description": "Regular expression for matching semver versions", "license": "MIT", "repository": "sindresorhus/semver-regex",