npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@ericcornelissen/lregexp

v1.0.13

Published

Transparent linear-time (non-backtracking) regular expressions for libraries

Readme

lRegExp

Transparent linear-time (non-backtracking) regular expressions for libraries.

Usage

This package exports a drop-in replacement for the built-in RegExp (caveats apply).

  1. Install

    npm install @ericcornelissen/lregexp
  2. Import

    import RegExp from "@ericcornelissen/lregexp";
  3. Use

    new RegExp("[linear]{6}");

Runtimes

This package is compatible with Node.js, Deno, Bun, and major browsers. It only takes effect in V8-based runtimes (Node.js, Deno, Chromium-based browsers) when the experimental linear-time engine is enabled. Otherwise it falls back to the default RegExp constructor.

To enable the linear-time regular expression engine:

  • Node.js: use node --enable-experimental-regexp-engine entrypoint.js
  • Deno: use DENO_V8_FLAGS="--enable-experimental-regexp-engine" deno entrypoint.ts

Background

Why

Backtracking regular expressions can take exponential time to evaluate, leading to the dreaded ReDoS vulnerability. Linear-time regular expressions avoid this by not backtracking.

In V8-based runtimes, linear-time regular expressions can be created using the l flag provided the --enable-experimental-regexp-engine CLI option is used. This makes it difficult for library authors to tap into. Using this package, a library can use the RegExp constructor as usual and benefit from the linear time regular expression engine when its users enable it. If they don't, it gracefully falls back to the default constructor.

Caveats

Not all valid JavaScript regular expressions are supported when using the --enable-experimental-regexp-engine CLI option. This package won't tell you if your regular expressions are incompatible, unless you run it with that CLI option. If a regular expression is incompatible, the constructor will throw a SyntaxError.

To support users of this package in writing compatible regular expressions we're interested in:

  • an ESLint plugin to lint regular expressions and raise warnings for the use of regex features not supported by the non-backtracking engine; (#4)
  • a tool (CLI/web) to check a given regular expression for compatibility with the non-backtracking engine. (#21)

Example

A classic example of a ReDoS-vulnerable regular expression is (a*)*b. Using this with vanilla Node.js on a pathological input string takes quite some time, test it for yourself with (add an a and the runtime doubles):

node -e '/(a*)*b/.test("aaaaaaaaaaaaaaaaaaaaaaaaac")'

When the non-backtracking regular expression engine is enabled, the expression evaluates instantly:

node -e '/(a*)*b/l.test("aaaaaaaaaaaaaaaaaaaaaaaaac")' --enable-experimental-regexp-engine

Rewriting

The following are some suggestions for rewriting regular expressions from JavaScript's standard engine to the linear-time engine. These suggestions are not universally applicable and careful testing is still required.

  • Positive lookahead ((?=...)) when replacing

    Capture the lookahead and restore it (using $<n>) when replacing. For example: replace(/(a(?=b)/, "A") to replace(/a(b)/, "A$1").

  • Negative lookahead ((?!...)) when replacing

    Capture the lookahead, invert the match, add an end-of-string anchor ($), and restore it (using $<n>) when replacing. For example: replace(/(a(?!b)/, "A") to replace(/a([^b]|$)/, "A$1").

  • i flag when testing

    Write the regular expression to match lowercase strings and convert strings to lowercase (using .toLowerCase()) before matching them.

Testing

We recommend using differential testing using fast-check when rewriting regular expressions. You can use the following test example as a template:

// Run as: node --test --enable-experimental-regexp-engine rewrite_test.js

import { test } from "node:test";

import lRegExp from "@ericcornelissen/lregexp";
import * as fc from "fast-check";

test("rewritten regular expression", () => {
  const original = /old regular expression/;
  const rewritten = new lRegExp(/new regular expression/);

  fc.assert(
    fc.property(
      fc.oneof(
        // any old string, unlikely to match
        fc.string(), 

        // strings that should match (limited support)
        fc.stringMatching(original), 
      ),
      (s) => original.test(s) === rewritten.test(s)
    ),
  );
});

test("--enable-experimental-regexp-engine", () => {
  /ensures that the linear engine is enabled/l;
});

License

The source code is licensed under the MIT license, see LICENSE for the full license text. The documentation text is licensed under CC0-1.0; code snippets under the MIT-0 license.