Regolith

A server-side TypeScript and JavaScript library that is immune to Regular Expression Denial of Service (ReDoS) attacks by using Rust and linear Regex under the hood. Regolith has a linear worst-case time complexity, compared to the default RegExp found in TypeScript and JavaScript, which has an exponential worst case.

Motivation: I wanted a Regex library for TypeScript and JavaScript where I didn't have to worry about ReDoS attacks.

Important: Regolith is still early in development! We need help building and getting developer adoption!

Drop-in Replacement

Regolith attempts to be a drop-in replacement for RegExp and requires minimal (to no) changes to be used instead. The goal of Regolith is to allow developers to easily build software that is immune to ReDoS attacks.

Preventing ReDoS Attacks

What are ReDoS attacks?

Regular Expression Denial of Service (ReDoS) attacks occur when vulnerable Regex patterns are executed with specifically constructed inputs that result in inefficient execution. This can be exploited to make services unavailable, because they are stuck trying to compute the inefficient Regex.

Read more: owasp.org & learn.snyk.io

Exponential Worst Case

Python's execution time increases exponentially in the worst case. The same is true of TypeScript and JavaScript: both use RegExp, which has an exponential worst case.

Linear vs Exponential Regex Libraries

This table shows popular languages and whether their Regex library has a linear worst case or an exponential worst case. It also includes experimental results for how long execution took for a vulnerable Regex pattern that can be attacked with ReDoS and an input of size 30. Note that TypeScript and JavaScript do not have a linear worst case for Regex, making them vulnerable to these types of attacks.
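To make the linear versus exponential distinction concrete, the following added example (not code from Regolith or its README) counts the work done by a backtracking search and by a state-set simulation over the same toy automaton. The pattern ^(a+)+$, the inputs, and the names backtrackMatch, linearMatch and compare are constructed for illustration; this is a simplified model, not the internals of any real engine.

```javascript
// Toy NFA for the constructed sample pattern ^(a+)+$ (not taken from Regolith).
// State 0: start. State 1: at least one 'a' consumed; accepting at end of input.
// From state 1 an 'a' can either continue the inner a+ or begin a new outer
// repetition: two distinct edges that land in the same state.
const EDGES = [
  { from: 0, ch: 'a', to: 1 },
  { from: 1, ch: 'a', to: 1 }, // stay inside the inner a+
  { from: 1, ch: 'a', to: 1 }, // close the group and start another repetition
];
const ACCEPT = new Set([1]);

// Backtracking search: tries each edge in turn and recurses, so the same
// (state, position) pair is re-explored once per path that reaches it.
function backtrackMatch(input) {
  let steps = 0;
  const visit = (state, i) => {
    steps++;
    if (i === input.length) return ACCEPT.has(state);
    return EDGES.some(e => e.from === state && e.ch === input[i] && visit(e.to, i + 1));
  };
  const matched = visit(0, 0);
  return { matched, steps };
}

// State-set simulation: advances every live state together, so each
// (state, position) pair is processed at most once.
function linearMatch(input) {
  let steps = 0;
  let live = new Set([0]);
  for (const ch of input) {
    const next = new Set();
    for (const state of live) {
      steps++;
      for (const e of EDGES) if (e.from === state && e.ch === ch) next.add(e.to);
    }
    live = next;
    if (live.size === 0) break; // no live states left: the match has failed
  }
  return { matched: [...live].some(s => ACCEPT.has(s)), steps };
}

// Constructed input: n 'a' characters followed by one character that cannot match.
function compare(n) {
  const input = 'a'.repeat(n) + '!';
  return { n, backtrack: backtrackMatch(input).steps, linear: linearMatch(input).steps };
}
```

Each extra 'a' in the failing input doubles the backtracking step count, while the state-set count grows by one, so input length is a safe thing to accept only in the second model.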
More information and images: Jake Roggenbuck - Preventing ReDoS Attacks - 2025

Impact

Note: ReDoS attacks happen relatively frequently to popular libraries costing millions of ho...
First seen: 2025-08-27 03:20
Last seen: 2025-08-27 11:22