From d8ba39a528c1027c43ab23f12eec28ca4d40dd0c Mon Sep 17 00:00:00 2001
From: Sindre Sorhus
Date: Thu, 12 May 2022 17:31:11 +0700
Subject: [PATCH] Fix ReDoS vulnerability
---
 index.js | 2 +-
 package.json | 2 +-
 test.js | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 3421c1e..a017a72 100644
--- a/index.js
+++ b/index.js
@@ -1,3 +1,3 @@
 export default function semverRegex() {
- return /(?:(?<=^v?|\sv?)(?:(?:0|[1-9]\d{0,9})\.){2}(?:0|[1-9]\d{0,9})(?:-(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?){0,100}(?:\.(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?))*?){0,100}(?:\+[\da-z-]+?(?:\.[\da-z-]+?)*?){0,100}\b){1,200}/gi;
+ return /(?:(?<=^v?|\sv?)(?:(?:0|[1-9]\d{0,9}?)\.){2}(?:0|[1-9]\d{0,9}?)(?:-(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?){0,100}?(?:\.(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?))*?){0,100}?(?:\+[\da-z-]+?(?:\.[\da-z-]+?)*?){0,100}?\b){1,200}?/gi;
 }
diff --git a/package.json b/package.json
index 74769f4..1fb38bf 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
 "semantic"
 ],
 "devDependencies": {
- "ava": "^3.15.0",
+ "ava": "^4.2.0",
 "tsd": "^0.14.0",
 "xo": "^0.39.1"
 }
diff --git a/test.js b/test.js
index af2e385..0984a27 100644
--- a/test.js
+++ b/test.js
@@ -119,4 +119,12 @@ test('invalid version does not cause catatrophic backtracking', t => {
 const difference = Date.now() - start;
 t.true(difference < 10, `Execution time: ${difference}`);
 }
+
+ for (let index = 1; index <= 20; index++) {
+ const start = Date.now();
+ const fixture = `0.0.1-${'-.--'.repeat(index)} `;
+ semverRegex().test(fixture);
+ const difference = Date.now() - start;
+ t.true(difference < 10, `Execution time: ${difference}`);
+ }
 });
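Review bot: Making the pre-release and build repetitions lazy (the two `{0,100}?` before `\b` on the new `return` line) narrows what the regex matches, not only how long it runs: the engine now tries zero pre-release/build groups first, and `\b` already holds between the last patch digit and a following `-` or `+`, so as far as I can trace the pattern `semverRegex().exec('1.0.0-alpha')[0]` becomes `'1.0.0'` where the old line yielded `'1.0.0-alpha'`. Callers that extract versions rather than merely test strings would silently lose the pre-release/build suffix, and the timing test in test.js only calls `.test()`, so it cannot catch this. I would pin the intended match with `t.is(semverRegex().exec('1.0.0-alpha+build')[0], '1.0.0-alpha+build');` and, if it fails, keep those two outer repetitions greedy (`{0,100}` with the bound intact) while relying on the remaining lazy quantifiers and the `{0,100}`/`{1,200}` caps for the backtracking budget, re-running the timing tests afterward. A short comment above the return, e.g. `// Bounded repetition counts and lazy quantifiers are deliberate ReDoS mitigations; keep both when editing this pattern.`, would stop a later edit from undoing either property.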
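Review bot: The new loop asserts `difference < 10` on `Date.now()`, a wall-clock bound that a loaded CI runner or a GC pause can exceed even when matching is linear, so this regression check will be flaky rather than a dependable ReDoS guard. A sturdier shape is to time each fixture with `process.hrtime.bigint()` and assert that the cost at `index = 20` stays within a small constant factor of the cost at `index = 1`, which exposes super-linear growth without depending on an absolute millisecond budget. The added body also repeats the preceding loop line for line apart from the fixture, so a small helper such as `const assertFast = fixture => { /* time semverRegex().test(fixture) and assert */ };` called from both loops would keep the two checks in sync. The opening of the enclosing `test()` callback lies above this hunk.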