
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@stll/regex-set
Advanced tools
Single-pass multi-pattern regex for Node.js/Bun. Backtracking-immune, Unicode-aware Rust engine via NAPI-RS.
NAPI-RS bindings to Rust's regex-automata crate for Node.js and Bun.
Multi-pattern regex matching in a single pass. Backtracking-free on the main DFA path, with a targeted fallback for some lookaround cases. Built on the same regex engine that powers ripgrep.
npm install @stll/regex-set
# or
bun add @stll/regex-set
The companion @stll/regex-set-wasm package is
available for browser builds.
You do not need Vite to use @stll/regex-set in
Node.js or Bun. Vite is only relevant for the
browser/WASM companion package.
GitHub releases include npm tarballs, an SBOM, and third-party notices.
Prebuilts are available for:
| Platform | Architecture |
|---|---|
| macOS | x64, arm64 |
| Linux (glibc) | x64, arm64 |
| WASM | browser |
import { RegexSet } from "@stll/regex-set";
const rs = new RegexSet([
"\\d{2}\\.\\d{2}\\.\\d{4}", // dates
"\\+?\\d{9,12}", // phones
"[A-Z]{2}\\d{6}", // IDs
"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+", // emails
]);
rs.findIter("Born 15.03.1990, ID CZ123456");
// [
// { pattern: 0, start: 5, end: 15,
// text: "15.03.1990" },
// { pattern: 2, start: 20, end: 28,
// text: "CZ123456" },
// ]
// Quick check
rs.isMatch("call +420123456789"); // true
// Which patterns matched (not where)
rs.whichMatch("call +420123456789"); // [1]
// Replace all matches
rs.replaceAll("Born 15.03.1990, phone +420123456789", [
"[DATE]",
"[PHONE]",
"[ID]",
"[EMAIL]",
]);
// "Born [DATE], phone [PHONE]"
const rs = new RegexSet([
{ pattern: /\d{2}\.\d{2}\.\d{4}/, name: "date" },
{ pattern: /\+?\d{9,12}/, name: "phone" },
"[A-Z]{2}\\d{6}", // unnamed
]);
rs.findIter("Born 15.03.1990, ID CZ123456");
// [
// { pattern: 0, ..., name: "date" },
// { pattern: 2, ..., text: "CZ123456" },
// ← no `name` property on unnamed patterns
// ]
const rs = new RegexSet(patterns, {
// Only match whole words (default: false)
wholeWords: true,
// Unicode word boundaries (default: true)
// Treats accented letters, CJK, etc. as word
// characters. Auto UAX#29 for Thai/CJK.
// Set to false for JS RegExp ASCII parity.
unicodeBoundaries: true,
});
By default, \b uses Unicode semantics — correct
for all scripts. Set unicodeBoundaries: false for
JS RegExp ASCII parity:
// Default (Unicode \b): "čáp" is one word (CORRECT)
new RegexSet(["\\bp\\b"]).findIter("čáp");
// → [] (no match — p is inside a word)
// ASCII \b: "p" matches as standalone (WRONG)
new RegexSet(["\\bp\\b"], {
unicodeBoundaries: false,
}).findIter("čáp");
// → [{ text: "p" }]
// Unicode \b: "čáp" is one word (CORRECT)
new RegexSet(["\\bp\\b"], {
unicodeBoundaries: true,
}).findIter("čáp");
// → [] (no match — p is inside a word)
new RegexSet(["\\bčáp\\b"], {
unicodeBoundaries: true,
}).findIter("malý čáp letí");
// → [{ text: "čáp" }]
Implementation: edge \b is stripped from patterns
and verified inline per match (two char lookups).
The DFA never sees \b, so boundary verification
stays O(1) per match in either mode.
Lookahead and lookbehind are supported:
const rs = new RegexSet([
"(?<!\\p{L})IČO:\\s*[0-9]{8}", // lookbehind
"[0-9]{6}/[0-9]{3,4}(?![0-9])", // lookahead
]);
Internally, lookaround is stripped from patterns, the cores are compiled into a single fast DFA, and assertions are verified as inline char checks on each match. No backtracking engine is involved for simple assertions.
When a greedy quantifier (e.g., \s*) causes the DFA
to overshoot past a valid match boundary and the
lookahead rejects the longer match, the engine falls
back to fancy-regex for that specific match to
backtrack the quantifier and find the shorter valid
match. This fallback is slower on affected matches
but preserves correctness; patterns without
lookaround are unaffected.
The repository includes only public, reproducible
benchmark inputs and scripts in __bench__/.
Inputs:
Run them locally:
bun install
bun run build
bun run bench:download
bun run bench
bun run bench:fallback
Representative baseline from the checked-in public harness:
1.3.1026.4.1 (Darwin arm64)| Scenario | @stll/regex-set | JS RegExp | Relative |
|---|---|---|---|
| mariomka, 3 patterns, 6.2 MB | 19.08 ms | 102.67 ms | 5.4x faster |
Twain literal Twain, 16.0 MB | 9.47 ms | 1.21 ms | 0.13x |
Twain char class [a-z]shing, 16.0 MB | 10.38 ms | 8.01 ms | 0.77x |
Twain word boundary \\b\\w+nn\\b, 16.0 MB | 13.00 ms | 55.59 ms | 4.3x faster |
Twain alternation Tom|Sawyer|..., 16.0 MB | 9.20 ms | 20.77 ms | 2.3x faster |
Twain suffix [a-zA-Z]+ing, 16.0 MB | 15.79 ms | 91.93 ms | 5.8x faster |
| Bible, 5 patterns, 4.0 MB | 12.20 ms | 57.52 ms | 4.7x faster |
| Bible, 3 lookaround patterns, 4.0 MB | 25.93 ms | 77.33 ms | 3.0x faster |
Fallback-path microbenchmark in the same environment:
| Scenario | Time |
|---|---|
| baseline DFA, no lookaround | 0.168 ms |
| verifier present, no fallback | 0.134 ms |
verifier + fancy-regex fallback | 0.829 ms |
The benchmark harness covers:
fancy-regex fallback path| Method | Returns | Description |
|---|---|---|
new RegexSet(patterns, options?) | instance | Compile patterns |
.findIter(haystack) | Match[] | All non-overlapping matches |
.isMatch(haystack) | boolean | Any pattern matches? |
.whichMatch(haystack) | number[] | Which pattern indices matched |
.replaceAll(haystack, replacements) | string | Replace matches |
.patternCount | number | Number of patterns |
type PatternEntry =
| string
| RegExp
| { pattern: string | RegExp; name?: string };
type Options = {
wholeWords?: boolean;
unicodeBoundaries?: boolean;
};
type Match = {
pattern: number; // which regex matched
start: number; // UTF-16 code unit offset
end: number; // exclusive
text: string; // matched substring
name?: string; // pattern name (if provided)
};
Same Match type as
@stll/aho-corasick:
composable results, same UTF-16 offsets compatible
with String.prototype.slice().
Uses Rust regex syntax. Similar to PCRE but:
\d matches
Unicode digits, \w matches Unicode word chars)Full syntax: docs.rs/regex
Vite's dependency pre-bundler rewrites
import.meta.url, which breaks the relative
.wasm path emitted by the napi-rs loader. Import
the bundled plugin so the package is excluded from
pre-bundling:
// vite.config.ts
import stllWasm from "@stll/regex-set-wasm/vite";
export default {
plugins: [stllWasm()],
};
# Install dependencies
bun install
# Build native module (requires Rust toolchain)
bun run build
bun run build:js
# Run tests
bun test
bun run test:props
# Download benchmark corpora
bun run bench:download
# Run benchmark suites
bun run bench
bun run bench:fallback
# Lint & format
bun run lint
bun run format
# Rust quality gates
cargo clippy --all-targets --all-features -- -D warnings
cargo fmt --all -- --check
FAQs
Single-pass multi-pattern regex for Node.js/Bun. Backtracking-immune, Unicode-aware Rust engine via NAPI-RS.
The npm package @stll/regex-set receives a total of 224 weekly downloads. As such, @stll/regex-set popularity was classified as not popular.
We found that @stll/regex-set demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.