compose-regexp
Build and compose maintainable regular expressions in JavaScript.
Regular expressions don't do justice to regular grammars: think `ed` and `grep`. This makes complex RegExps hard to read, debug and modify...

compose-regexp to the rescue!

It doesn't make regular grammars more powerful, they are still fundamentally limited, but since they are ubiquitous, we may as well have better tooling to implement them...
```sh
$ npm install --save compose-regexp
```

```javascript
import {
  sequence, either, capture,
  ref, greedy, flags, avoid
} from "compose-regexp"; // can be required too

// the example that made me write this, in order to ~lex JS.
// It matches braces in source code, but skips comments and strings.
let matcher = flags('gm',
  either(
    sequence(
      capture(/['"`]/),
      greedy('*', // a greedy zero-or-more repetition
        either(
          sequence('\\', ref(1)),
          '\\\\',
          sequence(avoid(ref(1)), /[\s\S]/)
        )
      ),
      ref(1)
    ),
    sequence(
      '/*',
      greedy('*',
        avoid('*/'),
        /[\s\S]/
      ),
      '*/'
    ),
    sequence('//', /[^\n]*\n/),
    capture(either(/[{}]/, '}}'))
  )
);

// matcher:
/(?:(['"`])(?:(?:\\\1|\\\\|(?!\1)[\s\S]))*\1|\/\*(?:(?!\*\/)[\s\S])*\*\/|\/\/[^\n]*\n|((?:[{}]|\}\})))/gm

// The most astute among you may have noticed that regexes in the subject string
// would still trip that parser. Not perfect, but still useful.
```
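As an added example (not part of the README or of compose-regexp), here is the matcher above, copied verbatim as a regex literal, run over a constructed JavaScript snippet. The `findBraces` helper and both sample inputs are constructed for this illustration; the second sample reproduces the regex-literal limitation the comment mentions, where a quote inside `/"/` is read as the start of a string and the braces after it are swallowed.

```javascript
// Added example, not part of compose-regexp: exercise the README's brace
// matcher (regex literal copied from the README output) on constructed input.
const matcher = /(?:(['"`])(?:(?:\\\1|\\\\|(?!\1)[\s\S]))*\1|\/\*(?:(?!\*\/)[\s\S])*\*\/|\/\/[^\n]*\n|((?:[{}]|\}\})))/gm;

// findBraces (constructed helper): returns the brace tokens the matcher reports
// (capture group 2) and the string/comment spans it consumed and skipped.
function findBraces(source) {
  const braces = [];
  const skipped = [];
  matcher.lastIndex = 0; // a /g regex keeps state between calls; reset it
  let m;
  while ((m = matcher.exec(source)) !== null) {
    if (m[2] !== undefined) {
      braces.push({ token: m[2], index: m.index });
    } else {
      skipped.push(m[0]); // a string literal or a comment; braces inside are ignored
    }
  }
  return { braces, skipped };
}

// Constructed sample: every brace inside a string or comment must be skipped.
const sample = [
  'function f(x) {',
  '  const s = "not a { brace";   // comment with } brace',
  '  /* block { comment */',
  '  const t = `template \\` with { escaped backtick`;',
  '  return {a: x};',
  '}',
  '', // trailing newline so the last line comment ("//...\n") can close
].join('\n');

// Constructed sample for the README's own caveat: the quote inside the regex
// literal /"/ opens a "string" that only closes at the quote in the comment,
// so the object literal's braces in between are never reported.
const regexLiteralSample = 'const re = /"/; const o = {}; // "\n';

const result = findBraces(sample);
console.log('braces:', result.braces.map((b) => b.token).join(' '));   // { { } }
console.log('skipped spans:', result.skipped.length);                  // 4
console.log('braces seen after a regex literal:',
  findBraces(regexLiteralSample).braces.length);                       // 0
```

The first call reports exactly the four structural braces and four skipped spans (one string, one line comment, one block comment, one template literal with an escaped backtick); the second reports none, which is the blind spot to keep in mind before relying on this matcher for anything that must be precise, such as scanning untrusted source.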
The regexp parameters of these functions can be either RegExps or strings. Special characters in strings are escaped, so that '.*' is equivalent to /\.\*/.
Therefore:

```javascript
> sequence('.', '*').source
'\\.\\*'
```

The flags of intermediate regexps are ignored, and always reset to false unless set by flags().

```javascript
> flags('gm', /a/)
/a/gm
```

```javascript
> either(/a/, /b/, /c/)
/(?:a|b|c)/
```

```javascript
> sequence(/a/, /b/, /c/)
/abc/
```

```javascript
> group(/a/, /b/, /c/)
/(?:abc)/
```

```javascript
> lookAhead(/a/, /b/, /c/)
/(?=abc)/
```

Negative look ahead:

```javascript
> avoid(/a/, /b/, /c/)
/(?!abc)/
```

Valid suffixes: ?, *, +, {n}, {n,} and {m, n}.

```javascript
> greedy("*", either(/a/, /b/, /c/))
/(?:a|b|c)*/
> maybe = greedy('?'); maybe(either('a', 'b'))
/(?:a|b)?/
```

Like greedy() but for non-greedy operators (??, *?, +?, {n}?, {n,}? and {m, n}?).

```javascript
> frugal("{1,3}", either(/a/, /b/, /c/))
/(?:a|b|c){1,3}?/
```

```javascript
> capture(/a/, /b/, /c/)
/(abc)/
```

```javascript
> ref(1)
/\1/
```
Caveat emptor, references are absolute. Therefore, refs may be broken if you compose two regexps that use captures.
```javascript
stringMatcher = sequence(
  capture(/['"`]/),
  greedy('*', // a greedy zero-or-more repetition
    either(
      sequence('\\', ref(1)),
      '\\\\',
      sequence(avoid(ref(1)), /[\s\S]/)
    )
  ),
  ref(1)
)

whooops = sequence(
  capture('foo'),
  stringMatcher
)
```

In whooops, the ref(1) in stringMatcher actually refers to foo, not the opening quote.
Fixing this would require an approach far more complex than what I'm doing now (concat the regexps source).
This tool is very simple under the hood and its output is not optimised for either size or speed. For example, you may find that some non-capturing groups are superfluous. Getting rid of these would require parsing the regexps under the hood to simplify them, and it is beyond the scope of this project at this time.
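To make the two preceding points concrete, here is an added example that is not compose-regexp's own code: a hypothetical, minimal composer built the way the README describes (escape strings, take the `.source` of RegExps, concatenate, wrap in non-capturing groups). Its function names mirror the README's API only for readability. It rebuilds `stringMatcher` and `whooops`, shows the misbehaviour caused by absolute backreferences, and then shows a workaround of my own (not from the README): under plain source concatenation, group numbers are assigned left to right, so placing the component that uses `ref()` before any other capture keeps its references valid.

```javascript
// Added example, NOT compose-regexp's implementation: a hypothetical mini
// composer that concatenates escaped sources, used to show why absolute
// backreferences break when two capturing components are combined.
function escapeString(s) {
  return s.replace(/[.*+?^${}()|\[\]\\\/]/g, '\\$&');
}
// Strings are taken literally; RegExps contribute their source unchanged.
function src(part) {
  return part instanceof RegExp ? part.source : escapeString(part);
}
function sequence(...parts) { return new RegExp(parts.map(src).join('')); }
function either(...parts) { return new RegExp('(?:' + parts.map(src).join('|') + ')'); }
function capture(...parts) { return new RegExp('(' + parts.map(src).join('') + ')'); }
function greedy(suffix, ...parts) { return new RegExp('(?:' + parts.map(src).join('') + ')' + suffix); }
function avoid(...parts) { return new RegExp('(?!' + parts.map(src).join('') + ')'); }
function flags(f, ...parts) { return new RegExp(parts.map(src).join(''), f); }
// ref() emits an absolute group number; that is the root of the caveat.
function ref(n) { return new RegExp('\\' + n); }

// The README's string matcher, rebuilt with the mini composer.
const stringMatcher = sequence(
  capture(/['"`]/),
  greedy('*', either(sequence('\\', ref(1)), '\\\\', sequence(avoid(ref(1)), /[\s\S]/))),
  ref(1)
);

// The README's "whooops": capture('foo') becomes group 1, so every ref(1)
// inside stringMatcher now points at "foo" instead of the opening quote.
const whooops = sequence(capture('foo'), stringMatcher);

// Constructed workaround (my suggestion, not from the README): put the
// component that uses ref() first, so its capture stays group 1.
const fixed = sequence(stringMatcher, capture('foo'));

// check(): the observable consequences on constructed inputs.
function check() {
  return {
    stringMatcherClosed: stringMatcher.test('"abc"'),        // true
    stringMatcherOpen: stringMatcher.test('"abc'),           // false
    whooopsRejectsClosedString: whooops.test('foo"abc"'),    // false: wants "foo" as the closer
    whooopsAcceptsFooTerminated: whooops.test('foo"abcfoo'), // true: the quote never has to close
    fixedAcceptsClosedString: fixed.test('"abc"foo'),        // true
    fixedRejectsOpenString: fixed.test('"abcfoo'),           // false
  };
}

console.log(whooops.source); // (foo)(['"`])(?:(?:\\\1|\\\\|(?!\1)[\s\S]))*\1
console.log(check());
```

The printed source also shows the superfluous nested `(?:...)` that the paragraph above mentions: the mini composer, like the real tool, wraps each `either` and each `greedy` in its own group without simplifying. The workaround only holds for composition by concatenation with a single `ref()`-using component; two such components in one expression would still need the renumbering approach the README describes as out of scope.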
The MIT License (MIT)
Copyright (c) 2016 Pierre-Yves Gérardy
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
A set of functions to build and compose complex regular expressions
The npm package compose-regexp receives a total of 683 weekly downloads. As such, compose-regexp popularity was classified as not popular.
We found that compose-regexp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.