[GHSA-6g33-8w2q-4hxv] robots-txt-guard Inefficient Regular Expression Complexity vulnerability by Wenxin-Jiang · Pull Request #7452 · github/advisory-database

Wenxin-Jiang · 2026-04-20T14:41:02Z

Updates

Comments

Fix commit c03827cd shipped in 1.0.0: the commit itself bumps package.json from 0.2.1 → 1.0.0 (it's the release commit, not a post-release fix).
1.0.0 lib/patterns.js line 41 already contains .split(/*+/) — the exact fix.
1.0.1 and 1.0.2 lib/patterns.js are byte-identical (sha256 3dcd68…).
The 1.0.0 → 1.0.1 diff is a non-security refactor: wraps the regex path in if (pattern.includes('*') || pattern.endsWith('$')) and adds a startsWith fast path for literal patterns. Same .split(/*+/)
— no ReDoS change.

Improve GHSA-6g33-8w2q-4hxv

584348e

github-actions bot changed the base branch from main to Wenxin-Jiang/advisory-improvement-7452 April 20, 2026 14:42

Provide feedback