Add ReCheck to CI? #602

@masklinn

Commit 6e65445 modified a bunch of regexes to try and implement ReDoS mitigation, but without a lot of experience it can be hard to intuit that a regex is sensible (especially to polynomial attacks as they tend to be a bit subtle).

Since then, tools have appeared to try and find out if regexes are sensible to the issue (using both fuzzing and modelling).

https://makenowjust-labs.github.io/recheck/ is available as a JavaScript & Scala library and should be reasonably easy to integrate into a CI script.
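
To illustrate the kind of check the issue asks for, here is an added example (not part of the original issue, not ReCheck, and not the project's code) that times each regex on near-miss inputs of size n and 2n and flags super-linear growth. The two patterns, their names, the input generator and the thresholds are constructed for illustration.

```javascript
// Added example: empirical growth probe for regexes, usable as a CI step.
// Patterns, names and thresholds below are constructed for illustration.
const CANDIDATES = [
  { name: "trailing-whitespace", regex: /\s+$/ },
  // Lookbehind lets a match start only at the first character of a whitespace run.
  { name: "trailing-whitespace-guarded", regex: /(?<!\s)\s+$/ },
];

// Near-miss input: a long whitespace run that is NOT at the end of the string.
const nearMiss = (n) => " ".repeat(n) + "x";

// Best-of-`runs` wall time in ms for a single test() call.
function timeMatch(regex, input, runs = 3) {
  let best = Infinity;
  for (let i = 0; i < runs; i++) {
    const start = performance.now();
    regex.test(input);
    best = Math.min(best, performance.now() - start);
  }
  return best;
}

// Estimate k in time ~ n^k from timings at n and 2n (k = log2 of the ratio).
function growthExponent(regex, n) {
  for (let i = 0; i < 3; i++) regex.test(nearMiss(256)); // warm up the engine
  const small = timeMatch(regex, nearMiss(n));
  const large = timeMatch(regex, nearMiss(2 * n));
  return { exponent: Math.log2(large / small), slowestMs: large };
}

// Flag a pattern only when it is both measurably slow and super-linear;
// the floor keeps timer noise on fast patterns from raising false alarms.
function audit(candidates, n = 8000, floorMs = 5, maxExponent = 1.5) {
  return candidates.map(({ name, regex }) => {
    const { exponent, slowestMs } = growthExponent(regex, n);
    return { name, exponent, slowestMs, suspicious: slowestMs >= floorMs && exponent > maxExponent };
  });
}

// A CI job would fail the build when any entry has suspicious === true.
console.table(audit(CANDIDATES));
```

A probe like this only measures the inputs it is given; finding the input that triggers the slow path is the part a dedicated checker automates.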
