Regolith
A secure, Rust-backed regex engine for JavaScript and TypeScript. Drop-in RegExp replacement with linear worst-case performance.
ReDoS Immune
Protected against Regular Expression Denial of Service attacks
Linear Performance
Guaranteed linear worst-case time complexity
Drop-in Replacement
Compatible with existing RegExp usage patterns
What is Regolith?
Regolith is a next-generation regex engine that solves the fundamental security and performance issues of traditional regular expressions while maintaining full compatibility.
Traditional RegExp Vulnerabilities
Regular expressions in JavaScript can be vulnerable to ReDoS (Regular Expression Denial of Service) attacks, where carefully crafted input can cause exponential time complexity, freezing your application.
Patterns like (a+)+b can take exponentially longer to process as input size grows, making your app vulnerable to attacks.
This is a fundamental issue with backtracking-based regex engines used in most programming languages.
Vulnerable Code Example
// This can freeze your app!
const regex = /^(a+)+$/;
const malicious = 'a'.repeat(30) + 'x';
// Takes exponentially longer
regex.test(malicious); // 💥 Hangs!Regolith Solution
import { Regolith } from '@regolithjs/regolith';
// Same pattern, guaranteed safe
const regex = new Regolith('^(a+)+$');
const malicious = 'a'.repeat(30) + 'x';
// Always returns quickly âš¡
regex.test(malicious); // false (fast!)Rust-Powered Security
Regolith uses a finite automaton-based approach implemented in Rust, guaranteeing linear time complexity regardless of input or pattern complexity.
Built on Rust's memory-safe foundation with WebAssembly bindings, Regolith provides both security and performance without sacrificing compatibility.
Drop-in replacement for RegExp with the same API you already know and love.
O(n) Guaranteed
Linear time complexity for all operations, no matter how complex your patterns
ReDoS Immune
Complete protection against Regular Expression Denial of Service attacks
Drop-in Ready
Compatible API means minimal changes to your existing codebase
Why Choose Regolith?
Built for modern applications that need both security and performance
ReDoS Protection
Built-in protection against Regular Expression Denial of Service attacks. Your applications stay secure even with complex patterns.
Linear Performance
Guaranteed O(n+m) worst-case time complexity. No more exponential blowups that can crash your application.
Drop-in Replacement
Compatible API with JavaScript's RegExp. Minimal code changes required to upgrade your existing applications.
Rust-Powered Security
Built on Rust's memory-safe foundation, providing additional security guarantees beyond traditional regex engines.
Predictable Performance
Consistent performance characteristics make it ideal for production environments where reliability matters.
Open Source
Fully open source and community-driven. Contribute to the future of secure regex processing in JavaScript.
Get Started
Install Regolith and start building secure applications in minutes
Installation
Choose your preferred package manager
npm
npm install @regolithjs/regolithyarn
yarn add @regolithjs/regolithpnpm
pnpm add @regolithjs/regolithbun
bun add @regolithjs/regolithQuick Start
Basic usage example to get you started
import { Regolith } from '@regolithjs/regolith';
// Updated pattern: no anchors
const regex = new Regolith(
'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}',
'g'
);
// Test a single email string
const isValid = regex.test('user@example.com');
console.log(isValid); // true
// Find matches in a larger string
const matches = regex.exec('Contact us at support@example.com');
console.log(matches); // ['support@example.com']Code Examples
See Regolith in action with real-world use cases
Email Validation
Validate email addresses securely
import { Regolith } from '@regolithjs/regolith';
const emailRegex = new Regolith(
'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
);
function validateEmail(email) {
return emailRegex.test(email);
}
console.log(validateEmail('user@example.com')); // true
console.log(validateEmail('invalid-email')); // falseInput Sanitization
Safely validate user input patterns
import { Regolith } from '@regolithjs/regolith';
// Safe username validation - no ReDoS risk
const usernameRegex = new Regolith('^[a-zA-Z0-9_]{3,20}$');
// Safe password complexity check
const passwordRegex = new Regolith(
'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d@$!%*?&]{8,}$'
);
function validateUserInput(username, password) {
return {
validUsername: usernameRegex.test(username),
validPassword: passwordRegex.test(password)
};
}
console.log(validateUserInput('john_doe', 'SecurePass123'));
// { validUsername: true, validPassword: true }Migration from RegExp
Easy migration from native RegExp
// Before: Using native RegExp (vulnerable to ReDoS)
const oldRegex = new RegExp('(a+)+b');
// After: Using Regolith (ReDoS-safe)
import { Regolith } from '@regolithjs/regolith';
const newRegex = new Regolith('(a+)+b');
// Same API, better security
const testString = 'aaaaaaaaaaaaaaaaaaaaaaaab';
// Both work the same way
console.log(oldRegex.test(testString)); // true (but potentially slow)
console.log(newRegex.test(testString)); // true (guaranteed fast)
// Regolith prevents catastrophic backtracking
const maliciousInput = 'a'.repeat(1000) + 'x';
console.log(newRegex.test(maliciousInput)); // false (returns quickly)Join the Community
Regolith is early-stage and needs contributors. Help us build the future of secure regex processing.
Code Contributions
Help improve the core engine, add features, or fix bugs
Report Bugs
Found a bug? Help us improve by reporting it
Documentation
Help improve our docs, examples, and tutorials
Community Support
Help other users and share your knowledge
Ready to Contribute?
Whether you're a Rust expert, JavaScript developer, or documentation enthusiast, there's a place for you in the Regolith community.