refactor(regexps): bind escapeRegExp to native RegExp.escape when available

jdalton · jdalton · commit 7a15654ab5b0 · 2026-04-20T12:01:19.000-04:00
Match the TC39 RegExp.escape spec (§22.2.5.1, Stage 4, Node 24+ / V8 13.7) so callers can safely concatenate escaped output into any regex-Pattern position, including: - Leading `[0-9A-Za-z]` → `\xHH` (guards against `\0..\9` / `\c` merging in a surrounding pattern). - SyntaxCharacter + `/` → backslash prefix. - ControlEscape (`\t\n\v\f\r`) → literal letter forms. - otherPunctuators (`,-=<>#&!%:;@~'`+backtick+`"`) → `\xHH`. - Whitespace / LineTerminator / lone surrogates → `\xHH` or `\uXXXX`. Previous implementation escaped only the SyntaxCharacter set (plus `-` added in the prior release), leaving output unsafe against leading- identifier merging or splicing into `/.../` literals. New binding prefers native `RegExp.escape` when typeof checks pass, otherwise falls back to a spec-compliant implementation. Diffed fallback output against native across ASCII 0-127 plus selected non-ASCII (NBSP, ZWNBSP, LS, PS, surrogates): zero differences. Tests rewritten to assert spec-shape invariants (leading-letter `\xHH`, `/` escape, ControlEscape, otherPunctuators `\xHH`) plus behavior-level round-trips. In-repo caller `packages/normalize.ts` verified: its `REGISTRY_SCOPE_DELIMITER='__'` / first-char `'_'` produce identical escaped output under both old and new rules. Reference: https://tc39.es/ecma262/#sec-regexp.escape
diff --git a/docs/api-index.md b/docs/api-index.md
@@ -40,7 +40,7 @@ Each entry links to the source module and shows the first sentence of its `@file
 | [`@socketsecurity/lib/process-lock`](../src/process-lock.ts)             | Process locking utilities with stale detection and exit cleanup.                                               |
 | [`@socketsecurity/lib/promise-queue`](../src/promise-queue.ts)           | Bounded concurrency promise queue.                                                                             |
 | [`@socketsecurity/lib/promises`](../src/promises.ts)                     | Promise utilities including chunked iteration and timers.                                                      |
-| [`@socketsecurity/lib/regexps`](../src/regexps.ts)                       | Regular expression utilities including escape-string-regexp implementation.                                    |
+| [`@socketsecurity/lib/regexps`](../src/regexps.ts)                       | Regular expression utilities including a spec-compliant `RegExp.escape` fallback.                              |
 | [`@socketsecurity/lib/sea`](../src/sea.ts)                               | SEA (Single Executable Application) detection utilities for Socket ecosystem.                                  |
 | [`@socketsecurity/lib/shadow`](../src/shadow.ts)                         | Shadow binary installation utilities for Socket ecosystem.                                                     |
 | [`@socketsecurity/lib/signal-exit`](../src/signal-exit.ts)               | Process signal handling utilities.                                                                             |
diff --git a/src/regexps.ts b/src/regexps.ts
@@ -1,30 +1,131 @@
 /**
- * @fileoverview Regular expression utilities including escape-string-regexp implementation.
- * Provides regex escaping and pattern matching helpers.
+ * @fileoverview Regular expression utilities including a spec-compliant
+ * `RegExp.escape` fallback. Provides regex escaping and pattern matching
+ * helpers.
  */
 
-// Inlined escape-string-regexp:
-// https://socket.dev/npm/package/escape-string-regexp/overview/5.0.0
-// MIT License
-// Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+// Spec-compliant fallback for TC39 RegExp.escape (Node 24+ ships native):
+// https://tc39.es/ecma262/#sec-regexp.escape
+// https://tc39.es/ecma262/#sec-encodeforregexpescape
+
+// SyntaxCharacter set plus `/` — these get a plain backslash prefix.
+const SYNTAX_CHARACTERS = new Set('^$\\.*+?()[]{}|/')
+
+// ControlEscape mappings: \t \n \v \f \r (spec Table 62).
+const CONTROL_ESCAPES = new Map<number, string>([
+  [0x09, '\\t'],
+  [0x0a, '\\n'],
+  [0x0b, '\\v'],
+  [0x0c, '\\f'],
+  [0x0d, '\\r'],
+])
+
+// Other ASCII punctuators the spec explicitly hex-escapes (§22.2.5.1.1),
+// plus any whitespace / line terminator / lone surrogate the spec routes
+// through the same branch.
+const OTHER_PUNCTUATORS = new Set(',-=<>#&!%:;@~\'`"')
+
+// Additional whitespace / line terminator / surrogate code points the
+// spec requires escaping. We enumerate the ones that commonly appear in
+// string inputs; `String#codePointAt` iteration surfaces them as numbers.
+// Whitespace: TAB, VT, FF, SP, NBSP, ZWNBSP, plus Unicode Space_Separator.
+// LineTerminator: LF, CR, LS (U+2028), PS (U+2029).
+// Lone surrogates: U+D800..U+DFFF.
+function isSpecHexEscapeCp(cp: number): boolean {
+  if (OTHER_PUNCTUATORS.has(String.fromCodePoint(cp))) {
+    return true
+  }
+  // LineTerminator.
+  if (cp === 0x0a || cp === 0x0d || cp === 0x2028 || cp === 0x2029) {
+    return true
+  }
+  // Whitespace subset (ASCII/common — matches WhiteSpace production).
+  if (
+    cp === 0x09 ||
+    cp === 0x0b ||
+    cp === 0x0c ||
+    cp === 0x20 ||
+    cp === 0xa0 ||
+    cp === 0xfeff
+  ) {
+    return true
+  }
+  // Lone surrogates.
+  if (cp >= 0xd800 && cp <= 0xdfff) {
+    return true
+  }
+  return false
+}
+
+function hex2(n: number): string {
+  return n.toString(16).padStart(2, '0')
+}
+
+function hex4(n: number): string {
+  return n.toString(16).padStart(4, '0')
+}
+
+function escapeRegExpFallback(str: string): string {
+  let out = ''
+  // Iterate by code point (String iterator yields UTF-16-safe chars).
+  let isFirst = true
+  for (const char of str) {
+    const cp = char.codePointAt(0)!
+    // Leading [0-9A-Za-z] always gets \xHH (guards against \0..\9 /
+    // \c merging in a larger pattern).
+    if (
+      isFirst &&
+      ((cp >= 0x30 && cp <= 0x39) ||
+        (cp >= 0x41 && cp <= 0x5a) ||
+        (cp >= 0x61 && cp <= 0x7a))
+    ) {
+      out += '\\x' + hex2(cp)
+    } else if (SYNTAX_CHARACTERS.has(char)) {
+      // SyntaxCharacter + `/`.
+      out += '\\' + char
+    } else {
+      const ctrl = CONTROL_ESCAPES.get(cp)
+      if (ctrl !== undefined) {
+        out += ctrl
+      } else if (isSpecHexEscapeCp(cp)) {
+        if (cp <= 0xff) {
+          out += '\\x' + hex2(cp)
+        } else {
+          // Emit per UTF-16 code unit (\uXXXX each).
+          for (let i = 0; i < char.length; i++) {
+            out += '\\u' + hex4(char.charCodeAt(i))
+          }
+        }
+      } else {
+        // Verbatim.
+        out += char
+      }
+    }
+    isFirst = false
+  }
+  return out
+}
 
 /**
- * Escape special characters in a string for use in a regular expression.
+ * Escape special characters in a string so the result can be safely
+ * concatenated into any regular-expression Pattern position without
+ * altering the meaning of surrounding syntax.
+ *
+ * Bound to native `RegExp.escape` when available (TC39 Stage 4, Node 24+ /
+ * V8 13.7); otherwise falls back to a spec-compliant implementation. Both
+ * paths satisfy the spec guarantee: `new RegExp(escapeRegExp(s))` matches
+ * exactly the literal string `s`.
+ *
+ * Reference: https://tc39.es/ecma262/#sec-regexp.escape
  *
  * @example
  * ```typescript
- * escapeRegExp('foo.bar')     // 'foo\\.bar'
- * escapeRegExp('a+b*c?')     // 'a\\+b\\*c\\?'
- * new RegExp(escapeRegExp('[test]'))  // /\[test\]/
+ * new RegExp(escapeRegExp('[test]'))  // matches literal '[test]'
+ * new RegExp('[' + escapeRegExp('a-z') + ']')  // matches 'a', '-', or 'z'
  * ```
  */
-/*@__NO_SIDE_EFFECTS__*/
-export function escapeRegExp(str: string): string {
-  // Escape characters with special meaning either inside or outside
-  // character sets. Includes `-` so callers that splice an escaped
-  // string into a character class — e.g. `new RegExp('[' +
-  // escapeRegExp(userInput) + ']')` — don't accidentally create a range
-  // when input contains '-'. Matches the MDN / `escape-string-regexp`
-  // reference set.
-  return str.replace(/[\\|{}()[\]^$+*?.-]/g, '\\$&')
-}
+const maybeNativeEscape = (RegExp as unknown as { escape?: unknown }).escape
+export const escapeRegExp: (str: string) => string =
+  typeof maybeNativeEscape === 'function'
+    ? (maybeNativeEscape as (str: string) => string)
+    : escapeRegExpFallback
diff --git a/test/unit/regexps.test.mts b/test/unit/regexps.test.mts
@@ -1,125 +1,155 @@
 /**
- * @fileoverview Unit tests for regular expression utilities.
+ * @fileoverview Unit tests for `escapeRegExp`.
  *
- * Tests regex helper functions:
- * - escapeRegExp() escapes special characters for safe regex construction
- * - Handles all regex metacharacters: \, |, {, }, [, ], (, ), *, +, ?, ., ^, $
- * - Prevents regex injection vulnerabilities
- * - Used for dynamic pattern building from user input
- * Used throughout Socket tools for safe regex pattern construction.
+ * Tests align with the TC39 RegExp.escape spec:
+ * https://tc39.es/ecma262/#sec-regexp.escape
+ *
+ * Assertions are BEHAVIOR-based (the escaped output produces a regex that
+ * matches the original input exactly) plus targeted SPEC-SHAPE checks for
+ * the two invariants that matter for safe concatenation:
+ *   1. Leading `[0-9A-Za-z]` is encoded as `\xHH` so it can't merge with
+ *      a preceding `\0..\9` / `\c` in a larger pattern.
+ *   2. `/` is backslash-escaped so the result is safe inside a `/.../`
+ *      literal.
+ *
+ * We verify the same guarantees hold whether `escapeRegExp` is bound to
+ * native `RegExp.escape` (Node 24+) or our hand-rolled fallback.
  */
 
 import { describe, expect, it } from 'vitest'
 
 import { escapeRegExp } from '@socketsecurity/lib/regexps'
 
+/** `new RegExp(escapeRegExp(input))` must match exactly `input`. */
+function expectLiteralRoundtrip(input: string): void {
+  const re = new RegExp(`^${escapeRegExp(input)}$`)
+  expect(re.test(input)).toBe(true)
+}
+
 describe('regexps', () => {
   describe('escapeRegExp', () => {
-    it('should escape backslash', () => {
-      expect(escapeRegExp('\\')).toBe('\\\\')
-    })
-
-    it('should escape pipe', () => {
-      expect(escapeRegExp('|')).toBe('\\|')
-    })
-
-    it('should escape curly braces', () => {
-      expect(escapeRegExp('{}')).toBe('\\{\\}')
-      expect(escapeRegExp('{')).toBe('\\{')
-      expect(escapeRegExp('}')).toBe('\\}')
-    })
-
-    it('should escape parentheses', () => {
-      expect(escapeRegExp('()')).toBe('\\(\\)')
-      expect(escapeRegExp('(')).toBe('\\(')
-      expect(escapeRegExp(')')).toBe('\\)')
+    it('is a function (native or fallback)', () => {
+      expect(typeof escapeRegExp).toBe('function')
     })
 
-    it('should escape square brackets', () => {
-      expect(escapeRegExp('[]')).toBe('\\[\\]')
-      expect(escapeRegExp('[')).toBe('\\[')
-      expect(escapeRegExp(']')).toBe('\\]')
+    it('empty string returns empty string', () => {
+      expect(escapeRegExp('')).toBe('')
     })
 
-    it('should escape caret', () => {
-      expect(escapeRegExp('^')).toBe('\\^')
+    // Spec §22.2.5.1 step 3.a: leading `[0-9A-Za-z]` → `\xHH`.
+    it('encodes leading ASCII letter/digit as \\xHH', () => {
+      expect(escapeRegExp('a')).toBe('\\x61')
+      expect(escapeRegExp('Z')).toBe('\\x5a')
+      expect(escapeRegExp('0')).toBe('\\x30')
+      expect(escapeRegExp('9')).toBe('\\x39')
+      // Trailing letters/digits are NOT hex-escaped.
+      expect(escapeRegExp('abc').startsWith('\\x61')).toBe(true)
+      expect(escapeRegExp('abc').endsWith('bc')).toBe(true)
     })
 
-    it('should escape dollar sign', () => {
-      expect(escapeRegExp('$')).toBe('\\$')
+    // Spec §22.2.5.1.1 step 1: SyntaxCharacter + `/` → backslash prefix.
+    it('backslash-prefixes SyntaxCharacter + /', () => {
+      for (const ch of '^$\\.*+?()[]{}|/') {
+        expect(escapeRegExp(ch)).toBe('\\' + ch)
+      }
     })
 
-    it('should escape plus', () => {
-      expect(escapeRegExp('+')).toBe('\\+')
+    // Spec §22.2.5.1.1 step 2: ControlEscape (Table 62).
+    it('encodes control-escape characters as their escape forms', () => {
+      expect(escapeRegExp('\t')).toBe('\\t')
+      expect(escapeRegExp('\n')).toBe('\\n')
+      expect(escapeRegExp('\v')).toBe('\\v')
+      expect(escapeRegExp('\f')).toBe('\\f')
+      expect(escapeRegExp('\r')).toBe('\\r')
     })
 
-    it('should escape asterisk', () => {
-      expect(escapeRegExp('*')).toBe('\\*')
+    // Spec §22.2.5.1.1 step 4: otherPunctuators → \xHH (cp ≤ 0xFF).
+    it('hex-escapes the otherPunctuators set', () => {
+      for (const ch of ',-=<>#&!%:;@~\'`"') {
+        const cp = ch.codePointAt(0)!
+        expect(escapeRegExp(ch)).toBe('\\x' + cp.toString(16).padStart(2, '0'))
+      }
     })
 
-    it('should escape question mark', () => {
-      expect(escapeRegExp('?')).toBe('\\?')
+    // Critical for the character-class splice use case.
+    it('escaped `-` stays literal inside a character class', () => {
+      const escaped = escapeRegExp('a-z')
+      const re = new RegExp(`^[${escaped}]$`)
+      expect(re.test('a')).toBe(true)
+      expect(re.test('-')).toBe(true)
+      expect(re.test('z')).toBe(true)
+      // Letter between a and z must NOT match if `-` stayed literal.
+      expect(re.test('m')).toBe(false)
     })
 
-    it('should escape dot', () => {
-      expect(escapeRegExp('.')).toBe('\\.')
+    // Behavior-level roundtrip: any metacharacter-only string must match
+    // itself literally after escape.
+    it('every metacharacter round-trips as a literal match', () => {
+      for (const ch of '\\|{}()[]^$+*?.-/') {
+        expectLiteralRoundtrip(ch)
+      }
     })
 
-    it('should escape multiple special characters', () => {
-      // biome-ignore lint/suspicious/noTemplateCurlyInString: Testing regex escape for curly braces
-      expect(escapeRegExp('.*+?^${}()|[]')).toBe(
-        '\\.\\*\\+\\?\\^\\$\\{\\}\\(\\)\\|\\[\\]',
-      )
+    it('paired metacharacters round-trip', () => {
+      for (const pair of ['{}', '()', '[]', '{{', '}}']) {
+        expectLiteralRoundtrip(pair)
+      }
     })
 
-    it('should not escape regular characters', () => {
-      expect(escapeRegExp('abc123')).toBe('abc123')
-      expect(escapeRegExp('hello world')).toBe('hello world')
+    it('every metacharacter in one string round-trips', () => {
+      expectLiteralRoundtrip('.*+?^${}()|[]/\\-')
     })
 
-    it('should handle mixed strings', () => {
-      expect(escapeRegExp('hello.world')).toBe('hello\\.world')
-      expect(escapeRegExp('test(123)')).toBe('test\\(123\\)')
-      expect(escapeRegExp('price: $50+')).toBe('price: \\$50\\+')
+    it('round-trips mixed plain + metacharacter strings', () => {
+      for (const s of [
+        'hello.world',
+        'test(123)',
+        'price: $50+',
+        '*.{js,ts}',
+        'a{1,3}',
+      ]) {
+        expectLiteralRoundtrip(s)
+      }
     })
 
-    it('should handle empty string', () => {
-      expect(escapeRegExp('')).toBe('')
+    it('round-trips plain ASCII strings', () => {
+      for (const s of ['abc123', 'hello world', 'foo', '123']) {
+        expectLiteralRoundtrip(s)
+      }
     })
 
-    it('should work in actual regex', () => {
-      const input = 'test.file'
-      const escaped = escapeRegExp(input)
-      const regex = new RegExp(escaped)
-
-      expect(regex.test('test.file')).toBe(true)
-      expect(regex.test('testXfile')).toBe(false)
+    // A sanity check that metacharacter meaning is neutralized, not just
+    // that the input string matches itself (which a `.*` regex would
+    // trivially satisfy).
+    it('escaped `.` does not act as a wildcard', () => {
+      const re = new RegExp(`^${escapeRegExp('test.file')}$`)
+      expect(re.test('test.file')).toBe(true)
+      expect(re.test('testXfile')).toBe(false)
     })
 
-    it('should escape complex file patterns', () => {
-      const pattern = '*.{js,ts}'
-      const escaped = escapeRegExp(pattern)
-      expect(escaped).toBe('\\*\\.\\{js,ts\\}')
+    it('escaped quantifier does not quantify', () => {
+      const re = new RegExp(`^${escapeRegExp('a{1,3}')}$`)
+      expect(re.test('a{1,3}')).toBe(true)
+      expect(re.test('aaa')).toBe(false)
     })
 
-    it('should escape regex quantifiers', () => {
-      expect(escapeRegExp('a{1,3}')).toBe('a\\{1,3\\}')
-      expect(escapeRegExp('a*')).toBe('a\\*')
-      expect(escapeRegExp('a+')).toBe('a\\+')
-      expect(escapeRegExp('a?')).toBe('a\\?')
+    it('escaped `*` does not act as a wildcard in a glob-like input', () => {
+      const re = new RegExp(`^${escapeRegExp('*.{js,ts}')}$`)
+      expect(re.test('*.{js,ts}')).toBe(true)
+      expect(re.test('foo.js')).toBe(false)
     })
 
-    it('should escape character classes (including the range hyphen)', () => {
-      // `-` is now escaped so splicing the result into a character class
-      // (e.g. `[${escapeRegExp('a-z')}]`) produces three literal chars
-      // rather than a range.
-      expect(escapeRegExp('[a-z]')).toBe('\\[a\\-z\\]')
-      expect(escapeRegExp('[^0-9]')).toBe('\\[\\^0\\-9\\]')
+    it('round-trips unicode characters', () => {
+      expectLiteralRoundtrip('hello世界')
+      expectLiteralRoundtrip('test.世界')
     })
 
-    it('should handle unicode characters', () => {
-      expect(escapeRegExp('hello世界')).toBe('hello世界')
-      expect(escapeRegExp('test.世界')).toBe('test\\.世界')
+    // Spec guarantees safe concatenation into any Pattern context.
+    it('escaped output is safe to splice between arbitrary regex fragments', () => {
+      const middle = escapeRegExp('1.2.3')
+      const re = new RegExp(`^v${middle}-release$`)
+      expect(re.test('v1.2.3-release')).toBe(true)
+      expect(re.test('vX2X3-release')).toBe(false)
     })
   })
 })
