More information
#### Details
The Rust Security Response WG was notified that the `regex` crate did not
properly limit the complexity of the regular expressions (regex) it parses. An
attacker could use this security issue to perform a denial of service, by
sending a specially crafted regex to a service accepting untrusted regexes. No
known vulnerability is present when parsing untrusted input with trusted
regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability
is "high" when the `regex` crate is used to parse untrusted regexes. Other uses
of the `regex` crate are not affected by this vulnerability.
##### Overview
The `regex` crate features built-in mitigations to prevent denial of service
attacks caused by untrusted regexes, or untrusted input matched by trusted
regexes. Those (tunable) mitigations already provide sane defaults to prevent
attacks. This guarantee is documented and it's considered part of the crate's
API.
Unfortunately a bug was discovered in the mitigations designed to prevent
untrusted regexes to take an arbitrary amount of time during parsing, and it's
possible to craft regexes that bypass such mitigations. This makes it possible
to perform denial of service attacks by sending specially crafted regexes to
services accepting user-controlled, untrusted regexes.
##### Affected versions
All versions of the `regex` crate before or equal to 1.5.4 are affected by this
issue. The fix is include starting from `regex` 1.5.5.
##### Mitigations
We recommend everyone accepting user-controlled regexes to upgrade immediately
to the latest version of the `regex` crate.
Unfortunately there is no fixed set of problematic regexes, as there are
practically infinite regexes that could be crafted to exploit this
vulnerability. Because of this, we do not recommend denying known problematic
regexes.
##### Acknowledgements
We want to thank Addison Crump for responsibly disclosing this to us according
to the [Rust security policy][1], and for helping review the fix.
We also want to thank Andrew Gallant for developing the fix, and Pietro Albini
for coordinating the disclosure and writing this advisory.
[1]: https://www.rust-lang.org/policies/security
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
#### References
- [https://crates.io/crates/regex](https://crates.io/crates/regex)
- [https://rustsec.org/advisories/RUSTSEC-2022-0013.html](https://rustsec.org/advisories/RUSTSEC-2022-0013.html)
- [https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw](https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw)
This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2022-0013) and the [Rust Advisory Database](https://togithub.com/RustSec/advisory-db) ([CC0 1.0](https://togithub.com/rustsec/advisory-db/blob/main/LICENSE.txt)).
Rust's regex crate vulnerable to regular expression denial of service
More information
#### Details
> This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.
[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.
##### Overview
The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.
Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.
##### Affected versions
All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.
##### Mitigations
We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.
Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.
##### Acknowledgements
We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.
We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
#### References
- [https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8](https://togithub.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-24713](https://nvd.nist.gov/vuln/detail/CVE-2022-24713)
- [https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e](https://togithub.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e)
- [https://github.com/rust-lang/regex](https://togithub.com/rust-lang/regex)
- [https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw](https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw)
- [https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html](https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html)
- [https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html](https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ)
- [https://rustsec.org/advisories/RUSTSEC-2022-0013.html](https://rustsec.org/advisories/RUSTSEC-2022-0013.html)
- [https://security.gentoo.org/glsa/202208-08](https://security.gentoo.org/glsa/202208-08)
- [https://security.gentoo.org/glsa/202208-14](https://security.gentoo.org/glsa/202208-14)
- [https://www.debian.org/security/2022/dsa-5113](https://www.debian.org/security/2022/dsa-5113)
- [https://www.debian.org/security/2022/dsa-5118](https://www.debian.org/security/2022/dsa-5118)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Release Notes
rust-lang/regex (regex)
### [`v1.10.4`](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4)
### [`v1.10.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1103-2024-01-21)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.2...1.10.3)
\===================
This is a new patch release that fixes the feature configuration of optional
dependencies, and fixes an unsound use of bounds check elision.
Bug fixes:
- [BUG #1147](https://togithub.com/rust-lang/regex/issues/1147):
Set `default-features=false` for the `memchr` and `aho-corasick` dependencies.
- [BUG #1154](https://togithub.com/rust-lang/regex/pull/1154):
Fix unsound bounds check elision.
### [`v1.10.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1102-2023-10-16)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.1...1.10.2)
\===================
This is a new patch release that fixes a search regression where incorrect
matches could be reported.
Bug fixes:
- [BUG #1110](https://togithub.com/rust-lang/regex/issues/1110):
Revert broadening of reverse suffix literal optimization introduced in 1.10.1.
### [`v1.10.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1101-2023-10-14)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.0...1.10.1)
\===================
This is a new patch release with a minor increase in the number of valid
patterns and a broadening of some literal optimizations.
New features:
- [FEATURE 04f5d7be](https://togithub.com/rust-lang/regex/commit/04f5d7be4efc542864cc400f5d43fbea4eb9bab6):
Loosen ASCII-compatible rules such that regexes like `(?-u:☃)` are now allowed.
Performance improvements:
- [PERF 8a8d599f](https://togithub.com/rust-lang/regex/commit/8a8d599f9d2f2d78e9ad84e4084788c2d563afa5):
Broader the reverse suffix optimization to apply in more cases.
### [`v1.10.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1100-2023-10-09)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.6...1.10.0)
\===================
This is a new minor release of `regex` that adds support for start and end
word boundary assertions. That is, `\<` and `\>`. The minimum supported Rust
version has also been raised to 1.65, which was released about one year ago.
The new word boundary assertions are:
- `\<` or `\b{start}`: a Unicode start-of-word boundary (`\W|\A` on the left,
`\w` on the right).
- `\>` or `\b{end}`: a Unicode end-of-word boundary (`\w` on the left, `\W|\z`
on the right)).
- `\b{start-half}`: half of a Unicode start-of-word boundary (`\W|\A` on the
left).
- `\b{end-half}`: half of a Unicode end-of-word boundary (`\W|\z` on the
right).
The `\<` and `\>` are GNU extensions to POSIX regexes. They have been added
to the `regex` crate because they enjoy somewhat broad support in other regex
engines as well (for example, vim). The `\b{start}` and `\b{end}` assertions
are aliases for `\<` and `\>`, respectively.
The `\b{start-half}` and `\b{end-half}` assertions are not found in any
other regex engine (although regex engines with general look-around support
can certainly express them). They were added principally to support the
implementation of word matching in grep programs, where one generally wants to
be a bit more flexible in what is considered a word boundary.
New features:
- [FEATURE #469](https://togithub.com/rust-lang/regex/issues/469):
Add support for `\<` and `\>` word boundary assertions.
- [FEATURE(regex-automata) #1031](https://togithub.com/rust-lang/regex/pull/1031):
DFAs now have a `start_state` method that doesn't use an `Input`.
Performance improvements:
- [PERF #1051](https://togithub.com/rust-lang/regex/pull/1051):
Unicode character class operations have been optimized in `regex-syntax`.
- [PERF #1090](https://togithub.com/rust-lang/regex/issues/1090):
Make patterns containing lots of literal characters use less memory.
Bug fixes:
- [BUG #1046](https://togithub.com/rust-lang/regex/issues/1046):
Fix a bug that could result in incorrect match spans when using a Unicode word
boundary and searching non-ASCII strings.
- [BUG(regex-syntax) #1047](https://togithub.com/rust-lang/regex/issues/1047):
Fix panics that can occur in `Ast->Hir` translation (not reachable from `regex`
crate).
- [BUG(regex-syntax) #1088](https://togithub.com/rust-lang/regex/issues/1088):
Remove guarantees in the API that connect the `u` flag with a specific HIR
representation.
`regex-automata` breaking change release:
This release includes a `regex-automata 0.4.0` breaking change release, which
was necessary in order to support the new word boundary assertions. For
example, the `Look` enum has new variants and the `LookSet` type now uses `u32`
instead of `u16` to represent a bitset of look-around assertions. These are
overall very minor changes, and most users of `regex-automata` should be able
to move to `0.4` from `0.3` without any changes at all.
`regex-syntax` breaking change release:
This release also includes a `regex-syntax 0.8.0` breaking change release,
which, like `regex-automata`, was necessary in order to support the new word
boundary assertions. This release also includes some changes to the `Ast`
type to reduce heap usage in some cases. If you are using the `Ast` type
directly, your code may require some minor modifications. Otherwise, users of
`regex-syntax 0.7` should be able to migrate to `0.8` without any code changes.
`regex-lite` release:
The `regex-lite 0.1.1` release contains support for the new word boundary
assertions. There are no breaking changes.
### [`v1.9.6`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#196-2023-09-30)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.5...1.9.6)
\==================
This is a patch release that fixes a panic that can occur when the default
regex size limit is increased to a large number.
- [BUG aa4e4c71](https://togithub.com/rust-lang/regex/commit/aa4e4c7120b0090ce0624e3c42a2ed06dd8b918a):
Fix a bug where computing the maximum haystack length for the bounded
backtracker could result underflow and thus provoke a panic later in a search
due to a broken invariant.
### [`v1.9.5`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#195-2023-09-02)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.4...1.9.5)
\==================
This is a patch release that hopefully mostly fixes a performance bug that
occurs when sharing a regex across multiple threads.
Issue [#934](https://togithub.com/rust-lang/regex/issues/934)
explains this in more detail. It is [also noted in the crate
documentation](https://docs.rs/regex/latest/regex/#sharing-a-regex-across-threads-can-result-in-contention).
The bug can appear when sharing a regex across multiple threads simultaneously,
as might be the case when using a regex from a `OnceLock`, `lazy_static` or
similar primitive. Usually high contention only results when using many threads
to execute searches on small haystacks.
One can avoid the contention problem entirely through one of two methods.
The first is to use lower level APIs from `regex-automata` that require passing
state explicitly, such as [`meta::Regex::search_with`](https://docs.rs/regex-automata/latest/regex_automata/meta/struct.Regex.html#method.search_with).
The second is to clone a regex and send it to other threads explicitly. This
will not use any additional memory usage compared to sharing the regex. The
only downside of this approach is that it may be less convenient, for example,
it won't work with things like `OnceLock` or `lazy_static` or `once_cell`.
With that said, as of this release, the contention performance problems have
been greatly reduced. This was achieved by changing the free-list so that it
was sharded across threads, and that ensuring each sharded mutex occupies a
single cache line to mitigate false sharing. So while contention may still
impact performance in some cases, it should be a lot better now.
Because of the changes to how the free-list works, please report any issues you
find with this release. That not only includes search time regressions but also
significant regressions in memory usage. Reporting improvements is also welcome
as well! If possible, provide a reproduction.
Bug fixes:
- [BUG #934](https://togithub.com/rust-lang/regex/issues/934):
Fix a performance bug where high contention on a single regex led to massive
slow downs.
### [`v1.9.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#194-2023-08-26)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.3...1.9.4)
\==================
This is a patch release that fixes a bug where `RegexSet::is_match(..)` could
incorrectly return false (even when `RegexSet::matches(..).matched_any()`
returns true).
Bug fixes:
- [BUG #1070](https://togithub.com/rust-lang/regex/issues/1070):
Fix a bug where a prefilter was incorrectly configured for a `RegexSet`.
### [`v1.9.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#193-2023-08-05)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.2...1.9.3)
\==================
This is a patch release that fixes a bug where some searches could result in
incorrect match offsets being reported. It is difficult to characterize the
types of regexes susceptible to this bug. They generally involve patterns
that contain no prefix or suffix literals, but have an inner literal along with
a regex prefix that can conditionally match.
Bug fixes:
- [BUG #1060](https://togithub.com/rust-lang/regex/issues/1060):
Fix a bug with the reverse inner literal optimization reporting incorrect match
offsets.
### [`v1.9.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#192-2023-08-05)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.1...1.9.2)
\==================
This is a patch release that fixes another memory usage regression. This
particular regression occurred only when using a `RegexSet`. In some cases,
much more heap memory (by one or two orders of magnitude) was allocated than in
versions prior to 1.9.0.
Bug fixes:
- [BUG #1059](https://togithub.com/rust-lang/regex/issues/1059):
Fix a memory usage regression when using a `RegexSet`.
### [`v1.9.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#191-2023-07-07)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.0...1.9.1)
\==================
This is a patch release which fixes a memory usage regression. In the regex
1.9 release, one of the internal engines used a more aggressive allocation
strategy than what was done previously. This patch release reverts to the
prior on-demand strategy.
Bug fixes:
- [BUG #1027](https://togithub.com/rust-lang/regex/issues/1027):
Change the allocation strategy for the backtracker to be less aggressive.
### [`v1.9.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#190-2023-07-05)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.4...1.9.0)
\==================
This release marks the end of a [years long rewrite of the regex crate
internals](https://togithub.com/rust-lang/regex/issues/656). Since this is
such a big release, please report any issues or regressions you find. We would
also love to hear about improvements as well.
In addition to many internal improvements that should hopefully result in
"my regex searches are faster," there have also been a few API additions:
- A new `Captures::extract` method for quickly accessing the substrings
that match each capture group in a regex.
- A new inline flag, `R`, which enables CRLF mode. This makes `.` match any
Unicode scalar value except for `\r` and `\n`, and also makes `(?m:^)` and
`(?m:$)` match after and before both `\r` and `\n`, respectively, but never
between a `\r` and `\n`.
- `RegexBuilder::line_terminator` was added to further customize the line
terminator used by `(?m:^)` and `(?m:$)` to be any arbitrary byte.
- The `std` Cargo feature is now actually optional. That is, the `regex` crate
can be used without the standard library.
- Because `regex 1.9` may make binary size and compile times even worse, a
new experimental crate called `regex-lite` has been published. It prioritizes
binary size and compile times over functionality (like Unicode) and
performance. It shares no code with the `regex` crate.
New features:
- [FEATURE #244](https://togithub.com/rust-lang/regex/issues/244):
One can opt into CRLF mode via the `R` flag.
e.g., `(?mR:$)` matches just before `\r\n`.
- [FEATURE #259](https://togithub.com/rust-lang/regex/issues/259):
Multi-pattern searches with offsets can be done with `regex-automata 0.3`.
- [FEATURE #476](https://togithub.com/rust-lang/regex/issues/476):
`std` is now an optional feature. `regex` may be used with only `alloc`.
- [FEATURE #644](https://togithub.com/rust-lang/regex/issues/644):
`RegexBuilder::line_terminator` configures how `(?m:^)` and `(?m:$)` behave.
- [FEATURE #675](https://togithub.com/rust-lang/regex/issues/675):
Anchored search APIs are now available in `regex-automata 0.3`.
- [FEATURE #824](https://togithub.com/rust-lang/regex/issues/824):
Add new `Captures::extract` method for easier capture group access.
- [FEATURE #961](https://togithub.com/rust-lang/regex/issues/961):
Add `regex-lite` crate with smaller binary sizes and faster compile times.
- [FEATURE #1022](https://togithub.com/rust-lang/regex/pull/1022):
Add `TryFrom` implementations for the `Regex` type.
Performance improvements:
- [PERF #68](https://togithub.com/rust-lang/regex/issues/68):
Added a one-pass DFA engine for faster capture group matching.
- [PERF #510](https://togithub.com/rust-lang/regex/issues/510):
Inner literals are now used to accelerate searches, e.g., `\w+@\w+` will scan
for `@`.
- [PERF #787](https://togithub.com/rust-lang/regex/issues/787),
[PERF #891](https://togithub.com/rust-lang/regex/issues/891):
Makes literal optimizations apply to regexes of the form `\b(foo|bar|quux)\b`.
(There are many more performance improvements as well, but not all of them have
specific issues devoted to them.)
Bug fixes:
- [BUG #429](https://togithub.com/rust-lang/regex/issues/429):
Fix matching bugs related to `\B` and inconsistencies across internal engines.
- [BUG #517](https://togithub.com/rust-lang/regex/issues/517):
Fix matching bug with capture groups.
- [BUG #579](https://togithub.com/rust-lang/regex/issues/579):
Fix matching bug with word boundaries.
- [BUG #779](https://togithub.com/rust-lang/regex/issues/779):
Fix bug where some regexes like `(re)+` were not equivalent to `(re)(re)*`.
- [BUG #850](https://togithub.com/rust-lang/regex/issues/850):
Fix matching bug inconsistency between NFA and DFA engines.
- [BUG #921](https://togithub.com/rust-lang/regex/issues/921):
Fix matching bug where literal extraction got confused by `$`.
- [BUG #976](https://togithub.com/rust-lang/regex/issues/976):
Add documentation to replacement routines about dealing with fallibility.
- [BUG #1002](https://togithub.com/rust-lang/regex/issues/1002):
Use corpus rejection in fuzz testing.
### [`v1.8.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#184-2023-06-05)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.3...1.8.4)
\==================
This is a patch release that fixes a bug where `(?-u:\B)` was allowed in
Unicode regexes, despite the fact that the current matching engines can report
match offsets between the code units of a single UTF-8 encoded codepoint. That
in turn means that match offsets that split a codepoint could be reported,
which in turn results in panicking when one uses them to slice a `&str`.
This bug occurred in the transition to `regex 1.8` because the underlying
syntactical error that prevented this regex from compiling was intentionally
removed. That's because `(?-u:\B)` will be permitted in Unicode regexes in
`regex 1.9`, but the matching engines will guarantee to never report match
offsets that split a codepoint. When the underlying syntactical error was
removed, no code was added to ensure that `(?-u:\B)` didn't compile in the
`regex 1.8` transition release. This release, `regex 1.8.4`, adds that code
such that `Regex::new(r"(?-u:\B)")` returns to the `regex <1.8` behavior of
not compiling. (A `bytes::Regex` can still of course compile it.)
Bug fixes:
- [BUG #1006](https://togithub.com/rust-lang/regex/issues/1006):
Fix a bug where `(?-u:\B)` was allowed in Unicode regexes, and in turn could
lead to match offsets that split a codepoint in `&str`.
### [`v1.8.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#183-2023-05-25)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.2...1.8.3)
\==================
This is a patch release that fixes a bug where the regex would report a
match at every position even when it shouldn't. This could occur in a very
small subset of regexes, usually an alternation of simple literals that
have particular properties. (See the issue linked below for a more precise
description.)
Bug fixes:
- [BUG #999](https://togithub.com/rust-lang/regex/issues/999):
Fix a bug where a match at every position is erroneously reported.
### [`v1.8.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#182-2023-05-22)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.1...1.8.2)
\==================
This is a patch release that fixes a bug where regex compilation could panic
in debug mode for regexes with large counted repetitions. For example,
`a{2147483516}{2147483416}{5}` resulted in an integer overflow that wrapped
in release mode but panicking in debug mode. Despite the unintended wrapping
arithmetic in release mode, it didn't cause any other logical bugs since the
errant code was for new analysis that wasn't used yet.
Bug fixes:
- [BUG #995](https://togithub.com/rust-lang/regex/issues/995):
Fix a bug where regex compilation with large counted repetitions could panic.
### [`v1.8.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#181-2023-04-21)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.0...1.8.1)
\==================
This is a patch release that fixes a bug where a regex match could be reported
where none was found. Specifically, the bug occurs when a pattern contains some
literal prefixes that could be extracted *and* an optional word boundary in the
prefix.
Bug fixes:
- [BUG #981](https://togithub.com/rust-lang/regex/issues/981):
Fix a bug where a word boundary could interact with prefix literal
optimizations and lead to a false positive match.
### [`v1.8.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#180-2023-04-20)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.7.3...1.8.0)
\==================
This is a sizeable release that will be soon followed by another sizeable
release. Both of them will combined close over 40 existing issues and PRs.
This first release, despite its size, essentially represents preparatory work
for the second release, which will be even bigger. Namely, this release:
- Increases the MSRV to Rust 1.60.0, which was released about 1 year ago.
- Upgrades its dependency on `aho-corasick` to the recently released 1.0
version.
- Upgrades its dependency on `regex-syntax` to the simultaneously released
`0.7` version. The changes to `regex-syntax` principally revolve around a
rewrite of its literal extraction code and a number of simplifications and
optimizations to its high-level intermediate representation (HIR).
The second release, which will follow ~shortly after the release above, will
contain a soup-to-nuts rewrite of every regex engine. This will be done by
bringing [`regex-automata`](https://togithub.com/BurntSushi/regex-automata) into
this repository, and then changing the `regex` crate to be nothing but an API
shim layer on top of `regex-automata`'s API.
These tandem releases are the culmination of about 3
years of on-and-off work that [began in earnest in March
2020](https://togithub.com/rust-lang/regex/issues/656).
Because of the scale of changes involved in these releases, I would love to
hear about your experience. Especially if you notice undocumented changes in
behavior or performance changes (positive *or* negative).
Most changes in the first release are listed below. For more details, please
see the commit log, which reflects a linear and decently documented history
of all changes.
New features:
- [FEATURE #501](https://togithub.com/rust-lang/regex/issues/501):
Permit many more characters to be escaped, even if they have no significance.
More specifically, any ASCII character except for `[0-9A-Za-z<>]` can now be
escaped. Also, a new routine, `is_escapeable_character`, has been added to
`regex-syntax` to query whether a character is escapeable or not.
- [FEATURE #547](https://togithub.com/rust-lang/regex/issues/547):
Add `Regex::captures_at`. This fills a hole in the API, but doesn't otherwise
introduce any new expressive power.
- [FEATURE #595](https://togithub.com/rust-lang/regex/issues/595):
Capture group names are now Unicode-aware. They can now begin with either a `_`
or any "alphabetic" codepoint. After the first codepoint, subsequent codepoints
can be any sequence of alpha-numeric codepoints, along with `_`, `.`, `[` and
`]`. Note that replacement syntax has not changed.
- [FEATURE #810](https://togithub.com/rust-lang/regex/issues/810):
Add `Match::is_empty` and `Match::len` APIs.
- [FEATURE #905](https://togithub.com/rust-lang/regex/issues/905):
Add an `impl Default for RegexSet`, with the default being the empty set.
- [FEATURE #908](https://togithub.com/rust-lang/regex/issues/908):
A new method, `Regex::static_captures_len`, has been added which returns the
number of capture groups in the pattern if and only if every possible match
always contains the same number of matching groups.
- [FEATURE #955](https://togithub.com/rust-lang/regex/issues/955):
Named captures can now be written as `(?re)` in addition to
`(?Pre)`.
- FEATURE: `regex-syntax` now supports empty character classes.
- FEATURE: `regex-syntax` now has an optional `std` feature. (This will come
to `regex` in the second release.)
- FEATURE: The `Hir` type in `regex-syntax` has had a number of simplifications
made to it.
- FEATURE: `regex-syntax` has support for a new `R` flag for enabling CRLF
mode. This will be supported in `regex` proper in the second release.
- FEATURE: `regex-syntax` now has proper support for "regex that never
matches" via `Hir::fail()`.
- FEATURE: The `hir::literal` module of `regex-syntax` has been completely
re-worked. It now has more documentation, examples and advice.
- FEATURE: The `allow_invalid_utf8` option in `regex-syntax` has been renamed
to `utf8`, and the meaning of the boolean has been flipped.
Performance improvements:
- PERF: The upgrade to `aho-corasick 1.0` may improve performance in some
cases. It's difficult to characterize exactly which patterns this might impact,
but if there are a small number of longish (>= 4 bytes) prefix literals, then
it might be faster than before.
Bug fixes:
- [BUG #514](https://togithub.com/rust-lang/regex/issues/514):
Improve `Debug` impl for `Match` so that it doesn't show the entire haystack.
- BUGS [#516](https://togithub.com/rust-lang/regex/issues/516),
[#731](https://togithub.com/rust-lang/regex/issues/731):
Fix a number of issues with printing `Hir` values as regex patterns.
- [BUG #610](https://togithub.com/rust-lang/regex/issues/610):
Add explicit example of `foo|bar` in the regex syntax docs.
- [BUG #625](https://togithub.com/rust-lang/regex/issues/625):
Clarify that `SetMatches::len` does not (regretably) refer to the number of
matches in the set.
- [BUG #660](https://togithub.com/rust-lang/regex/issues/660):
Clarify "verbose mode" in regex syntax documentation.
- BUG [#738](https://togithub.com/rust-lang/regex/issues/738),
[#950](https://togithub.com/rust-lang/regex/issues/950):
Fix `CaptureLocations::get` so that it never panics.
- [BUG #747](https://togithub.com/rust-lang/regex/issues/747):
Clarify documentation for `Regex::shortest_match`.
- [BUG #835](https://togithub.com/rust-lang/regex/issues/835):
Fix `\p{Sc}` so that it is equivalent to `\p{Currency_Symbol}`.
- [BUG #846](https://togithub.com/rust-lang/regex/issues/846):
Add more clarifying documentation to the `CompiledTooBig` error variant.
- [BUG #854](https://togithub.com/rust-lang/regex/issues/854):
Clarify that `regex::Regex` searches as if the haystack is a sequence of
Unicode scalar values.
- [BUG #884](https://togithub.com/rust-lang/regex/issues/884):
Replace `__Nonexhaustive` variants with `#[non_exhaustive]` attribute.
- [BUG #893](https://togithub.com/rust-lang/regex/pull/893):
Optimize case folding since it can get quite slow in some pathological cases.
- [BUG #895](https://togithub.com/rust-lang/regex/issues/895):
Reject `(?-u:\W)` in `regex::Regex` APIs.
- [BUG #942](https://togithub.com/rust-lang/regex/issues/942):
Add a missing `void` keyword to indicate "no parameters" in C API.
- [BUG #965](https://togithub.com/rust-lang/regex/issues/965):
Fix `\p{Lc}` so that it is equivalent to `\p{Cased_Letter}`.
- [BUG #975](https://togithub.com/rust-lang/regex/issues/975):
Clarify documentation for `\pX` syntax.
### [`v1.7.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#173-2023-03-24)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.7.2...1.7.3)
\==================
This is a small release that fixes a bug in `Regex::shortest_match_at` that
could cause it to panic, even when the offset given is valid.
Bug fixes:
- [BUG #969](https://togithub.com/rust-lang/regex/issues/969):
Fix a bug in how the reverse DFA was called for `Regex::shortest_match_at`.
### [`v1.7.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#172-2023-03-21)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.7.1...1.7.2)
\==================
This is a small release that fixes a failing test on FreeBSD.
Bug fixes:
- [BUG #967](https://togithub.com/rust-lang/regex/issues/967):
Fix "no stack overflow" test which can fail due to the small stack size.
### [`v1.7.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#171-2023-01-09)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.7.0...1.7.1)
\==================
This release was done principally to try and fix the doc.rs rendering for the
regex crate.
Performance improvements:
- [PERF #930](https://togithub.com/rust-lang/regex/pull/930):
Optimize `replacen`. This also applies to `replace`, but not `replace_all`.
Bug fixes:
- [BUG #945](https://togithub.com/rust-lang/regex/issues/945):
Maybe fix rustdoc rendering by just bumping a new release?
### [`v1.7.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#170-2022-11-05)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.6.0...1.7.0)
\==================
This release principally includes an upgrade to Unicode 15.
New features:
- [FEATURE #832](https://togithub.com/rust-lang/regex/issues/916):
Upgrade to Unicode 15.
### [`v1.6.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#160-2022-07-05)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.6...1.6.0)
\==================
This release principally includes an upgrade to Unicode 14.
New features:
- [FEATURE #832](https://togithub.com/rust-lang/regex/pull/832):
Clarify that `Captures::len` includes all groups, not just matching groups.
- [FEATURE #857](https://togithub.com/rust-lang/regex/pull/857):
Add an `ExactSizeIterator` impl for `SubCaptureMatches`.
- [FEATURE #861](https://togithub.com/rust-lang/regex/pull/861):
Improve `RegexSet` documentation examples.
- [FEATURE #877](https://togithub.com/rust-lang/regex/issues/877):
Upgrade to Unicode 14.
Bug fixes:
- [BUG #792](https://togithub.com/rust-lang/regex/issues/792):
Fix error message rendering bug.
### [`v1.5.6`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#156-2022-05-20)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.5...1.5.6)
\==================
This release includes a few bug fixes, including a bug that produced incorrect
matches when a non-greedy `?` operator was used.
- [BUG #680](https://togithub.com/rust-lang/regex/issues/680):
Fixes a bug where `[[:alnum:][:^ascii:]]` dropped `[:alnum:]` from the class.
- [BUG #859](https://togithub.com/rust-lang/regex/issues/859):
Fixes a bug where `Hir::is_match_empty` returned `false` for `\b`.
- [BUG #862](https://togithub.com/rust-lang/regex/issues/862):
Fixes a bug where 'ab??' matches 'ab' instead of 'a' in 'ab'.
### [`v1.5.5`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#155-2022-03-08)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.4...1.5.5)
\==================
This releases fixes a security bug in the regex compiler. This bug permits a
vector for a denial-of-service attack in cases where the regex being compiled
is untrusted. There are no known problems where the regex is itself trusted,
including in cases of untrusted haystacks.
- [SECURITY #GHSA-m5pq-gvj9-9vr8](https://togithub.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8):
Fixes a bug in the regex compiler where empty sub-expressions subverted the
existing mitigations in place to enforce a size limit on compiled regexes.
The Rust Security Response WG published an advisory about this:
https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
### [`v1.5.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#154-2021-05-06)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.3...1.5.4)
\==================
This release fixes another compilation failure when building regex. This time,
the fix is for when the `pattern` feature is enabled, which only works on
nightly Rust. CI has been updated to test this case.
- [BUG #772](https://togithub.com/rust-lang/regex/pull/772):
Fix build when `pattern` feature is enabled.
### [`v1.5.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#153-2021-05-01)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.2...1.5.3)
\==================
This releases fixes a bug when building regex with only the `unicode-perl`
feature. It turns out that while CI was building this configuration, it wasn't
actually failing the overall build on a failed compilation.
- [BUG #769](https://togithub.com/rust-lang/regex/issues/769):
Fix build in `regex-syntax` when only the `unicode-perl` feature is enabled.
### [`v1.5.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#152-2021-05-01)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.1...1.5.2)
\==================
This release fixes a performance bug when Unicode word boundaries are used.
Namely, for certain regexes on certain inputs, it's possible for the lazy DFA
to stop searching (causing a fallback to a slower engine) when it doesn't
actually need to.
[PR #768](https://togithub.com/rust-lang/regex/pull/768) fixes the bug, which was
originally reported in
[ripgrep#1860](https://togithub.com/BurntSushi/ripgrep/issues/1860).
### [`v1.5.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#151-2021-04-30)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.5.0...1.5.1)
\==================
This is a patch release that fixes a compilation error when the `perf-literal`
feature is not enabled.
### [`v1.5.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#150-2021-04-30)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.6...1.5.0)
\==================
This release primarily updates to Rust 2018 (finally) and bumps the MSRV to
Rust 1.41 (from Rust 1.28). Rust 1.41 was chosen because it's still reasonably
old, and is what's in Debian stable at the time of writing.
This release also drops this crate's own bespoke substring search algorithms
in favor of a new
[`memmem` implementation provided by the `memchr` crate](https://docs.rs/memchr/2.4.0/memchr/memmem/index.html).
This will change the performance profile of some regexes, sometimes getting a
little worse, and hopefully more frequently, getting a lot better. Please
report any serious performance regressions if you find them.
### [`v1.4.6`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#146-2021-04-22)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.5...1.4.6)
\==================
This is a small patch release that fixes the compiler's size check on how much
heap memory a regex uses. Previously, the compiler did not account for the
heap usage of Unicode character classes. Now it does. It's possible that this
may make some regexes fail to compile that previously did compile. If that
happens, please file an issue.
- [BUG OSS-fuzz#33579](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33579):
Some regexes can use more heap memory than one would expect.
### [`v1.4.5`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#145-2021-03-14)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.4...1.4.5)
\==================
This is a small patch release that fixes a regression in the size of a `Regex`
in the 1.4.4 release. Prior to 1.4.4, a `Regex` was 552 bytes. In the 1.4.4
release, it was 856 bytes due to internal changes. In this release, a `Regex`
is now 16 bytes. In general, the size of a `Regex` was never something that was
on my radar, but this increased size in the 1.4.4 release seems to have crossed
a threshold and resulted in stack overflows in some programs.
- [BUG #750](https://togithub.com/rust-lang/regex/pull/750):
Fixes stack overflows seemingly caused by a large `Regex` size by decreasing
its size.
### [`v1.4.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#144-2021-03-11)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.3...1.4.4)
\==================
This is a small patch release that contains some bug fixes. Notably, it also
drops the `thread_local` (and `lazy_static`, via transitivity) dependencies.
Bug fixes:
- [BUG #362](https://togithub.com/rust-lang/regex/pull/362):
Memory leaks caused by an internal caching strategy should now be fixed.
- [BUG #576](https://togithub.com/rust-lang/regex/pull/576):
All regex types now implement `UnwindSafe` and `RefUnwindSafe`.
- [BUG #728](https://togithub.com/rust-lang/regex/pull/749):
Add missing `Replacer` impls for `Vec`, `String`, `Cow`, etc.
### [`v1.4.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#143-2021-01-08)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.2...1.4.3)
\==================
This is a small patch release that adds some missing standard trait
implementations for some types in the public API.
Bug fixes:
- [BUG #734](https://togithub.com/rust-lang/regex/pull/734):
Add `FusedIterator` and `ExactSizeIterator` impls to iterator types.
- [BUG #735](https://togithub.com/rust-lang/regex/pull/735):
Add missing `Debug` impls to public API types.
### [`v1.4.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#142-2020-11-01)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.1...1.4.2)
\==================
This is a small bug fix release that bans `\P{any}`. We previously banned empty
classes like `[^\w\W]`, but missed the `\P{any}` case. In the future, we hope
to permit empty classes.
- [BUG #722](https://togithub.com/rust-lang/regex/issues/722):
Ban `\P{any}` to avoid a panic in the regex compiler. Found by OSS-Fuzz.
### [`v1.4.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#141-2020-10-13)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.4.0...1.4.1)
\==================
This is a small bug fix release that makes `\p{cf}` work. Previously, it would
report "property not found" even though `cf` is a valid abbreviation for the
`Format` general category.
- [BUG #719](https://togithub.com/rust-lang/regex/issues/719):
Fixes bug that prevented `\p{cf}` from working.
### [`v1.4.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#140-2020-10-11)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.9...1.4.0)
\==================
This releases has a few minor documentation fixes as well as some very minor
API additions. The MSRV remains at Rust 1.28 for now, but this is intended to
increase to at least Rust 1.41.1 soon.
This release also adds support for OSS-Fuzz. Kudos to
[@DavidKorczynski](https://togithub.com/DavidKorczynski)
for doing the heavy lifting for that!
New features:
- [FEATURE #649](https://togithub.com/rust-lang/regex/issues/649):
Support `[`, `]` and `.` in capture group names.
- [FEATURE #687](https://togithub.com/rust-lang/regex/issues/687):
Add `is_empty` predicate to `RegexSet`.
- [FEATURE #689](https://togithub.com/rust-lang/regex/issues/689):
Implement `Clone` for `SubCaptureMatches`.
- [FEATURE #715](https://togithub.com/rust-lang/regex/issues/715):
Add `empty` constructor to `RegexSet` for convenience.
Bug fixes:
- [BUG #694](https://togithub.com/rust-lang/regex/issues/694):
Fix doc example for `Replacer::replace_append`.
- [BUG #698](https://togithub.com/rust-lang/regex/issues/698):
Clarify docs for `s` flag when using a `bytes::Regex`.
- [BUG #711](https://togithub.com/rust-lang/regex/issues/711):
Clarify `is_match` docs to indicate that it can match anywhere in string.
### [`v1.3.9`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#139-2020-05-28)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.8...1.3.9)
\==================
This release fixes a MSRV (Minimum Support Rust Version) regression in the
1.3.8 release. Namely, while 1.3.8 compiles on Rust 1.28, it actually does not
compile on other Rust versions, such as Rust 1.39.
Bug fixes:
- [BUG #685](https://togithub.com/rust-lang/regex/issues/685):
Remove use of `doc_comment` crate, which cannot be used before Rust 1.43.
### [`v1.3.8`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#138-2020-05-28)
[Compare Source](https://togithub.com/rust-lang/regex/compare/regex-1.3.7...1.3.8)
\==================
This release contains a couple of important bug fixes driven
by better support for empty-subexpressions in regexes. For
example, regexes like `b|` are now allowed. Major thanks to
[@sliquister](https://togithub.com/sliquister) for implementing support for this
in [#677](https://togithub.com/rust-lang/regex/pull/677).
Bug fixes:
- [BUG #523](https://togithub.com/rust-lang/regex/pull/523):
Add note to documentation that spaces can be escaped in `x` mode.
- [BUG #524](https://togithub.com/rust-lang/regex/issues/524):
Add support for empty sub-expressions, including empty alternations.
- [BUG #659](https://togithub.com/rust-lang/regex/issues/659):
Fix match bug caused by an empty sub-expression miscompilation.
### [`v1.3.7`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#137-2020-04-17)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.6...regex-1.3.7)
\==================
This release contains a small bug fix that fixes how `regex` forwards crate
features to `regex-syntax`. In particular, this will reduce recompilations in
some cases.
Bug fixes:
- [BUG #665](https://togithub.com/rust-lang/regex/pull/665):
Fix feature forwarding to `regex-syntax`.
### [`v1.3.6`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#136-2020-03-24)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.5...1.3.6)
\==================
This release contains a sizable (~30%) performance improvement when compiling
some kinds of large regular expressions.
Performance improvements:
- [PERF #657](https://togithub.com/rust-lang/regex/pull/657):
Improvement performance of compiling large regular expressions.
### [`v1.3.5`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#135-2020-03-12)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.4...1.3.5)
\==================
This release updates this crate to Unicode 13.
New features:
- [FEATURE #653](https://togithub.com/rust-lang/regex/pull/653):
Update `regex-syntax` to Unicode 13.
### [`v1.3.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#134-2020-01-30)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.3...1.3.4)
\==================
This is a small bug fix release that fixes a bug related to the scoping of
flags in a regex. Namely, before this fix, a regex like `((?i)a)b)` would
match `aB` despite the fact that `b` should not be matched case insensitively.
Bug fixes:
- [BUG #640](https://togithub.com/rust-lang/regex/issues/640):
Fix bug related to the scoping of flags in a regex.
### [`v1.3.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#133-2020-01-09)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.2...1.3.3)
\==================
This is a small maintenance release that upgrades the dependency on
`thread_local` from `0.3` to `1.0`. The minimum supported Rust version remains
at Rust 1.28.
### [`v1.3.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#132-2020-01-09)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.1...1.3.2)
\==================
This is a small maintenance release with some house cleaning and bug fixes.
New features:
- [FEATURE #631](https://togithub.com/rust-lang/regex/issues/631):
Add a `Match::range` method an a `From for Range` impl.
Bug fixes:
- [BUG #521](https://togithub.com/rust-lang/regex/issues/521):
Corrects `/-/.splitn("a", 2)` to return `["a"]` instead of `["a", ""]`.
- [BUG #594](https://togithub.com/rust-lang/regex/pull/594):
Improve error reporting when writing `\p\`.
- [BUG #627](https://togithub.com/rust-lang/regex/issues/627):
Corrects `/-/.split("a-")` to return `["a", ""]` instead of `["a"]`.
- [BUG #633](https://togithub.com/rust-lang/regex/pull/633):
Squash deprecation warnings for the `std::error::Error::description` method.
### [`v1.3.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#131-2019-09-04)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.3.0...1.3.1)
\==================
This is a maintenance release with no changes in order to try to work-around
a [docs.rs/Cargo issue](https://togithub.com/rust-lang/docs.rs/issues/400).
### [`v1.3.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#130-2019-09-03)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.2.1...1.3.0)
\==================
This release adds a plethora of new crate features that permit users of regex
to shrink its size considerably, in exchange for giving up either functionality
(such as Unicode support) or runtime performance. When all such features are
disabled, the dependency tree for `regex` shrinks to exactly 1 crate
(`regex-syntax`). More information about the new crate features can be
[found in the docs](https://docs.rs/regex/\*/#crate-features).
Note that while this is a new minor version release, the minimum supported
Rust version for this crate remains at `1.28.0`.
New features:
- [FEATURE #474](https://togithub.com/rust-lang/regex/issues/474):
The `use_std` feature has been deprecated in favor of the `std` feature.
The `use_std` feature will be removed in regex 2. Until then, `use_std` will
remain as an alias for the `std` feature.
- [FEATURE #583](https://togithub.com/rust-lang/regex/issues/583):
Add a substantial number of crate features shrinking `regex`.
### [`v1.2.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#121-2019-08-03)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.2.0...1.2.1)
\==================
This release does a bit of house cleaning. Namely:
- This repository is now using rustfmt.
- License headers have been removed from all files, in following suit with the
Rust project.
- Teddy has been removed from the `regex` crate, and is now part of the
`aho-corasick` crate.
[See `aho-corasick`'s new `packed` sub-module for details](https://docs.rs/aho-corasick/0.7.6/aho_corasick/packed/index.html).
- The `utf8-ranges` crate has been deprecated, with its functionality moving
into the
[`utf8` sub-module of `regex-syntax`](https://docs.rs/regex-syntax/0.6.11/regex_syntax/utf8/index.html).
- The `ucd-util` dependency has been dropped, in favor of implementing what
little we need inside of `regex-syntax` itself.
In general, this is part of an ongoing (long term) effort to make optimizations
in the regex engine easier to reason about. The current code is too convoluted
and thus it is very easy to introduce new bugs. This simplification effort is
the primary motivation behind re-working the `aho-corasick` crate to not only
bundle algorithms like Teddy, but to also provide regex-like match semantics
automatically.
Moving forward, the plan is to join up with the `bstr` and `regex-automata`
crates, with the former providing more sophisticated substring search
algorithms (thereby deleting existing code in `regex`) and the latter providing
ahead-of-time compiled DFAs for cases where they are inexpensive to compute.
### [`v1.2.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#120-2019-07-20)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.1.9...1.2.0)
\==================
This release updates regex's minimum supported Rust version to 1.28, which was
release almost 1 year ago. This release also updates regex's Unicode data
tables to 12.1.0.
### [`v1.1.9`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#119-2019-07-06)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.1.8...1.1.9)
\==================
This release contains a bug fix that caused regex's tests to fail, due to a
dependency on an unreleased behavior in regex-syntax.
- [BUG #593](https://togithub.com/rust-lang/regex/issues/593):
Move an integration-style test on error messages into regex-syntax.
### [`v1.1.8`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#118-2019-07-04)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.1.7...1.1.8)
\==================
This release contains a few small internal refactorings. One of which fixes
an instance of undefined behavior in a part of the SIMD code.
Bug fixes:
- [BUG #545](https://togithub.com/rust-lang/regex/issues/545):
Improves error messages when a repetition operator is used without a number.
- [BUG #588](https://togithub.com/rust-lang/regex/issues/588):
Removes use of a repr(Rust) union used for type punning in the Teddy matcher.
- [BUG #591](https://togithub.com/rust-lang/regex/issues/591):
Update docs for running benchmarks and improve failure modes.
### [`v1.1.7`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#117-2019-06-09)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.1.6...1.1.7)
\==================
This release fixes up a few warnings as a result of recent deprecations.
### [`v1.1.6`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#116-2019-04-16)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.1.5...1.1.6)
\==================
This release fixes a regression introduced by a bug fix (for
[BUG #557](https://togithub.com/rust-lang/regex/issues/557)) which could cause
the regex engine to enter an infinite loop. This bug was originally
[reported against ripgrep](https://togithub.com/BurntSushi/ripgrep/issues/1247).
### [`v1.1.5`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#115-2019-04-01)
[Compare Source](https://togithub.com/rust-lang/regex/compare/1.1.4...1.1.5)
\==================
This release fixes a bug in regex's dependency specification where it requires
a newer version of regex-syntax, but this wasn't communicated correctly in the
Cargo.toml. This would have been caught by a minimal version check, but this
check was disabled because the `rand` crate itself advertises incorrect
dependency specifications.
Bug fixes:
- [BUG #570](https://togithub.com/rust-lang/regex/pull/570):
Fix regex-syntax minimal ve
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "after 8pm,before 6am" in timezone America/Denver.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
1
->1.10.4
1
->1.10.4
Regexes with large repetitions on empty sub-expressions take a very long time to parse
CVE-2022-24713 / GHSA-m5pq-gvj9-9vr8 / RUSTSEC-2022-0013
More information
#### Details The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes. This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability. ##### Overview The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. ##### Affected versions All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5. ##### Mitigations We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes. ##### Acknowledgements We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy][1], and for helping review the fix. We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory. [1]: https://www.rust-lang.org/policies/security #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://crates.io/crates/regex](https://crates.io/crates/regex) - [https://rustsec.org/advisories/RUSTSEC-2022-0013.html](https://rustsec.org/advisories/RUSTSEC-2022-0013.html) - [https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw](https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw) This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2022-0013) and the [Rust Advisory Database](https://togithub.com/RustSec/advisory-db) ([CC0 1.0](https://togithub.com/rustsec/advisory-db/blob/main/LICENSE.txt)).Rust's regex crate vulnerable to regular expression denial of service
CVE-2022-24713 / GHSA-m5pq-gvj9-9vr8 / RUSTSEC-2022-0013
More information
#### Details > This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well. [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes. This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability. ##### Overview The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. ##### Affected versions All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5. ##### Mitigations We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes. ##### Acknowledgements We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix. We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8](https://togithub.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8) - [https://nvd.nist.gov/vuln/detail/CVE-2022-24713](https://nvd.nist.gov/vuln/detail/CVE-2022-24713) - [https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e](https://togithub.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e) - [https://github.com/rust-lang/regex](https://togithub.com/rust-lang/regex) - [https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw](https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw) - [https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html](https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html) - [https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html](https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ) - [https://rustsec.org/advisories/RUSTSEC-2022-0013.html](https://rustsec.org/advisories/RUSTSEC-2022-0013.html) - [https://security.gentoo.org/glsa/202208-08](https://security.gentoo.org/glsa/202208-08) - [https://security.gentoo.org/glsa/202208-14](https://security.gentoo.org/glsa/202208-14) - [https://www.debian.org/security/2022/dsa-5113](https://www.debian.org/security/2022/dsa-5113) - [https://www.debian.org/security/2022/dsa-5118](https://www.debian.org/security/2022/dsa-5118) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
rust-lang/regex (regex)
### [`v1.10.4`](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4) ### [`v1.10.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1103-2024-01-21) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.2...1.10.3) \=================== This is a new patch release that fixes the feature configuration of optional dependencies, and fixes an unsound use of bounds check elision. Bug fixes: - [BUG #1147](https://togithub.com/rust-lang/regex/issues/1147): Set `default-features=false` for the `memchr` and `aho-corasick` dependencies. - [BUG #1154](https://togithub.com/rust-lang/regex/pull/1154): Fix unsound bounds check elision. ### [`v1.10.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1102-2023-10-16) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.1...1.10.2) \=================== This is a new patch release that fixes a search regression where incorrect matches could be reported. Bug fixes: - [BUG #1110](https://togithub.com/rust-lang/regex/issues/1110): Revert broadening of reverse suffix literal optimization introduced in 1.10.1. ### [`v1.10.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1101-2023-10-14) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.0...1.10.1) \=================== This is a new patch release with a minor increase in the number of valid patterns and a broadening of some literal optimizations. New features: - [FEATURE 04f5d7be](https://togithub.com/rust-lang/regex/commit/04f5d7be4efc542864cc400f5d43fbea4eb9bab6): Loosen ASCII-compatible rules such that regexes like `(?-u:☃)` are now allowed. Performance improvements: - [PERF 8a8d599f](https://togithub.com/rust-lang/regex/commit/8a8d599f9d2f2d78e9ad84e4084788c2d563afa5): Broader the reverse suffix optimization to apply in more cases. ### [`v1.10.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#1100-2023-10-09) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.6...1.10.0) \=================== This is a new minor release of `regex` that adds support for start and end word boundary assertions. That is, `\<` and `\>`. The minimum supported Rust version has also been raised to 1.65, which was released about one year ago. The new word boundary assertions are: - `\<` or `\b{start}`: a Unicode start-of-word boundary (`\W|\A` on the left, `\w` on the right). - `\>` or `\b{end}`: a Unicode end-of-word boundary (`\w` on the left, `\W|\z` on the right)). - `\b{start-half}`: half of a Unicode start-of-word boundary (`\W|\A` on the left). - `\b{end-half}`: half of a Unicode end-of-word boundary (`\W|\z` on the right). The `\<` and `\>` are GNU extensions to POSIX regexes. They have been added to the `regex` crate because they enjoy somewhat broad support in other regex engines as well (for example, vim). The `\b{start}` and `\b{end}` assertions are aliases for `\<` and `\>`, respectively. The `\b{start-half}` and `\b{end-half}` assertions are not found in any other regex engine (although regex engines with general look-around support can certainly express them). They were added principally to support the implementation of word matching in grep programs, where one generally wants to be a bit more flexible in what is considered a word boundary. New features: - [FEATURE #469](https://togithub.com/rust-lang/regex/issues/469): Add support for `\<` and `\>` word boundary assertions. - [FEATURE(regex-automata) #1031](https://togithub.com/rust-lang/regex/pull/1031): DFAs now have a `start_state` method that doesn't use an `Input`. Performance improvements: - [PERF #1051](https://togithub.com/rust-lang/regex/pull/1051): Unicode character class operations have been optimized in `regex-syntax`. - [PERF #1090](https://togithub.com/rust-lang/regex/issues/1090): Make patterns containing lots of literal characters use less memory. Bug fixes: - [BUG #1046](https://togithub.com/rust-lang/regex/issues/1046): Fix a bug that could result in incorrect match spans when using a Unicode word boundary and searching non-ASCII strings. - [BUG(regex-syntax) #1047](https://togithub.com/rust-lang/regex/issues/1047): Fix panics that can occur in `Ast->Hir` translation (not reachable from `regex` crate). - [BUG(regex-syntax) #1088](https://togithub.com/rust-lang/regex/issues/1088): Remove guarantees in the API that connect the `u` flag with a specific HIR representation. `regex-automata` breaking change release: This release includes a `regex-automata 0.4.0` breaking change release, which was necessary in order to support the new word boundary assertions. For example, the `Look` enum has new variants and the `LookSet` type now uses `u32` instead of `u16` to represent a bitset of look-around assertions. These are overall very minor changes, and most users of `regex-automata` should be able to move to `0.4` from `0.3` without any changes at all. `regex-syntax` breaking change release: This release also includes a `regex-syntax 0.8.0` breaking change release, which, like `regex-automata`, was necessary in order to support the new word boundary assertions. This release also includes some changes to the `Ast` type to reduce heap usage in some cases. If you are using the `Ast` type directly, your code may require some minor modifications. Otherwise, users of `regex-syntax 0.7` should be able to migrate to `0.8` without any code changes. `regex-lite` release: The `regex-lite 0.1.1` release contains support for the new word boundary assertions. There are no breaking changes. ### [`v1.9.6`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#196-2023-09-30) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.5...1.9.6) \================== This is a patch release that fixes a panic that can occur when the default regex size limit is increased to a large number. - [BUG aa4e4c71](https://togithub.com/rust-lang/regex/commit/aa4e4c7120b0090ce0624e3c42a2ed06dd8b918a): Fix a bug where computing the maximum haystack length for the bounded backtracker could result underflow and thus provoke a panic later in a search due to a broken invariant. ### [`v1.9.5`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#195-2023-09-02) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.4...1.9.5) \================== This is a patch release that hopefully mostly fixes a performance bug that occurs when sharing a regex across multiple threads. Issue [#934](https://togithub.com/rust-lang/regex/issues/934) explains this in more detail. It is [also noted in the crate documentation](https://docs.rs/regex/latest/regex/#sharing-a-regex-across-threads-can-result-in-contention). The bug can appear when sharing a regex across multiple threads simultaneously, as might be the case when using a regex from a `OnceLock`, `lazy_static` or similar primitive. Usually high contention only results when using many threads to execute searches on small haystacks. One can avoid the contention problem entirely through one of two methods. The first is to use lower level APIs from `regex-automata` that require passing state explicitly, such as [`meta::Regex::search_with`](https://docs.rs/regex-automata/latest/regex_automata/meta/struct.Regex.html#method.search_with). The second is to clone a regex and send it to other threads explicitly. This will not use any additional memory usage compared to sharing the regex. The only downside of this approach is that it may be less convenient, for example, it won't work with things like `OnceLock` or `lazy_static` or `once_cell`. With that said, as of this release, the contention performance problems have been greatly reduced. This was achieved by changing the free-list so that it was sharded across threads, and that ensuring each sharded mutex occupies a single cache line to mitigate false sharing. So while contention may still impact performance in some cases, it should be a lot better now. Because of the changes to how the free-list works, please report any issues you find with this release. That not only includes search time regressions but also significant regressions in memory usage. Reporting improvements is also welcome as well! If possible, provide a reproduction. Bug fixes: - [BUG #934](https://togithub.com/rust-lang/regex/issues/934): Fix a performance bug where high contention on a single regex led to massive slow downs. ### [`v1.9.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#194-2023-08-26) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.3...1.9.4) \================== This is a patch release that fixes a bug where `RegexSet::is_match(..)` could incorrectly return false (even when `RegexSet::matches(..).matched_any()` returns true). Bug fixes: - [BUG #1070](https://togithub.com/rust-lang/regex/issues/1070): Fix a bug where a prefilter was incorrectly configured for a `RegexSet`. ### [`v1.9.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#193-2023-08-05) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.2...1.9.3) \================== This is a patch release that fixes a bug where some searches could result in incorrect match offsets being reported. It is difficult to characterize the types of regexes susceptible to this bug. They generally involve patterns that contain no prefix or suffix literals, but have an inner literal along with a regex prefix that can conditionally match. Bug fixes: - [BUG #1060](https://togithub.com/rust-lang/regex/issues/1060): Fix a bug with the reverse inner literal optimization reporting incorrect match offsets. ### [`v1.9.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#192-2023-08-05) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.1...1.9.2) \================== This is a patch release that fixes another memory usage regression. This particular regression occurred only when using a `RegexSet`. In some cases, much more heap memory (by one or two orders of magnitude) was allocated than in versions prior to 1.9.0. Bug fixes: - [BUG #1059](https://togithub.com/rust-lang/regex/issues/1059): Fix a memory usage regression when using a `RegexSet`. ### [`v1.9.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#191-2023-07-07) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.9.0...1.9.1) \================== This is a patch release which fixes a memory usage regression. In the regex 1.9 release, one of the internal engines used a more aggressive allocation strategy than what was done previously. This patch release reverts to the prior on-demand strategy. Bug fixes: - [BUG #1027](https://togithub.com/rust-lang/regex/issues/1027): Change the allocation strategy for the backtracker to be less aggressive. ### [`v1.9.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#190-2023-07-05) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.4...1.9.0) \================== This release marks the end of a [years long rewrite of the regex crate internals](https://togithub.com/rust-lang/regex/issues/656). Since this is such a big release, please report any issues or regressions you find. We would also love to hear about improvements as well. In addition to many internal improvements that should hopefully result in "my regex searches are faster," there have also been a few API additions: - A new `Captures::extract` method for quickly accessing the substrings that match each capture group in a regex. - A new inline flag, `R`, which enables CRLF mode. This makes `.` match any Unicode scalar value except for `\r` and `\n`, and also makes `(?m:^)` and `(?m:$)` match after and before both `\r` and `\n`, respectively, but never between a `\r` and `\n`. - `RegexBuilder::line_terminator` was added to further customize the line terminator used by `(?m:^)` and `(?m:$)` to be any arbitrary byte. - The `std` Cargo feature is now actually optional. That is, the `regex` crate can be used without the standard library. - Because `regex 1.9` may make binary size and compile times even worse, a new experimental crate called `regex-lite` has been published. It prioritizes binary size and compile times over functionality (like Unicode) and performance. It shares no code with the `regex` crate. New features: - [FEATURE #244](https://togithub.com/rust-lang/regex/issues/244): One can opt into CRLF mode via the `R` flag. e.g., `(?mR:$)` matches just before `\r\n`. - [FEATURE #259](https://togithub.com/rust-lang/regex/issues/259): Multi-pattern searches with offsets can be done with `regex-automata 0.3`. - [FEATURE #476](https://togithub.com/rust-lang/regex/issues/476): `std` is now an optional feature. `regex` may be used with only `alloc`. - [FEATURE #644](https://togithub.com/rust-lang/regex/issues/644): `RegexBuilder::line_terminator` configures how `(?m:^)` and `(?m:$)` behave. - [FEATURE #675](https://togithub.com/rust-lang/regex/issues/675): Anchored search APIs are now available in `regex-automata 0.3`. - [FEATURE #824](https://togithub.com/rust-lang/regex/issues/824): Add new `Captures::extract` method for easier capture group access. - [FEATURE #961](https://togithub.com/rust-lang/regex/issues/961): Add `regex-lite` crate with smaller binary sizes and faster compile times. - [FEATURE #1022](https://togithub.com/rust-lang/regex/pull/1022): Add `TryFrom` implementations for the `Regex` type. Performance improvements: - [PERF #68](https://togithub.com/rust-lang/regex/issues/68): Added a one-pass DFA engine for faster capture group matching. - [PERF #510](https://togithub.com/rust-lang/regex/issues/510): Inner literals are now used to accelerate searches, e.g., `\w+@\w+` will scan for `@`. - [PERF #787](https://togithub.com/rust-lang/regex/issues/787), [PERF #891](https://togithub.com/rust-lang/regex/issues/891): Makes literal optimizations apply to regexes of the form `\b(foo|bar|quux)\b`. (There are many more performance improvements as well, but not all of them have specific issues devoted to them.) Bug fixes: - [BUG #429](https://togithub.com/rust-lang/regex/issues/429): Fix matching bugs related to `\B` and inconsistencies across internal engines. - [BUG #517](https://togithub.com/rust-lang/regex/issues/517): Fix matching bug with capture groups. - [BUG #579](https://togithub.com/rust-lang/regex/issues/579): Fix matching bug with word boundaries. - [BUG #779](https://togithub.com/rust-lang/regex/issues/779): Fix bug where some regexes like `(re)+` were not equivalent to `(re)(re)*`. - [BUG #850](https://togithub.com/rust-lang/regex/issues/850): Fix matching bug inconsistency between NFA and DFA engines. - [BUG #921](https://togithub.com/rust-lang/regex/issues/921): Fix matching bug where literal extraction got confused by `$`. - [BUG #976](https://togithub.com/rust-lang/regex/issues/976): Add documentation to replacement routines about dealing with fallibility. - [BUG #1002](https://togithub.com/rust-lang/regex/issues/1002): Use corpus rejection in fuzz testing. ### [`v1.8.4`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#184-2023-06-05) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.3...1.8.4) \================== This is a patch release that fixes a bug where `(?-u:\B)` was allowed in Unicode regexes, despite the fact that the current matching engines can report match offsets between the code units of a single UTF-8 encoded codepoint. That in turn means that match offsets that split a codepoint could be reported, which in turn results in panicking when one uses them to slice a `&str`. This bug occurred in the transition to `regex 1.8` because the underlying syntactical error that prevented this regex from compiling was intentionally removed. That's because `(?-u:\B)` will be permitted in Unicode regexes in `regex 1.9`, but the matching engines will guarantee to never report match offsets that split a codepoint. When the underlying syntactical error was removed, no code was added to ensure that `(?-u:\B)` didn't compile in the `regex 1.8` transition release. This release, `regex 1.8.4`, adds that code such that `Regex::new(r"(?-u:\B)")` returns to the `regex <1.8` behavior of not compiling. (A `bytes::Regex` can still of course compile it.) Bug fixes: - [BUG #1006](https://togithub.com/rust-lang/regex/issues/1006): Fix a bug where `(?-u:\B)` was allowed in Unicode regexes, and in turn could lead to match offsets that split a codepoint in `&str`. ### [`v1.8.3`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#183-2023-05-25) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.2...1.8.3) \================== This is a patch release that fixes a bug where the regex would report a match at every position even when it shouldn't. This could occur in a very small subset of regexes, usually an alternation of simple literals that have particular properties. (See the issue linked below for a more precise description.) Bug fixes: - [BUG #999](https://togithub.com/rust-lang/regex/issues/999): Fix a bug where a match at every position is erroneously reported. ### [`v1.8.2`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#182-2023-05-22) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.1...1.8.2) \================== This is a patch release that fixes a bug where regex compilation could panic in debug mode for regexes with large counted repetitions. For example, `a{2147483516}{2147483416}{5}` resulted in an integer overflow that wrapped in release mode but panicking in debug mode. Despite the unintended wrapping arithmetic in release mode, it didn't cause any other logical bugs since the errant code was for new analysis that wasn't used yet. Bug fixes: - [BUG #995](https://togithub.com/rust-lang/regex/issues/995): Fix a bug where regex compilation with large counted repetitions could panic. ### [`v1.8.1`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#181-2023-04-21) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.8.0...1.8.1) \================== This is a patch release that fixes a bug where a regex match could be reported where none was found. Specifically, the bug occurs when a pattern contains some literal prefixes that could be extracted *and* an optional word boundary in the prefix. Bug fixes: - [BUG #981](https://togithub.com/rust-lang/regex/issues/981): Fix a bug where a word boundary could interact with prefix literal optimizations and lead to a false positive match. ### [`v1.8.0`](https://togithub.com/rust-lang/regex/blob/HEAD/CHANGELOG.md#180-2023-04-20) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.7.3...1.8.0) \================== This is a sizeable release that will be soon followed by another sizeable release. Both of them will combined close over 40 existing issues and PRs. This first release, despite its size, essentially represents preparatory work for the second release, which will be even bigger. Namely, this release: - Increases the MSRV to Rust 1.60.0, which was released about 1 year ago. - Upgrades its dependency on `aho-corasick` to the recently released 1.0 version. - Upgrades its dependency on `regex-syntax` to the simultaneously released `0.7` version. The changes to `regex-syntax` principally revolve around a rewrite of its literal extraction code and a number of simplifications and optimizations to its high-level intermediate representation (HIR). The second release, which will follow ~shortly after the release above, will contain a soup-to-nuts rewrite of every regex engine. This will be done by bringing [`regex-automata`](https://togithub.com/BurntSushi/regex-automata) into this repository, and then changing the `regex` crate to be nothing but an API shim layer on top of `regex-automata`'s API. These tandem releases are the culmination of about 3 years of on-and-off work that [began in earnest in March 2020](https://togithub.com/rust-lang/regex/issues/656). Because of the scale of changes involved in these releases, I would love to hear about your experience. Especially if you notice undocumented changes in behavior or performance changes (positive *or* negative). Most changes in the first release are listed below. For more details, please see the commit log, which reflects a linear and decently documented history of all changes. New features: - [FEATURE #501](https://togithub.com/rust-lang/regex/issues/501): Permit many more characters to be escaped, even if they have no significance. More specifically, any ASCII character except for `[0-9A-Za-z<>]` can now be escaped. Also, a new routine, `is_escapeable_character`, has been added to `regex-syntax` to query whether a character is escapeable or not. - [FEATURE #547](https://togithub.com/rust-lang/regex/issues/547): Add `Regex::captures_at`. This fills a hole in the API, but doesn't otherwise introduce any new expressive power. - [FEATURE #595](https://togithub.com/rust-lang/regex/issues/595): Capture group names are now Unicode-aware. They can now begin with either a `_` or any "alphabetic" codepoint. After the first codepoint, subsequent codepoints can be any sequence of alpha-numeric codepoints, along with `_`, `.`, `[` and `]`. Note that replacement syntax has not changed. - [FEATURE #810](https://togithub.com/rust-lang/regex/issues/810): Add `Match::is_empty` and `Match::len` APIs. - [FEATURE #905](https://togithub.com/rust-lang/regex/issues/905): Add an `impl Default for RegexSet`, with the default being the empty set. - [FEATURE #908](https://togithub.com/rust-lang/regex/issues/908): A new method, `Regex::static_captures_len`, has been added which returns the number of capture groups in the pattern if and only if every possible match always contains the same number of matching groups. - [FEATURE #955](https://togithub.com/rust-lang/regex/issues/955): Named captures can now be written as `(?Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "after 8pm,before 6am" in timezone America/Denver.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.