fix: potential quadratic runtime in regular expression (#240)

Author: ericcornelissen

packages/plugin-kit/src/config-comment-parser.js

@@ -155,7 +155,7 @@ export class ConfigCommentParser {
 		 * But we are supporting that. So this is a fallback for that.
 		 */
 		const normalizedString = string
-			.replace(/([-a-zA-Z0-9/]+):/gu, '"$1":')
+			.replace(/(?<![-a-zA-Z0-9/])([-a-zA-Z0-9/]+):/gu, '"$1":')
 			.replace(/(\]|[0-9])\s+(?=")/u, "$1,");
 
 		try {

packages/plugin-kit/tests/config-comment-parser.test.js

@@ -254,6 +254,11 @@ describe("ConfigCommentParser", () => {
 				},
 			});
 		});
+
+		it("should not timeout for large inputs", () => {
+			const code = `${"A".repeat(100_000)}?: 1 B: 2`;
+			commentParser.parseJSONLikeConfig(code);
+		});
 	});
 
 	describe("parseDirective", () => {