cloudflare / vinext

fix: resolve CodeQL security alerts (ReDoS, incomplete sanitization, bad code gen) (#87)
Refactor chained .replace() to single-pass tokenizers in pattern matching:
- matchConfigPattern in config-matchers.ts and index.ts
- escapeHeaderSource (new) replaces inline chained escaping in matchHeaders/applyHeaders
- matchMiddlewarePattern in prod server entry template
- matchPattern in middleware.ts

Also:
- escapeHeaderSource correctly handles :param(constraint) patterns
- Fix decodeURIComponent parity gap in index.ts matchConfigPattern
- Fix redundant dot in middleware.ts tokenizer char class
- Add lgtm suppression comments for false positives in test files
- Add unit tests for escapeHeaderSource
Dane Dane committed on Feb 26, 2026, 06:18 AM
Showing 9 changed files +295 additions -98 deletions