RE2JS quietly ports one of Google's most disciplined regex engines to JavaScript — and almost nobody noticed.
A Node.js app crashed in production last year because a single malformed input string fed into a regex took 47 seconds to return. The fix was two lines of code and a library change. Most teams never find that library.
Setting
Regular expressions are everywhere — search boxes, form validators, log parsers, route matchers. JavaScript's built-in regex engine (the one baked into every browser and Node.js runtime) is fast for normal inputs, but it has a known structural weakness: certain patterns, when given adversarial input, can cause catastrophic backtracking. The engine keeps retrying combinations exponentially, and the whole process grinds to a halt. This class of attack has a name — ReDoS (Regular Expression Denial of Service) — and it has taken down real production services.
Google built RE2 to solve this at the algorithm level. RE2 guarantees linear time matching: no matter how crafted or malicious the input, the match time scales with input length, not with the complexity of backtracking paths. The catch: RE2 is written in C++. Using it in JavaScript meant going through native bindings or WebAssembly wrappers, which adds friction, dependency weight, and platform headaches.
le0pard/re2js is a pure JavaScript port of RE2 — no native modules, no WASM, just JavaScript that runs in the browser and in Node.js equally. The project has a homepage with a live playground at re2js.leopard.in.ua. It has 188 stars. It deserves more attention than that number suggests.
The Story
Here is a concrete situation where this matters. Suppose you are building a SaaS app that lets users define their own search filters using regex patterns — think log analysis tools, content moderation pipelines, or data extraction dashboards. You cannot control what patterns users write. A user pastes in (a+)+ and runs it against a long string of a's. With the native JavaScript engine, that pattern on a 30-character input can run for seconds. On a server handling concurrent requests, one bad pattern becomes everyone's problem.
Swapping in RE2JS means the same pattern runs and returns in microseconds, regardless of input. The API is intentionally close to JavaScript's native RegExp, so the migration surface is small. You create a RE2 object instead of a RegExp object, call .match() or .test() the same way, and get back results in the same shape. For most use cases, the diff is nearly mechanical.
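The difference between the two matching strategies, as an added example that is not from the original post or from the RE2JS code base: it hand-compiles `^(a+)+$` into a four-instruction program and counts the steps a backtracking executor takes versus a state-set simulation of the kind linear-time engines rely on. The `^`/`$` anchoring and the trailing `!` in the input are assumptions added here so the match must fail; the names `PROG`, `backtrack` and `simulate` are hypothetical, and neither function calls the RE2JS API.

```javascript
// Hand-compiled program for ^(a+)+$ (constructed for this example).
const PROG = [
  { op: 'char', c: 'a' },      // 0: consume one 'a'
  { op: 'split', x: 0, y: 2 }, // 1: inner a+      : repeat or leave
  { op: 'split', x: 0, y: 3 }, // 2: outer (...)+  : repeat or leave
  { op: 'match' },             // 3: succeed only at end of input
];

// Strategy 1: backtracking. Follows one path at a time and rewinds on failure,
// so the same (instruction, position) pair is revisited over and over.
function backtrack(input) {
  let steps = 0;
  const run = (pc, i) => {
    steps++;
    const ins = PROG[pc];
    if (ins.op === 'match') return i === input.length;
    if (ins.op === 'char') return input[i] === ins.c && run(pc + 1, i + 1);
    return run(ins.x, i) || run(ins.y, i);
  };
  return { matched: run(0, 0), steps };
}

// Strategy 2: state-set simulation. Advances every live instruction in
// lockstep, one input character at a time, and never rewinds.
function simulate(input) {
  let steps = 0;
  const add = (set, pc) => {
    if (set.has(pc)) return; // deduplication is what bounds the work
    set.add(pc);
    steps++;
    const ins = PROG[pc];
    if (ins.op === 'split') { add(set, ins.x); add(set, ins.y); }
  };
  let current = new Set();
  add(current, 0);
  for (const ch of input) {
    const next = new Set();
    for (const pc of current) {
      const ins = PROG[pc];
      if (ins.op === 'char' && ins.c === ch) add(next, pc + 1);
    }
    current = next;
  }
  return { matched: current.has(3), steps };
}

// Constructed input: n 'a's plus one character that forces the match to fail.
for (const n of [5, 10, 15, 20]) {
  const input = 'a'.repeat(n) + '!';
  console.log(n, backtrack(input).steps, simulate(input).steps);
}
```

For this program the backtracking step count is 5*2^n - 4, doubling with every extra `a`, while the simulation takes 4n + 1 steps.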
The library targets both browser and Node.js environments, which is a meaningful design decision. A lot of ReDoS protection tools are server-only. RE2JS means you can validate regex safety on the client too — useful if you are building tooling where users author patterns in a UI before those patterns ever reach your backend.
The commit history shows consistent maintenance. The last push was in May 2026. Issues are responded to. The codebase is not abandoned side-project energy — it reads like something the author actually depends on.
The Insight
188 stars for a project that solves a real, documented security class in pure JavaScript is a signal worth examining. The likely culprits: the name re2js is not immediately searchable for someone who does not already know what RE2 is; the problem it solves (ReDoS) is invisible until it bites you; and the project does not have the marketing apparatus of a funded open-source product.
This is the pattern with underrated repos. They do not fail on quality. They fail on discoverability. The code here is disciplined, the scope is narrow and well-defined, the API surface is intentional. None of that shows up in a star count.
If you work on any system where user-provided regex patterns are evaluated — and more systems do this than people realize — this library is the kind of quiet infrastructure that earns its place in a package.json and then disappears from your worry list entirely. That is what good tools do.
Calm, focused, ships on time. Worth a star.
Underrated tools like this one get a second look at teum.io/stories — where the metric is quality, not popularity.
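Summary
RE2JS is a library that ports Google's RE2 regular expression engine to pure JavaScript. Any service that lets users enter their own regular expressions can be exposed to ReDoS (regular expression denial of service), and RE2JS blocks this structurally through linear-time matching. It supports both the browser and Node.js, and it can be used almost identically to the existing RegExp API, so the migration burden is small. It is a repo with only 188 stars, but the actual code quality and maintenance status tell a completely different story from that number.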
