ansi-regex known bugs

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes. **Proof of Concept** ```js import ansiRegex from 'ansi-regex'; for(var i = 1; i <= 50000; i++) { var time = Date.now(); var attack_str = "\u001B["+";".repeat(i*10000); ansiRegex().test(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } ``` The ReDOS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`

"man" command in Linux will produce many escape codes. All of escape codes but this first string "\u001b[?1049h\u001b[?1h\u001b=" can be matched by ansi-regex. I use strip-ansi to trim "\u001b[?1049h\u001b[?1h\u001b=" ,and get this result "[?1049h[?1h=", not "".

Hey, thanks for this useful tool! If I understand correctly, the following escape codes should be stripped by `strip-ansi`, right? ```js const esc = require('ansi-escapes') const stripAnsi = require('strip-ansi') esc.scrollDown // '\u001b[T' stripAnsi(esc.scrollDown) // '\u001b[T' esc.beep // '\u0007' stripAnsi(esc.beep) // '\u0007' ``` `clearScreen` gets stripped though: ```js esc.clearScreen // '\u001bc' stripAnsi(esc.clearScreen) // '' ```

Hello, according to links below, the following sequence instruct the terminal to set window title and icon: ``` \u001b]0;sg@tota:~/git/\u0007 ``` and strip-ansi is not removing it In other words I expect ``` stripAnsi('\u001b]0;sg@tota:~/git/\u0007\u001b[01;32m[sg@tota\u001b[01;37m misc-tests\u001b[01;32m]$') ``` to return the string: ``` [sg@tota misc-tests]$ ``` This is very common in xterm based linux stdout to print the prompt. Thanks BTW this is great project! keep it up! References: http://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h2-Title-Modes https://unix.stackexchange.com/questions/288996/what-u001b0kubajcubic-u0007-escape-code-do failing test PR https://github.com/chalk/ansi-regex/pull/22/files

This bug only appears on `iTerm 2`. ### How to reproduce ```javascript const terminalLink = require('terminal-link'); const stripAnsi = require('strip-ansi'); const link = terminalLink('click', 'https://github.com', {fallback: text => text}); console.log(stripAnsi(link)); ``` ### Expected ouput ``` click ``` ### Actual output ``` ttps://github.com/sindresorhusclick ```

Today I was working with the regex and noticed that [`cursorSave`](https://github.com/sindresorhus/ansi-escapes/blob/main/index.js#L49) and [`cursorRestore` ](https://github.com/sindresorhus/ansi-escapes/blob/main/index.js#L50) don't get stripped with `strip-ansi`. I didn't check the other use cases yet, but wanted to make sure first that it is correct what I assume here. It is the case, happy to send a PR.

The library breaks for ANSI links that include + characters: No + characters: ```js // you can generate this string via ansiEscapes.link(text, url) from the ansi-escapes npm lib let str = "\u001b]8;;https://www.example.com/?q=hello\u0007hello\u001b]8;;\u0007"; console.log(str.replace(ansiRegex(), '')); // expected: hello // observed: hello ``` With + characters: ```js // you can generate this string via ansiEscapes.link(text, url) from the ansi-escapes npm lib let str = "\u001b]8;;https://www.example.com/?q=hello+world\u0007hello\u001b]8;;\u0007"; console.log(str.replace(ansiRegex(), '')); // expected: hello // observed: ttps://www.example.com/?q=hello+worldhello ```

The package was compromised and malicious code added. --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (2777701ac1bf8726f2ea353b404c7d765ea3eb7bf0506207db828590ade1bf6e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.