CVE-2022-25918

### Impact This impacts users that use shescape to escape arguments: - for the Unix shell Bash, or any not-officially-supported Unix shell; - using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example: ```javascript import * as shescape from "shescape"; /* 1. Prerequisites */ const options = { interpolation: true, // and shell: "/bin/bash", // or shell: "some-not-officially-supported-shell", // or shell: undefined, // Only if the system's default shell is bash or an unsupported shell. }; /* 2. Attack */ let userInput = '{,'.repeat(150_000); // polynomial backtracking /* 3. Usage */ shescape.escape(userInput, options); // or shescape.escapeAll([userInput], options); ``` ### Patches This bug has been patched in [v1.6.1](https://github.com/...