
mmmsssttt404

Steps to reproduce
Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

const email = person.match(/<([^>]+)>/);

const url = person.match(/\(([^\)]+)\)/);

1. git clone https://github.com/mmmsssttt404/yarn.git
2. yarn install
3. yarn test __tests__/normalize-manifest.js

use time:

Proposed Solution:
Change the regular expression to
https://github.com/mmmsssttt404/yarn/blob/b0daafb372d6eaee89495c063f7f2631ded7dc62/src/util/normalize-manifest/util.js#L57-L65


Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS
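A linear-time alternative to the two regexes quoted in the report, added here as an illustration (not the reporter's proposed patch and not yarn's own code); `extractDelimited` and `parsePerson` are names this example assumes, and it generalizes to any single-character delimiter pair rather than only `<>` and `()`.

```javascript
// Added example, not project code: replace the backtracking-prone regexes
// /<([^>]+)>/ and /\(([^\)]+)\)/ with a scan whose indices only move forward.

// Return the text between the first `open` that is followed by a non-empty run
// of non-`close` characters and then a `close`, or null. This is what the
// original regexes match, but every indexOf call resumes past the previous
// position, so total cost is O(n) instead of the O(n^2) backtracking that
// inputs like "<<<<<…" (no closing ">") trigger with [^>]+.
function extractDelimited(str, open, close) {
  let from = 0;
  for (;;) {
    const i = str.indexOf(open, from);
    if (i === -1) return null;                 // no opener left
    const j = str.indexOf(close, i + 1);
    if (j === -1) return null;                 // no closer after any later opener either
    if (j > i + 1) return str.slice(i + 1, j); // non-empty body, same as [^>]+
    from = j + 1;                              // "<>" has an empty body; skip past it
  }
}

// Reference behaviour using the regexes from the report, kept only to check
// that the linear version agrees with it on ordinary manifest data.
function extractWithRegex(person) {
  const email = person.match(/<([^>]+)>/);
  const url = person.match(/\(([^\)]+)\)/);
  return { email: email ? email[1] : null, url: url ? url[1] : null };
}

// Linear-time parse of a "Name <email> (url)" person string.
function parsePerson(person) {
  return {
    email: extractDelimited(person, '<', '>'),
    url: extractDelimited(person, '(', ')'),
  };
}

// Constructed sample inputs, including the edge cases the regexes treat specially.
const SAMPLES = [
  'Jane Doe <jane@example.com> (https://example.com)',
  'No Email (https://example.com)',
  'Empty <> then <real@example.com>',
  'Unclosed <jane@example.com (https://example.com',
  '',
];
```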

@mmmsssttt404

Benchmarks show clear quadratic growth with input size, not linear. Even at ~100k chars, runtime reaches several seconds. ReDoS does not require exponential blowup — polynomial behavior is already recognized as exploitable.
