From d2d4cb67d2ed4cf19e3313c224673e94d9299fd1 Mon Sep 17 00:00:00 2001
From: claude-code-best
Date: Sun, 14 Jun 2026 17:57:52 +0800
Subject: [PATCH] fix: prevent ReDoS in extractMeta regex by anchoring to splice boundary

Co-Authored-By: deepseek-v4-pro
---
 packages/workflow-engine/src/engine/script.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/packages/workflow-engine/src/engine/script.ts b/packages/workflow-engine/src/engine/script.ts
index 6cf4cb85a..28a41a5fd 100644
--- a/packages/workflow-engine/src/engine/script.ts
+++ b/packages/workflow-engine/src/engine/script.ts
@@ -86,10 +86,9 @@ export function extractMeta(source: string): {
 const meta = validateMeta(metaObj)
 
 // Strip the meta statement (including trailing semicolon and extra blank lines)
- const body = (source.slice(0, match.index) + source.slice(i)).replace(
- /[ \t]*;[ \t]*\n/,
- '\n',
- )
+ const body =
+ source.slice(0, match.index) +
+ source.slice(i).replace(/^[ \t]*;[ \t]*\n/, '\n')
 
 return { meta, body }
 }
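Review bot: The anchored pattern on the `source.slice(i).replace(...)` line still requires a bare `\n` right after the semicolon, so a script with CRLF line endings, or one whose meta statement ends the file without a trailing newline, keeps the stray `;` at the start of `body`. Anchoring with `^` (no `m` flag) does confine the match to the splice point, which removes the repeated rescans of long space/tab runs that the old unanchored pattern allowed, and it also stops the replace from removing a `;` that sits in the text before `match.index`. If the leftover semicolon matters to whatever consumes `body`, `.replace(/^[ \t]*;[ \t]*(?:\r?\n|$)/, '\n')` keeps the anchor and covers both cases. The commit touches only this file, so a regression test that feeds `extractMeta` a source with a very long run of spaces and tabs after the meta object would pin the fix. `match` and `i` are set earlier in `extractMeta`, outside the hunk, so it is assumed here that `i` always lands directly after the meta object literal.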