fix(security): mitigate ReDoS in compile-dots.js by avoiding regex match on tainted code #2591

Open

hdsenevi wants to merge 1 commit into ajv-validator:v6 from hdsenevi:fix/redos-attach-on-v6

Conversation

@hdsenevi

What issue does this pull request resolve?

  • This PR fixes a Regular Expression Denial of Service (ReDoS) (CWE-400) reported by Snyk in scripts/compile-dots.js. The script compiles doT templates and its input (paths and template output) can be influenced by command-line arguments. That input was passed into code.match(regexp) and into a regex using a greedy [^;]+, which could lead to excessive backtracking on crafted or large input and cause the script to hang. The PR removes that vulnerable pattern and makes the remaining regex safe so the ReDoS finding is resolved.

What changes did you make?

  • Replace regex-based counting with indexOf/split so tainted template output is never passed to .match(), addressing the ReDoS finding.
  • Use lazy quantifier [^;]*? in the remove-unused-var regex to avoid catastrophic backtracking.
  • Derive ERROR_KEYWORD_STR from ERROR_KEYWORD and use it in removeAlwaysFalsyInOr instead of the '$errorKeyword' literal.
  • Remove the occurrences() helper; counting is now done inline without regex on user-influenced code.

Is there anything that requires more attention while reviewing?

@paroczigergo

We are really waiting for this to be released! Thank you @hdsenevi for the quick fix!

hdsenevi force-pushed the fix/redos-attach-on-v6 branch from 038f516 to 7d27d66 on February 22, 2026 04:58

@hdsenevi (Author) commented Feb 22, 2026

Hi @epoberezkin, I see PR #2588 was closed in favor of #2590. The ReDoS issue still appears to be present in ajv@6.14.0.

This PR proposes a fix for that.

Verification

I verified the vulnerability and the fix locally with the Snyk CLI:

Before:
before-snyk-vuls-high.log

 ✗ [HIGH] Regular Expression Denial of Service (ReDoS)
   Path: scripts/compile-dots.js, line 71
   Info: Unsanitized user input from a command line argument flows into match, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

After:
after-snyk-vuls-high.log

Happy to adjust the approach or wording if you’d prefer a different direction for the v6 branch.
