Description
Description of the issue
The GitHub hosted runners switched from 2.20.1 to 2.20.2, and now the RegExpInjection
rule takes 6ish hours on the TypeScript repo.
Before: https://github.com/microsoft/TypeScript/actions/runs/12920012966/job/36031579264
[80/90] Loaded /opt/hostedtoolcache/CodeQL/2.20.1/x64/codeql/qlpacks/codeql/javascript-queries/1.2.6/Security/CWE-730/RegExpInjection.qlx.
[89/90 eval 2m9s] Evaluation done; writing results to codeql/javascript-queries/Security/CWE-730/RegExpInjection.bqrs.
After: https://github.com/microsoft/TypeScript/actions/runs/12937825177/job/36086609739?pr=61034
[62/90] Loaded /opt/hostedtoolcache/CodeQL/2.20.2/x64/codeql/qlpacks/codeql/javascript-queries/1.3.0/Security/CWE-730/RegExpInjection.qlx.
[90/90 eval 317m7s] Evaluation done; writing results to codeql/javascript-queries/Security/CWE-730/RegExpInjection.bqrs.
I suspect this is due to the TypeScript compiler generating RegExp instances at runtime in order to implement file globbing; their inputs are technically from user input, but it's parsed out and constructed from known syntax with limitations. Even if these were poorly constructed, this is not a security problem; it just makes a user's own compilation slow.
The changelog for 2.20.2 mentions this, so it's possible the analysis is running away.
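
One way to catch this kind of per-query slowdown automatically when the CodeQL bundle changes, as an added example that is not part of the original issue: it parses the "Evaluation done" lines quoted above from two runs and reports queries whose evaluation time grew sharply. The `h` duration unit, the thresholds, and the second log line in each sample are assumptions made for the example.

```python
import re

# Matches the "Evaluation done" lines shown in the issue, e.g.
# [89/90 eval 2m9s] Evaluation done; writing results to <path>.bqrs.
LINE_RE = re.compile(
    r"\[\d+/\d+ eval (?P<dur>[0-9hms]+)\] Evaluation done; "
    r"writing results to (?P<query>\S+)\.bqrs\."
)
DUR_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_duration(text):
    """Convert '317m7s' or '2m9s' to seconds. The 'h' unit is an assumption."""
    m = DUR_RE.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def eval_times(log_text):
    """Map query path -> evaluation seconds for one run's log."""
    return {m["query"]: parse_duration(m["dur"]) for m in LINE_RE.finditer(log_text)}


def regressions(before, after, ratio=5.0, min_seconds=60):
    """Queries whose eval time grew by at least `ratio` (thresholds are assumptions)."""
    old, new = eval_times(before), eval_times(after)
    out = []
    for q in old.keys() & new.keys():
        if new[q] >= min_seconds and new[q] >= ratio * max(old[q], 1):
            out.append((q, old[q], new[q]))
    return sorted(out, key=lambda r: r[2] / max(r[1], 1), reverse=True)


# First line of each log is copied from the issue; the second is constructed.
BEFORE = """\
[89/90 eval 2m9s] Evaluation done; writing results to codeql/javascript-queries/Security/CWE-730/RegExpInjection.bqrs.
[90/90 eval 45s] Evaluation done; writing results to constructed/Example.bqrs.
"""
AFTER = """\
[90/90 eval 317m7s] Evaluation done; writing results to codeql/javascript-queries/Security/CWE-730/RegExpInjection.bqrs.
[61/90 eval 50s] Evaluation done; writing results to constructed/Example.bqrs.
"""

if __name__ == "__main__":
    for query, old_s, new_s in regressions(BEFORE, AFTER):
        print(f"{query}: {old_s}s -> {new_s}s ({new_s / old_s:.0f}x)")
```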