docs/solutions/security-issues/2026-04-24-media-video-url-parser-redos.md
@platejs/media used js-video-url-parser for a small public helper surface. That package is flagged by CVE-2026-5986 for inefficient regex behavior in time parameter parsing.
Calling `parseVideoUrl('https://www.youtube.com/watch?v=M7lc1UVf-VE&t=111...x')` on the pinned `js-video-url-parser` release can spend hundreds of milliseconds before returning.

The dependency is declared in `packages/media/package.json` and `pnpm-lock.yaml`.

Remove the dependency and keep Plate's documented provider surface in local code:
```ts
// Inside the local parseVideoUrl(url): `provider` and `embedUrl` were resolved
// from the hostname earlier, and `parsers` maps each provider to a small
// host/path parser that returns the video id from a parsed URL.
const parsedUrl = new URL(url);
const id = parsers[provider](parsedUrl);
return {
  id,
  provider,
  sourceKind: 'url',
  sourceUrl: embedUrl === url ? undefined : url,
  url: embedUrl,
};
```
Cover the replacement with provider variants from upstream tests and a timing regression:
```ts
const url = `https://www.youtube.com/watch?v=M7lc1UVf-VE&t=${'1'.repeat(25)}x`;
const start = performance.now();
expect(parseVideoUrl(url)?.id).toBe('M7lc1UVf-VE');
expect(performance.now() - start).toBeLessThan(100);
```
Then run `pnpm install` so `pnpm-lock.yaml` drops the vulnerable package.
The vulnerable code path lives in the third-party package's `getTime` regex parsing. Plate does not need generic provider metadata or time parsing; it only needs stable provider IDs and canonical embed URLs. The `URL` API plus small host/path parsers removes the risky regex engine path and keeps the package graph clean.
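The approach described above, as an added example that is not Plate's own code: a regex-free `parseVideoUrl` built on the `URL` API, where the `t=` query parameter is never inspected, so the pathological time value costs nothing beyond URL parsing. The provider names, host lists, id shapes and embed URL formats are assumptions for the example.

```typescript
// Added example (not Plate's code): regex-free provider parsing on the WHATWG URL API.
// Assumed: providers 'youtube' and 'vimeo', the host lists and embed URL shapes below.
type Provider = 'youtube' | 'vimeo';

interface ParsedVideoUrl {
  id: string;
  provider: Provider;
  sourceKind: 'url';
  sourceUrl?: string;
  url: string;
}

const HOSTS: Record<string, Provider> = {
  'youtube.com': 'youtube', 'www.youtube.com': 'youtube',
  'm.youtube.com': 'youtube', 'youtu.be': 'youtube',
  'vimeo.com': 'vimeo', 'www.vimeo.com': 'vimeo', 'player.vimeo.com': 'vimeo',
};

// Id validators: one anchored character class with a bounded count, so matching is linear.
const ID_SHAPE: Record<Provider, RegExp> = { youtube: /^[\w-]{11}$/, vimeo: /^\d{1,20}$/ };

function youtubeId(u: URL): string | undefined {
  const seg = u.pathname.split('/').filter(Boolean);
  if (u.hostname === 'youtu.be') return seg[0];
  if (seg[0] === 'embed' || seg[0] === 'shorts' || seg[0] === 'v') return seg[1];
  return u.searchParams.get('v') ?? undefined; // `t=` and other params are ignored
}

function vimeoId(u: URL): string | undefined {
  const seg = u.pathname.split('/').filter(Boolean);
  return seg[0] === 'video' ? seg[1] : seg[0]; // vimeo.com/ID or player.vimeo.com/video/ID
}

const parsers: Record<Provider, (u: URL) => string | undefined> = { youtube: youtubeId, vimeo: vimeoId };

function parseVideoUrl(url: string): ParsedVideoUrl | undefined {
  let parsedUrl: URL;
  try { parsedUrl = new URL(url); } catch { return undefined; } // malformed input: no match
  const provider = HOSTS[parsedUrl.hostname.toLowerCase()];
  if (!provider) return undefined;
  const id = parsers[provider](parsedUrl);
  if (!id || !ID_SHAPE[provider].test(id)) return undefined;
  const embedUrl = provider === 'youtube'
    ? `https://www.youtube.com/embed/${id}`
    : `https://player.vimeo.com/video/${id}`;
  return { id, provider, sourceKind: 'url', sourceUrl: embedUrl === url ? undefined : url, url: embedUrl };
}
```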