
Comment by jumploops

3 months ago

I dealt with this exact situation yesterday using o3.

For context, we use a PR bot that analyzes diffs for vulnerabilities.

I gave the PR bot's response to o3, and it gave a code patch and even suggested a comment for the "security reviewer":

> “The two regexes are linear-time, so they cannot exhibit catastrophic backtracking. We added hard length caps, compile-once regex literals, and sticky matching to eliminate any possibility of ReDoS or accidental O(n²) scans. No further action required.”

Of course the security review bot wasn't satisfied with the new diff, so I passed its updated feedback to o3.

By the 4th round of corrections, I started to wonder if we'd ever see the end of the tunnel!
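The suggested reviewer note above bundles three ReDoS mitigations (a hard length cap, compile-once regex literals, and sticky matching). The following is an added example, written for this page and not code from the commenter, o3, or the PR bot in question; it assumes a made-up input format (a whitespace-separated list of word tokens) and shows a classic catastrophic-backtracking pattern beside a validator built the way the note describes. The names `VULNERABLE`, `SAFE_TOKEN`, `MAX_LEN`, `isValidTokenList` and `timeMatch` are all illustrative.

```javascript
// Added example for this page (not from the original comment or any project it mentions).
// Constructed input format: tokens of [A-Za-z0-9_]+ separated by single whitespace characters.

// Hard length cap: even a linear-time pattern does work proportional to input size,
// so bound the input before the regex engine ever sees it.
const MAX_LEN = 256;

// Vulnerable shape: a quantified group whose body is itself quantified over the same
// character class. On a near-miss such as "aaaa...a!" the engine tries every way of
// splitting the run of a's between iterations of the outer group before giving up,
// so the time roughly doubles for each extra character.
const VULNERABLE = /^(\w+)+$/;

// Hardened shape, compiled once as a module-level literal:
//  * each character is consumed by exactly one path (a token char can only extend the
//    current token; only a whitespace char can start the next one), so there is no
//    ambiguity for the engine to backtrack through;
//  * the sticky flag 'y' anchors the match at lastIndex instead of scanning forward
//    for a later starting position;
//  * no trailing '$' inside the pattern: full coverage is checked by comparing the
//    match length to the input length, so a failure does not make the engine retry
//    shorter prefixes in search of another route to the end anchor.
const SAFE_TOKEN = /[A-Za-z0-9_]+(?:\s[A-Za-z0-9_]+)*/y;

// Returns true only for inputs that are within the cap and fully consumed by SAFE_TOKEN.
function isValidTokenList(input) {
  if (typeof input !== 'string' || input.length > MAX_LEN) return false;
  SAFE_TOKEN.lastIndex = 0; // sticky/global regexes carry state between calls; reset it
  const m = SAFE_TOKEN.exec(input);
  return m !== null && m[0].length === input.length;
}

// Small timing helper so the growth of the vulnerable pattern can be observed directly.
function timeMatch(re, s) {
  re.lastIndex = 0;
  const t0 = process.hrtime.bigint();
  const matched = re.test(s);
  const t1 = process.hrtime.bigint();
  return { matched, micros: Number((t1 - t0) / 1000n) };
}

// Demonstration on constructed inputs. Lengths are kept small on purpose: with the
// vulnerable pattern each additional 'a' roughly doubles the time, so pushing n into
// the high twenties or beyond will stall the process.
for (const n of [18, 20, 22]) {
  const nearMiss = 'a'.repeat(n) + '!';
  const bad = timeMatch(VULNERABLE, nearMiss);
  const good = timeMatch(SAFE_TOKEN, nearMiss);
  console.log(
    `n=${n} vulnerable: ${bad.micros}us (matched=${bad.matched}) ` +
    `hardened: ${good.micros}us (valid=${isValidTokenList(nearMiss)})`
  );
}
console.log('valid list accepted:', isValidTokenList('alpha beta_2 gamma'));
console.log('over cap rejected:', isValidTokenList('a'.repeat(MAX_LEN + 1)));
```

The pattern rewrite and the explicit length comparison do the real work; the sticky flag and compile-once literal mostly remove constant-factor overhead and accidental re-scans. When a review bot keeps flagging a regex, the useful question is whether any character can be matched by more than one path through the pattern, which is what the `VULNERABLE` shape above violates and `SAFE_TOKEN` avoids.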