Bump re2 and relax version constraint #21

Closed
mxxk wants to merge 1 commit into crisp-oss:master from mxxk-forks:bump-re2-and-relax-version

mxxk (Contributor) commented Nov 2, 2025

Hi there, 👋 thank you again for maintaining email-forward-parser; it’s been a really helpful library for us. I wanted to bump the re2 version and revisit the topic of relaxing its version constraint.

We’ve run into repeated issues when upgrading Node.js because this package currently pins re2 to a specific version that often lacks prebuilt binaries for newer Node releases. For example:

  • When moving from Node v20 → v22, email-forward-parser pinned re2@1.20.7, which didn’t have binaries for Node 22. That led to us opening Bump re2 to 1.21.4 #19.
  • Now, upgrading from Node v22 → v24, we’re hitting the same issue: re2@1.21.4 doesn’t yet provide binaries for Node 24.

I completely understand the earlier point (#19 (comment)) about wanting to control dependency updates and ensure nothing breaks; that’s a very reasonable consideration. However, in this case, re2 follows semantic versioning closely and has a fairly stable API surface. Using a looser constraint (like ^1.22.1 or ~1.22.1) would still protect against breaking changes while avoiding compatibility blocks when Node releases new major versions.

This small change would make email-forward-parser much more future-friendly for downstream consumers without sacrificing your control over dependency safety.

Thanks again for your time and for maintaining this project!

mxxk (Contributor, Author) commented Dec 19, 2025

@valeriansaliou this needs your input 🙂

eliottvincent (Member) commented Dec 20, 2025

Hey @mxxk !

Thanks for the PR and the detailed context. I understand the pain you’re describing around Node upgrades and native dependencies like re2.

That said, on our side we (Crisp) have a deliberate policy of always pinning third-party dependencies, even when they claim to follow semantic versioning. In practice, we want to avoid:

  • breaking changes shipped in minor or patch releases (this has already happened to us, even on libraries following semantic versioning)
  • more recently, supply-chain issues where packages are taken over and malicious or unsafe behavior is introduced via seemingly “safe” updates (the number of such attacks will only increase in the near future)

By pinning dependencies, we make sure that:

  • updates happen intentionally and not implicitly
  • we can run our due-diligence and full test suite before upgrading

To move things forward, I’m happy to update re2 to the latest known good version, but I'll keep it pinned. You're also free to fork this repository and remove the pinned version of re2. And you can always PR a re2 upgrade here, we'll make sure to approve it in due time.

eliottvincent (Member) commented

I've just upgraded re2 to the latest version available (v1.22.3), you can now install email-forward-parser v1.7.2 :)
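
Added example, not part of the thread and not code from email-forward-parser or re2: it shows which published versions each specifier discussed above (an exact pin, `~1.22.1`, `^1.22.1`) would admit on an install without a lockfile, plus a CI-style check that flags non-exact specifiers. The function names, the manifest, and versions 1.23.0 and 2.0.0 are assumptions made for illustration; only plain `X.Y.Z`, `^` and `~` specifiers with major version 1 or higher are handled.

```javascript
// Added example: not code from email-forward-parser or re2.
// Handles only "X.Y.Z", "^X.Y.Z" and "~X.Y.Z" with major >= 1
// (npm treats carets on 0.x versions differently; prereleases are ignored).
const parse = (v) => v.split(".").map(Number);

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy the dependency specifier `spec`?
function satisfies(spec, version) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(spec);
  if (!m) throw new Error("unsupported specifier: " + spec);
  const base = parse(m[2]);
  const v = parse(version);
  if (m[1] === "") return cmp(v, base) === 0;     // exact pin
  if (cmp(v, base) < 0) return false;             // below the floor
  if (m[1] === "^") return v[0] === base[0];      // same major
  return v[0] === base[0] && v[1] === base[1];    // "~": same major.minor
}

// Versions an install without a lockfile could resolve to.
function admitted(spec, published) {
  return published.filter((v) => satisfies(spec, v));
}

// CI-style check: names of dependencies whose specifier is not an exact pin.
function unpinned(manifest) {
  const exact = /^\d+\.\d+\.\d+$/;
  return Object.entries(manifest.dependencies || {})
    .filter(([, spec]) => !exact.test(spec))
    .map(([name]) => name);
}

// Constructed data: 1.21.4, 1.22.1 and 1.22.3 appear in the thread;
// 1.23.0, 2.0.0 and "example-lib" are hypothetical.
const published = ["1.21.4", "1.22.1", "1.22.3", "1.23.0", "2.0.0"];
const manifest = { dependencies: { re2: "^1.22.1", "example-lib": "3.1.0" } };

for (const spec of ["1.22.3", "~1.22.1", "^1.22.1"]) {
  console.log(spec.padEnd(8), "->", admitted(spec, published).join(", "));
}
console.log("unpinned:", unpinned(manifest));
```

With the pin, a new upstream release is only picked up when someone edits the manifest; with either range, any release inside the admitted set can arrive on a fresh install unless a lockfile is committed and enforced.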
