
fix(parse): remove ambiguous numeric regex to prevent ReDoS #292

Open

leno23 wants to merge 1 commit into vercel:main from leno23:fix/parse-redos-regex-291

Conversation


leno23 commented May 25, 2026

Summary

  • Replace the backtracking-prone \d*\.?\d+ numeric capture with (?:\d+\.?\d*|\.\d+)
  • Complements the existing 100-character input guard with a safer regex shape
  • Add regression test ensuring long invalid numeric strings parse quickly

Fixes #291

Test plan

  • pnpm test

Replace the backtracking-prone `\d*\.?\d+` numeric pattern with an
unambiguous alternative and add regression coverage for long invalid input.
Fixes vercel#291.
rkristelijn commented

Good catch on the ReDoS vector. The regex fix works, but a simpler and more robust defense is to cap input length before the regex runs. No legitimate time string exceeds ~20 characters, so:

export function parse(str: string): number {
  if (str.length > 100) {
    return NaN;
  }
  // ... existing regex
}

This has two advantages:

  1. Defense in depth — protects against any future ReDoS in the regex, not just this specific pattern
  2. Zero behavior change — no valid input is affected, and the regex stays untouched

The regex change from \d*\.?\d+ to (?:\d+\.?\d*|\.\d+) subtly changes what's accepted: 123. (trailing dot, no decimals) now matches where it didn't before. The length guard avoids this entirely.

If you do want to fix the regex itself, I'd suggest combining both: length cap + the regex fix as belt-and-suspenders.
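The following is an added example, not code from this PR or from the project it targets. It puts the two numeric captures from the PR description (`\d*\.?\d+` and `(?:\d+\.?\d*|\.\d+)`) and the length guard from the comment above side by side inside a reduced `parse()`, so the behavioural difference the reviewer points out and the effect of the guard can be checked directly. The unit table, the `^...$` anchors, the unit alternation and the `longInvalidInput` helper are assumptions chosen to keep the example self-contained; the project's real pattern is longer.

```javascript
// Added example (not the project's code): a reduced parse() that compares the
// numeric capture before and after the PR's change, with the 100-character
// input cap the review comment recommends applied before any regex runs.

// Assumed unit table; the real module accepts many more spellings.
const UNIT_MS = {
  ms: 1,
  s: 1000,
  m: 60 * 1000,
  h: 60 * 60 * 1000,
  d: 24 * 60 * 60 * 1000,
};

// The two numeric captures discussed in the PR, embedded in a simplified
// "<number> [unit]" grammar (assumed shape, not the project's exact regex).
const OLD_RE = /^(\d*\.?\d+) *(ms|s|m|h|d)?$/i;
const NEW_RE = /^(\d+\.?\d*|\.\d+) *(ms|s|m|h|d)?$/i;

// Input cap referenced in the PR and in the review comment.
const MAX_LEN = 100;

// Returns milliseconds or NaN. `re` selects the numeric capture; `guard`
// toggles the length cap so the two defenses can be compared independently.
function parseWith(re, str, guard = true) {
  if (typeof str !== 'string') return NaN;
  if (guard && str.length > MAX_LEN) return NaN; // rejected before exec() runs
  const m = re.exec(str);
  if (!m) return NaN;
  const n = parseFloat(m[1]);
  const unit = (m[2] || 'ms').toLowerCase();
  return n * UNIT_MS[unit];
}

const parseOld = (str, guard = true) => parseWith(OLD_RE, str, guard);
const parseNew = (str, guard = true) => parseWith(NEW_RE, str, guard);

// Inputs on which the captures agree, plus "123." where they differ.
function compareCaptures() {
  const inputs = ['1.5s', '.5s', '100', '2h', '123.', '12..3s', 'abc'];
  return inputs.map((s) => ({ input: s, old: parseOld(s), new: parseNew(s) }));
}

// Constructed regression-style input: many digits followed by a character
// that neither the unit alternation nor the end anchor can match.
function longInvalidInput(len) {
  return '1'.repeat(len) + 'x';
}

function demo() {
  for (const row of compareCaptures()) {
    console.log(`${row.input.padEnd(8)} old=${row.old} new=${row.new}`);
  }
  const probe = longInvalidInput(500);
  console.log('guarded  :', parseOld(probe));        // NaN, cap rejects it first
  console.log('unguarded:', parseOld(probe, false)); // NaN, but the regex ran on all 501 chars
}

demo();
```

Running it prints the comparison: both captures agree on the valid inputs and differ only on `123.`, which the old pattern rejects and the new one accepts as 123 ms, exactly the behaviour change the reviewer describes. Both patterns still contain optional pieces, so it is the length check, executed before `exec()`, that bounds the work done on over-long input regardless of which capture is used; that is the defense-in-depth point made above.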

leno23 force-pushed the fix/parse-redos-regex-291 branch from 9e0487d to 4d998c7 on May 26, 2026 05:06

Development

Successfully merging this pull request may close these issues.

#291 Security: ReDoS vulnerability in parse regex

2 participants