Previous work: {T318965}
Tracking bug for next security release, 1.35.10/1.38.6/1.39.3
Note: Added T326946: CVE-2020-36649: Bundled PapaParse copy in VisualEditor has known ReDos for a possible mention within the next release, even though it's already public and very wikimedia-specific.