@Nux, just to say, there is ongoing work in T222807.

There is a new Permission Model model in modern NodeJS, by the way. Enabling it allows to control reading, writing (even on r/o environments processes can write to some obscure places like /dev/termination-log), spawning workers and subprocesses. This also blocks all attempts to launch shell / perl / another instance of nodejs / and so on.

Disabling extension is an adequate decision. Long time ago I reported about EasyTimeline, nobody disabled this extension, it took few weeks to fix, but again, it was long time ago. Today Wikipedia has have state-level attacks (guess the country), just in February almost every Russian MediaWiki website was attacked (proclaimed as "euro-woodpecker", using wormable payloads with a mix of pre-1.37 stored XSS vulnerabilities and mcrundo to bypass captcha), so nobody wants to know how much damage malicious actors can do in few minutes.

no place for subtitles

There is a long-running experiment in ruwiki about generating family name lists with Listeria with template substitution - https://ru.wikipedia.org/wiki/%D0%A4%D1%83%D0%BA%D0%B0%D0%B4%D0%B0.
Not exactly matches expectations about Lua, but solves use case №1.

Not a bug, I forgot to add bot=1 flag (even though I knew it 10 years ago). Forgot that flooder flag is opt-out and bot flag is opt-in.

According to https://web.archive.org/web/20190205051545/https://www.wikidata.org/wiki/Wikidata:SPARQL_query_service/queries/examples
previously, syntaxhighlight markup looked like:

<span class="lineno"> 1 </span><span class="c">#defaultView:BarChart</span>

Line numbers were not selectable.