As much as I hate to say it, as I hate how these kinds of packages attach themselves to large projects to inflate download numbers for a resume, I think most of us here would probably have created the same CVE doing it naively. It was a regex DoS due to exponential runtime, not something obtuse like extra bloat being poorly made.