Regular Expression Denial of Serviceunderscore.string
underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Upgrade to version 3.3.5 or higher.