PCRE2 has API functions that allow users to change resource limits at runtime. It might be worthwhile to set these limits lower by default, and create server parameters to allow users to raise them. SECURITY-757 describes potential security risks with leaving these limits high on Atlas Free Tier or Serverless. We should determine default limits that will fill the needs of most users, while limiting the library's resource usage as much as possible.

The limits below, described here, can be set while configuring the library. They are also possible to change at runtime with these functions.
--with-match-limit
--with-heap-limit
--with-match-limit_depth

regex_limits.js tests many of these limits. This capture group limit test case is failing in PCRE2, because the memory usage differs slightly from PCRE. This is what led me to question whether the capture group limit should even be so high that it can hit the MongoDB internal memory limit (or stay just under the limit but run for a really long time and take up a lot of resources.)