On Mon, Mar 23, 2015 at 5:21 PM Brandon Allbery <allbery.b@gmail.com> wrote:
On Mon, Mar 23, 2015 at 11:19 AM, Richard Eisenberg <eir@cis.upenn.edu> wrote:
- "It's always out-of-date." This statement, while true, isn't a direct indication that something is wrong.

"Perception is reality". The period when the Platform went without an update for over a year because we were waiting on ghc 6.8.3 did a lot to ruin the Platform's reputation.
I hate to bring this up, but it's not just a historical issue. The version of attoparsec used by the platform today forces an old version of aeson to be used (0.6.2.1). The combination of that aeson and attoparsec version is vulnerable to an incredibly severe DoS attack for specially crafted JSON strings (e.g., {"foo":1e100000000000000000000000}). In fact, just a few weeks ago I sent a private email to someone about a massive vulnerability in a service (obviously not going to point out which one).

Michael
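As an added defensive illustration (not code from the thread, nor from aeson or attoparsec): a Python analogue of the hazard Michael describes. Python's `json` hands each number token to `parse_float`/`parse_int` hooks, and the hook below reads the decimal exponent from the token text and refuses to expand any number whose magnitude exceeds 10^1024, so the `1e100000000000000000000000` payload is rejected before any large integer is built; the bound, the `NumberTooLarge` type and the sample documents are my assumptions.

```python
import json
import re
from decimal import Decimal

# JSON number grammar (RFC 8259): sign, integer part, optional fraction, optional exponent.
_NUMBER = re.compile(r"^-?(0|[1-9][0-9]*)(?:\.([0-9]+))?(?:[eE]([+-]?[0-9]+))?$")
MAX_EXPONENT = 1024  # assumed bound: refuse magnitudes beyond 10^1024 or below 10^-1024

# Constructed samples: HOSTILE has the payload shape quoted in the thread.
HOSTILE = '{"foo":1e100000000000000000000000}'
BENIGN = '{"foo":1.5e3,"bar":-42,"baz":0.001}'

class NumberTooLarge(ValueError):
    """Raised instead of materialising an integer with an absurd number of digits."""

def decimal_exponent(token: str) -> int:
    """Decimal exponent of the leading significant digit, computed from the text
    alone so that the cost never depends on how large the exponent is."""
    m = _NUMBER.match(token)
    if not m:
        raise ValueError(f"not a JSON number: {token!r}")
    int_part, frac, exp = m.group(1), m.group(2) or "", int(m.group(3) or 0)
    if int_part != "0":
        return exp + len(int_part) - 1            # leading digit is in the integer part
    stripped = frac.lstrip("0")
    if not stripped:
        return 0                                  # the value is zero, however it is spelled
    return exp - (len(frac) - len(stripped)) - 1  # leading digit is in the fraction

def bounded_number(token: str, max_exp: int = MAX_EXPONENT):
    """parse_float/parse_int hook for json.loads: check the exponent first, then
    convert exactly via Decimal; integral values come back as int."""
    e = decimal_exponent(token)
    if abs(e) > max_exp:
        raise NumberTooLarge(f"decimal exponent {e} exceeds bound {max_exp}")
    d = Decimal(token)                            # cheap once the exponent is bounded
    return int(d) if d == d.to_integral_value() else d

def safe_loads(text: str):
    """json.loads with both numeric hooks routed through the bounded parser."""
    return json.loads(text, parse_float=bounded_number, parse_int=bounded_number)

def check(text: str) -> str:
    """Classify a document at a trust boundary: the parsed value, or why it was refused."""
    try:
        return f"accepted: {safe_loads(text)}"
    except NumberTooLarge as exc:
        return f"rejected: {exc}"
```

The hook bounds only the exponent; the digit count of a literal is already limited by the size of the input, so it needs no separate check here.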