Hello Stephane,
Like you correctly assessed, currently it’s not possible to disable a rule from an inherited quality profile. This is an issue we are gonna look into to improve the situation, no ETA though.
Regarding your suggestion of analyzing different languages, it’s indeed not possible at the moment, but this is a suggestion worth having a look at. I escalated the topic to our PMs, but I can’t tell you yet if it’s something we will want to invest in or not.
Otherwise yesterday we deployed a new faster version of the JS/TS security analyzer. It contains the same new rules as the version that was making your project OOM and timeout, but way faster. Still we observed a small average duration increase compared to the previous version but it should not be an issue anymore. You can find more info about it in this thread.