0.10.3 on NPM has a security vulnerability string@3.3.0

[stdarg]

I notice that the master branch no longer uses string@3.3.0 which has a regex DDoS vulnerability. Can we have a 0.10.4 without string@3.3.0? If there are blockers, what are they?