This is being released as a patch instead of a minor since
1) the existing API is not changing
2) the feature is opt-in and is only enabled when explicitly defined by the user
3) to ensure that all downstream implementors have the ability to prevent unsafe regular expressions from being passed by end-users (considering that we're still getting minimatch DDoS warnings after more than a year)

also closes #1