Installing this package results in a security audit warning (high):
```
$ npm audit

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High            Regular Expression Denial of Service
Package         string
Patched in      No patch available
Dependency of   markdown-it-named-headers [dev]
Path            markdown-it-named-headers > string
More info       https://nodesecurity.io/advisories/536

found 1 high severity vulnerability in 693 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```
After some digging, it seems that this issue is reported to string.js, but the project seems all but abandoned: jprichardson/string.js#212 (comment)
It is only used for slugify here:
markdown-it-named-headers/index.js
Line 6 in 34a70ce
Could we replace this with voca? That package doesn't have a security warning.