We are running 3.0.1 in core and 4.0.1 was released in March 2020. Currently core dependencies are copy and pasted into the core folder.
https://github.com/janl/mustache.js/blob/1de94bb/CHANGELOG.md
Not sure what the process is for library updating in core and whether security review is needed. Have tagged security and release engineering and a couple of people who might be able to help guide me through this process.