npm is a mess. You install a dependency thinking it's safe, but really it's just a bunch of unknowns with conflicting versions and vulnerabilities. Why can't we just have simple, honest dependency management?