npm update just broke our build because some maintainer decided to bump a minor version in a transitive dependency; meanwhile, the actual fix for the vulnerability has been in our fork for months