npm is still a complete nightmare for security, don't even get me started on all the dependencies people just randomly add to their projects w/out any regard for the risks.