another day, another npm package with a critical vulnerability. why do we keep building on a house of cards?