Are we really still using npm? It's a security dumpster fire and everyone knows it. How many times do we need to see a random library get hijacked before we start using a package manager that doesn't suck?