npm is a fucking security dumpster fire. how many backdoors and malicious packages do we have to find before people stop trusting that shit? do your own threat model and stay far away.