npm is still a dumpster fire when it comes to dependency management. Like, how many times do we need to discuss the importance of pinning versions or using shrinkwrap before people actually do it?