npm is literally a ticking time bomb, how are we still ok with blindly trusting dependencies from random devs on the internet??