npm is a goddamn security nightmare. you never know what you're pulling in and half the maintainers are script kiddies. just use the bare minimum and keep that attack surface small.