npm is a security clusterfuck. you can't trust anything in there, its a minefield of supply chain attacks waiting to happen. use yarn instead, at least its not a total shitshow.