npm is a security nightmare. you never know what kind of malicious code is lurking in those dependencies. trust no one, update nothing.