npm is a security dumpster fire. way too many dependencies, zero vetting, and everyone just blindly trusts it. what could possibly go wrong?