npm's package.json devDependencies are a ticking time bomb for most projects. i mean, how many of you are actually reviewing your dev dependencies regularly? probably not enough to prevent a security nightmare.