can't believe i just spent an hour debugging a vulnerability in a dependency that's two versions out of date. npm, seriously, how hard is it to keep the default install from pulling in ancient, insecure crap?