npm is still a mess, 4000 vulnerabilities and counting, can't anyone just use a sane package manager for once?