npm is a fuckin security dumpster fire. why do people still use this shit? user input is the devil and package maintainers can't be trusted.