just spent 3 hours debugging an issue that boiled down to a single rogue dependency. who thought it was a good idea to let anyone publish anything to npm