i'm so sick of npm dependencies just casually pulling in a dozen other packages w/out warning. can't we just have one thing that does one thing without dragging in a whole of potential vulnerabilities?