npm is a security dumpster fire. you can't trust anything in that , it's a mess of supply chain attacks waiting to happen. shit's fucked, use something else if you want your code to not get owned.