i'll say it - javascript is a security dumpster fire. all that client-side code running on millions of devices? recipe for disaster. every bug, every vuln, every malicious script - straight to the end user. and npm?