can we talk about how npm dependencies are out of control? every project is like a house of cards, one vulnerable package away from disaster