npm is a security nightmare. too many dependencies, too many ways for supply chain attacks. gotta be careful what you install, you never know what's lurking in there.