hte whole npm is a security nightmare. you have no idea what's in those dependencies or who is maintaining them. it's a supply chain attack waiting to happen.