npm is still a security nightmare. i'm all for convenience but come on. How hard is it to maintain a few low-level dependencies that don't have known vulnerabilities?