Until the day it gets pwned by a malicious actor. Which is something we've seen quite a lot of times on npm deps.