Agree, the npm ecosystem is increasingly becoming an security liability.