Leaves you open to vulnerabilities in overnight builds of NPM packages that increasingly happen due to LLM slop?