chr15m 5 days ago
Yep. I'm calling it. The churn is more dangerous and fragile than the rot. Two alternatives:

- The occasional alert from `npm audit` that you have to carefully, deliberately, and thoughtfully upgrade your way out of.
- The shifting sands of 100s or 1000s of towering deps that change literally every time you `pnpm install`.

The second one is the current situation and it is madness. There should be no package lock because package.json should be the package lock.