Who is 'you' here? All of the npm package maintainers?

Yes, if they all just backport security patches we'll be fine. No, people are not going to just.