When there is a CVE in some JS package, it seems to coincide with an avalanche of security releases of random other packages. Dependabot can actually create bulk PRs, let's try those.
