"npm config set strict-ssl false" seems to have fixed the issue -- hopefully I'm not pulling hacked libs ...