[leokun]

Pretty sure dependencies can come straight from a git url, bypassing npm. Put something on npm, and in your package.json you can depend on something straight up from github. npm will install and build that and it may break your stuff, it's a gamble. Given how dependencies nest into a massive web, you don't have to use many things before you end up with something that breaks you.

[elliotf]

I think you're looking for npm shrinkwrap:

https://npmjs.org/doc/cli/npm-shrinkwrap.html

It locks in all dependencies, including dependencies of dependencies, and turtles all the way down.

[Touche]

shrinkwrap just locks down a version of a dependency, if the dependency points to a git master branch, that's not locked down. shrinkwrap doesn't install any code. I think his point is valid, although also probably still very rare.

[elliotf]

npm will translate the git branch to its commit sha when you `npm shrinkwrap` so you're pretty well covered.