by elliotf 4578 days ago
I think you're looking for npm shrinkwrap:

https://npmjs.org/doc/cli/npm-shrinkwrap.html

It locks in all dependencies, including dependencies of dependencies, and turtles all the way down.

shrinkwrap just locks down a version of a dependency; if the dependency points to a git master branch, that's not locked down. shrinkwrap doesn't install any code. I think his point is valid, although also probably still very rare.
npm will translate the git branch to its commit SHA when you `npm shrinkwrap`, so you're pretty well covered.