npm does not lock dependencies down by default. Even if every top-level dependency in package.json is pinned to an exact version, there is no guarantee that you will get the same code on the next install, because the sub-dependencies are not pinned: they are resolved at install time from whatever ranges each dependency declares, so a newly published transitive version (a regression, or a malicious release) can enter your build without any change on your side.
This is where npm shrinkwrap comes into the picture.
Creating a new shrinkwrapped package
cd into your project directory root.
Install the current version of all dependencies; this is the tree the shrinkwrap will record:
$ npm install
$ npm shrinkwrap
Add and commit npm-shrinkwrap.json to git. Review changes to it the way you review code: every resolved URL in it is exactly what the next npm install will fetch.
Check the notes at the end for some of the weirdness you will run into while using npm.
Updating an existing shrink wrapped package
$ npm install
Add or update a package with --save; npm then updates both package.json and npm-shrinkwrap.json:
$ npm install --save <package>@<version>
Add and commit npm-shrinkwrap.json and package.json to git repo.
Deleting a dependency
$ npm uninstall --save left-pad
Note that no exact version is given here. Specifying one on uninstall often causes problems when package.json does not pin an exact version but declares a range with ~, ^ or another operator.
Needless to say, please test your package before committing the changes.
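Testing before you commit is easier if the drift between the two files is checked mechanically. The following is an added example, not code from the original post or from npm: it reads a package.json and an npm-shrinkwrap.json in the npm 2/3 layout (version, from, resolved per entry), reports direct dependencies that are missing from the shrinkwrap or locked outside their declared range, and walks the whole tree to flag tarballs not resolved from the registry over https. The two JSON documents, the package names and the versions in it are constructed sample input; only exact, ^ and ~ ranges are modelled, anything else is reported for manual review.

```javascript
// Added example (not from the original post): drift and provenance check
// between package.json and npm-shrinkwrap.json. Sample input is constructed.
const samplePackageJson = JSON.stringify({
  name: "my-app",
  version: "1.0.0",
  dependencies: { "left-pad": "^1.1.0", "lodash": "~4.17.0" },
  devDependencies: { "mocha": "3.0.2" }
});

const sampleShrinkwrap = JSON.stringify({
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    // fine: 1.1.3 is inside ^1.1.0
    "left-pad": { version: "1.1.3", from: "left-pad@^1.1.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.1.3.tgz" },
    // drift: package.json was edited to ~4.17.0 without re-running npm install
    "lodash": { version: "4.16.4", from: "lodash@^4.16.0",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.16.4.tgz" },
    // hoisted transitive dep (npm 3 flattens the tree) fetched from elsewhere
    "debug": { version: "2.2.0", from: "debug@^2.2.0",
      resolved: "http://example.invalid/debug-2.2.0.tgz" }
    // mocha is absent: generated with npm <= 3.10.7 without --dev
  }
});

// "1.2.3" -> [1, 2, 3]; null when the string is not a plain version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exact, caret and tilde ranges only. Returns true/false, or null when the
// range uses syntax this checker does not model (so it can be flagged).
function satisfies(version, range) {
  const op = range.startsWith("^") || range.startsWith("~") ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!base || !v) return null;
  if (!op) return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false;
  let upper; // exclusive upper bound
  if (op === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compareVersions(v, upper) < 0;
}

// Yield [path, entry] for every entry, including nested ones (npm 3 nests
// only the dependencies it could not hoist to the top level).
function* walk(deps, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield [here.join(" > "), entry];
    yield* walk(entry.dependencies, here);
  }
}

function checkShrinkwrap(pkgJsonText, shrinkwrapText, opts = {}) {
  const { includeDev = true, registry = "https://registry.npmjs.org/" } = opts;
  const pkg = JSON.parse(pkgJsonText);
  const wrap = JSON.parse(shrinkwrapText);
  const wanted = Object.assign({}, pkg.dependencies,
    includeDev ? pkg.devDependencies : {});
  const locked = wrap.dependencies || {};
  const problems = [];

  // 1. every direct dependency is locked, at a version inside its range
  for (const [name, range] of Object.entries(wanted)) {
    const entry = locked[name];
    if (!entry) {
      problems.push(`${name}: declared in package.json but missing from npm-shrinkwrap.json`);
      continue;
    }
    const ok = satisfies(entry.version, range);
    if (ok === null) problems.push(`${name}: range "${range}" not understood, check by hand`);
    else if (!ok) problems.push(`${name}: locked ${entry.version} is outside ${range}`);
  }

  // 2. every tarball, direct or transitive, comes from the registry over https
  for (const [path, entry] of walk(locked)) {
    if (typeof entry.resolved !== "string" || !entry.resolved.startsWith(registry)) {
      problems.push(`${path}: resolved from ${entry.resolved} rather than ${registry}`);
    }
  }
  return problems;
}

const sampleProblems = checkShrinkwrap(samplePackageJson, sampleShrinkwrap);
console.log(sampleProblems.join("\n"));
```

On the constructed sample this reports the lodash drift, the missing mocha entry and the debug tarball served from outside the registry. Run it with includeDev: false for a shrinkwrap produced by npm 3.10.7 or older without --dev, where a missing devDependency is expected rather than a problem.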
npm 3.10.7 and below ignore devDependencies when generating npm-shrinkwrap.json. If you need devDependencies included as well, pass the --dev flag.
npm 3.10.8+ includes devDependencies by default.
There is also a known issue with the fsevents dependency on Linux: fsevents is a macOS-only optional dependency, so a shrinkwrap generated on a Mac records it, and npm on Linux then tries to install it and fails.