We've tried various approaches to lock down our dependencies and they
have been flawed because dependencies in our included packages may not
be locked down and previous attempts to do that have not been correct.
With npm shrinkwrap we lock down versions so that any npm install will
always install the exact same versions for all developers - see:
https://docs.npmjs.com/cli/shrinkwrap
(This is a lot like composer.lock for those more fluent with composer)
