We have recently upgraded to NPM 5.3, which now supports the transitive locking of dependencies using a package lock file.
This ensures that a defined set of specific versions of libraries is consistently used, which avoids problems caused by using different versions of libraries without being aware of it.
For a bug that can result from neglecting to do something like this, see MH-12865.
The corresponding PR has been merged. I therefore close this issue as "Fixed and reviewed".