We have recently upgraded to NPM 5.3, which now supports the transitive locking of dependencies using a package lock file.
This ensures that a defined set of specific versions of libraries is consistently used, which avoids problems caused by using different versions of libraries without being aware of that.
The corresponding PR has been merged. I therefore close this issue as "Fixed and reviewed".
For a bug that can result from neglecting to do something like this, see MH-12865.
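
As an added illustration (not code from this project or the merged PR), the following JavaScript walks a lock file in the npm 5 format (`lockfileVersion` 1) and reports entries at any nesting depth that are not fully pinned. The sample lock data, package names, URLs and hashes are constructed placeholders, and `auditLock` is a hypothetical helper name.

```javascript
// Constructed sample in the npm 5 lock format; names, URLs and hashes are placeholders.
const sampleLock = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "lib-a": {
      version: "2.1.0",
      resolved: "https://registry.example/lib-a/-/lib-a-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: {
        // Transitive dependency nested under lib-a, recorded without a hash.
        "lib-c": {
          version: "0.4.2",
          resolved: "https://registry.example/lib-c/-/lib-c-0.4.2.tgz",
        },
        // Bundled packages ship inside the parent tarball: no own hash or URL.
        "lib-e": { version: "1.0.0", bundled: true },
      },
    },
    // Git dependency: not a registry release, so it gets flagged for review.
    "lib-b": { version: "github:example/lib-b#0123abc" },
    "lib-d": {
      version: "3.0.0",
      resolved: "http://registry.example/lib-d/-/lib-d-3.0.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Walk every level of the lock tree and report entries that are not fully pinned.
function auditLock(lock) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = [...path, name].join(" > ");
      if (!EXACT_VERSION.test(entry.version || "")) {
        findings.push(`${where}: version is not an exact registry release`);
      } else if (!entry.bundled) {
        if (!entry.integrity) findings.push(`${where}: no integrity hash`);
        if (!/^https:\/\//.test(entry.resolved || "")) findings.push(`${where}: resolved URL is not https`);
      }
      walk(entry.dependencies, [...path, name]);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}
```

Run against a parsed `package-lock.json` in CI, a non-empty result is a reason to fail the build or request review of the lock file change.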