While the majority of users will likely not use npm, those that do will
likely lock to particular versions.
Once we have a lockfile, we'll be able to more easily jump to "old"
versions and reproduce installation or compatibility issues.
And with Dependabot, we'll be able to still stay "fresh" and not worry
about developer environments masking issues by not pulling newer
versions.