I understand that using npm shrinkwrap helps lock down dependencies to help guarantee a replicable build for an application.
My question is, what if you're building a module instead of an application? Should each release of the module include an npm-shrinkwrap.json? I've taken a look at some open source modules and haven't seen them in their repositories (for instance: express, react, chai, async).
My understanding is that the benefit npm (>=3) provides is consolidating compatible versions. For example, if pkg-a depends on lodash ^4.0.0 and pkg-b depends on lodash ^4.3.5, it'll just install a single copy of the latest lodash 4 release. But if pkg-a and pkg-b had both created shrinkwraps, most likely they would not correspond to the exact same version of lodash, and two copies of the library would need to be installed, even though they're entirely compatible releases.
The downside of not including a shrinkwrap is that the library author is building a package that will be relied upon by other applications and which could become broken at any time when any of its dependencies (or dependencies' dependencies, recursively) releases a breaking change in a minor or patch release. And in the case of a dependency's dependency breaking, there's nothing that the library author can do save for publishing a shrinkwrap.
For instance, if my library depends on request, which depends on hawk, and hawk releases a breaking change in a patch release, then even locking down to an exact version of request won't fix my library -- the only way (as far as I can see) to fix my library is to publish a shrinkwrap that pares down the exact version of hawk.
This is getting long-winded, but I'm trying to understand if there's a better argument for having shrinkwraps in Node modules versus taking advantage of the benefits npm provides by not using them.
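The pkg-a / pkg-b scenario from the question, as an added example that is not part of the original post: a small caret-range resolver that simulates npm's flat install and shows why two caret ranges collapse to one shared copy of lodash while two shrinkwrap-style exact pins force two copies. The functions (compare, satisfies, resolveShared, install) and the list of lodash 4.x versions are constructed for this illustration; they are not npm's own code, and only exact versions and ^x.y.z ranges with major >= 1 are handled.

```javascript
// Added example, not from the original question or from npm.
// Minimal semver handling: exact versions and ^x.y.z caret ranges only.

// "4.17.4" -> [4, 17, 4]
const parse = (v) => v.split('.').map(Number);

// Negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  const [a1, a2, a3] = parse(a);
  const [b1, b2, b3] = parse(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// Caret semantics for major >= 1: >= x.y.z and < (x+1).0.0.
// A bare version (what a shrinkwrap records) must match exactly.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [major] = parse(base);
    const [vMajor] = parse(version);
    return compare(version, base) >= 0 && vMajor === major;
  }
  return compare(version, range) === 0;
}

// Highest available version that satisfies every range, or null if none does.
function resolveShared(ranges, available) {
  const descending = [...available].sort(compare).reverse();
  return descending.find((v) => ranges.every((r) => satisfies(v, r))) || null;
}

// Simulate npm >= 3 flat install of one library requested by several dependants:
// one hoisted copy when a single version satisfies everyone, otherwise one
// nested copy per dependant. Returns { copies, resolved }.
function install(deps, available) {
  const shared = resolveShared(Object.values(deps), available);
  if (shared) return { copies: 1, resolved: { shared } };
  const resolved = {};
  for (const [pkg, range] of Object.entries(deps)) {
    resolved[pkg] = resolveShared([range], available);
  }
  return { copies: Object.keys(resolved).length, resolved };
}

// Constructed subset of lodash 4.x releases for the example (not fetched).
const LODASH_VERSIONS = ['4.0.0', '4.3.5', '4.6.1', '4.17.4'];

// Case 1: both libraries declare caret ranges in package.json.
const withRanges = install({ 'pkg-a': '^4.0.0', 'pkg-b': '^4.3.5' }, LODASH_VERSIONS);

// Case 2: each library shipped a shrinkwrap pinning whatever its author had installed.
const withShrinkwraps = install({ 'pkg-a': '4.0.0', 'pkg-b': '4.3.5' }, LODASH_VERSIONS);

console.log(withRanges);      // { copies: 1, resolved: { shared: '4.17.4' } }
console.log(withShrinkwraps); // { copies: 2, resolved: { 'pkg-a': '4.0.0', 'pkg-b': '4.3.5' } }
```

The two pins in case 2 are both inside ^4.0.0, so the extra copy is pure overhead caused by the pins, which is the trade-off the question is weighing. A real resolver should use the semver package rather than this toy; in particular the 0.x caret rules are deliberately left out here.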