NPM Lock down dependency versions in our dependenc

Posted 2019-07-12 22:48

So I have an application that pulls in some dependencies. I have figured out how to lock those down quite easily and thus my Package.json looks like so:

"webpack": "2.2.1",

Great! So webpack is locked to that version, but I have noticed something in webpack's package.json. They don't lock down their dependencies:

"dependencies": {
  "acorn": "^4.0.4",
  "acorn-dynamic-import": "^2.0.0",
  "ajv": "^4.7.0",
  "ajv-keywords": "^1.1.1",
  "async": "^2.1.2",
  "enhanced-resolve": "^3.0.0",
  "interpret": "^1.0.0",
  "json-loader": "^0.5.4",
  "loader-runner": "^2.3.0",
  "loader-utils": "^0.2.16",
  "memory-fs": "~0.4.1",
  "mkdirp": "~0.5.0",
  "node-libs-browser": "^2.0.0",
  "source-map": "^0.5.3",
  "supports-color": "^3.1.0",
  "tapable": "~0.2.5",
  "uglify-js": "^2.8.5",
  "watchpack": "^1.2.0",
  "webpack-sources": "^0.2.0",
  "yargs": "^6.0.0"
},

So the other day our app spun up on a container and grabbed webpack 2.2.1 like it should have, but grabbed the latest uglify-js which caused issues with our production app.

Is there any way to enforce versions for dependencies that our dependencies are utilizing?

1 answer
男人必须洒脱
Reply 2 · 2019-07-12 23:14

npm shrinkwrap is what I was looking for and needing.
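The shrinkwrap file named in the answer is what actually pins the transitive versions. The script below is an added example, not code from the question or from npm: it reads a constructed npm-shrinkwrap.json object in the lockfileVersion 1 layout (npm 5/6), reports which exact copy of a transitive package such as uglify-js a given dependency would load, and prints a sorted pin list that can be diffed between builds to catch drift before a container installs anything.

```javascript
// Constructed sample of an npm-shrinkwrap.json in the lockfileVersion 1
// layout (npm 5/6). Versions are illustrative, not the real ones.
const shrinkwrap = {
  name: "our-app", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    webpack: {
      version: "2.2.1",
      requires: { "uglify-js": "^2.8.5", "supports-color": "^3.1.0" },
      // a copy nested under webpack because the root copy is too new for it
      dependencies: { "supports-color": { version: "3.2.3" } }
    },
    "uglify-js": { version: "2.8.29", requires: { "source-map": "~0.5.1" } },
    "source-map": { version: "0.5.7" },
    "supports-color": { version: "5.5.0" }
  }
};

// Which copy the package at `ownerPath` would actually load: nearest nested
// copy first, then each ancestor, then the root (mirrors node_modules lookup).
function effectiveVersion(lock, ownerPath, name) {
  const scopes = [lock];
  let node = lock;
  for (const seg of ownerPath) {
    node = (node.dependencies || {})[seg];
    if (!node) return null; // owner is not in the lockfile at that path
    scopes.push(node);
  }
  for (let i = scopes.length - 1; i >= 0; i--) {
    const hit = (scopes[i].dependencies || {})[name];
    if (hit) return hit.version;
  }
  return null; // would fail to resolve: lockfile is incomplete
}

// Sorted "path@version" lines covering every copy in the tree; diff this
// output across builds to see exactly which transitive pin changed.
function pinReport(lock, path = [], out = []) {
  for (const [dep, meta] of Object.entries(lock.dependencies || {})) {
    out.push(`${[...path, dep].join(" > ")}@${meta.version}`);
    if (meta.dependencies) pinReport(meta, [...path, dep], out);
  }
  return out.sort();
}

console.log(effectiveVersion(shrinkwrap, ["webpack"], "uglify-js")); // 2.8.29
console.log(pinReport(shrinkwrap).join("\n"));
```

To run it against a real project, replace the constructed object with `JSON.parse(fs.readFileSync("npm-shrinkwrap.json"))`; the same layout applies to a package-lock.json of that lockfile version.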
