It was, and probably still is, fashionable in the Node community to check
dependencies into one's git repository, per the following links. However,
Rubyists use Bundler, and I've never heard of checking gem dependencies
into a Ruby project. So what do we do when we have Node dependencies in a
Rails project?
"Why can’t I just use version locking to ensure that all
deployments get the same dependencies?"
"Version locking can only lock the version of a top level
dependency. You lock your version of express to a particular
version and you deploy to a new machine 3 weeks later it’s going
to resolve express’s dependencies again and it might get a new
version of Connect that introduces subtle differences that break
your app in super annoying and hard to debug ways because it only
ever happens when requests hit that machine. This is a nightmare,
don’t do it."
and concludes with:
"All you people who added node_modules to your gitignore,
remove that shit, today, it’s an artifact of an era we’re all too
happy to leave behind. The era of global modules is dead."
And so this was all true, but before node-shrinkwrap was released
a. Check node_modules into git for things you deploy,
such as websites and apps.
b. Use npm to manage dependencies in your dev environment, but not
in your deployment scripts.
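The drift described in the quoted passage above (express stays pinned while a later install resolves a different Connect underneath it) can be detected by comparing the full dependency tree, not just the top level. The following is an added example, not code from the quoted posts or from npm; the tree shape is a simplified version of the nested layout used by npm-shrinkwrap.json, and all versions, the bytes entry and the function names are constructed for illustration.

```javascript
'use strict';
// Constructed sample: the tree recorded at the first deployment.
const lock = { dependencies: {
  express: { version: '3.0.0', dependencies: {
    connect: { version: '2.6.0', dependencies: { qs: { version: '0.5.1' } } },
  } },
} };
// Constructed sample: a machine installed three weeks later. express is still
// the pinned version, but its own dependency range resolved to a newer connect.
const laterInstall = { dependencies: {
  express: { version: '3.0.0', dependencies: {
    connect: { version: '2.7.0', dependencies: {
      qs: { version: '0.5.1' }, bytes: { version: '0.1.0' },
    } },
  } },
} };

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk both trees together and report every path whose version differs,
// or which exists on only one side.
function findDrift(locked, installed, path = []) {
  const drift = [];
  const a = (locked && locked.dependencies) || {};
  const b = (installed && installed.dependencies) || {};
  const names = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const name of [...names].sort()) {
    const where = [...path, name].join(' > ');
    if (!has(b, name)) {
      drift.push({ where, locked: a[name].version, installed: null });
    } else if (!has(a, name)) {
      drift.push({ where, locked: null, installed: b[name].version });
    } else {
      if (a[name].version !== b[name].version) {
        drift.push({ where, locked: a[name].version, installed: b[name].version });
      }
      drift.push(...findDrift(a[name], b[name], [...path, name]));
    }
  }
  return drift;
}

// What a top-level version pin alone can see: direct dependencies only.
function topLevelDrift(locked, installed) {
  return findDrift(locked, installed).filter((d) => !d.where.includes(' > '));
}

console.log('top level:', topLevelDrift(lock, laterInstall));
console.log('full tree:', findDrift(lock, laterInstall));
```

Running a check like this in a deployment script and failing on any reported drift gives the same guarantee that checking node_modules into git is meant to provide, without committing the files.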
Reasons not to include node_modules in git
Including node_modules in your git repo greatly increases the
potential file churn for files that your team did not create, thus
making pull requests on GitHub problematic due to large numbers of files
One problem with npm install is that while your package.json file may
be locking down your dependency versions, it does not lock down your