I'm sorry but this is completely wrong. NPM has lock files which explicitly lockdown the version you have downloaded after your first install. These are commited to source control, so all subsequent installs will use the exact same version of dependencies, and nested dependencies too.
You need to ask npm to upgrade or delete your lock file and node modules to run into this issue.
Even if they did they're not 'breaking your app in minutes', as if all live apps which use that package are suddenly going to poll npm for deleted packages. That's absurd.
You need to ask npm to upgrade or delete your lock file and node modules to run into this issue.