Recent versions of npm generate a package-lock.json file. It keeps the exact version of each package as it was first installed, so whenever you call npm install, it will fetch and install those versions.
Also, it is good practice to add these files to your repo, so that anyone cloning it will get the same dependencies installed.
Here are the npm docs
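
To see what the lock file actually pins, the sketch below (an added example, not part of the original answer) reads a lock in the `packages` layout used by lockfileVersion 2 and 3, lists the range the project declares next to the exact version the lock records, and flags entries that lack an `integrity` hash or are fetched over a non-HTTPS URL. The package names, registry URLs and hash values are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample in the lockfileVersion 3 layout (names, URLs, hashes are made up).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "demo-lib": "^1.2.0", "@demo/util": "~2.0.0" } },
    "node_modules/demo-lib": {
      version: "1.3.0",
      resolved: "https://registry.example.invalid/demo-lib/-/demo-lib-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER"
    },
    "node_modules/@demo/util": {
      version: "2.0.4",
      resolved: "http://registry.example.invalid/@demo/util/-/util-2.0.4.tgz"
    }
  }
};

const NM = "node_modules/";

// Every installed package in the lock, with the exact version it is pinned to.
function pinnedPackages(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path.includes(NM) && !e.link)
    .map(([path, e]) => ({ path, name: path.slice(path.lastIndexOf(NM) + NM.length), ...e }));
}

// Range declared by the root project next to the version the lock pins.
function declaredVsPinned(lock) {
  const declared = (lock.packages[""] || {}).dependencies || {};
  const top = new Map(pinnedPackages(lock).filter(p => p.path === NM + p.name).map(p => [p.name, p.version]));
  return Object.entries(declared).map(([name, range]) => ({ name, range, pinned: top.get(name) ?? null }));
}

// Entries that would weaken reproducibility or tamper detection.
function auditLock(lock) {
  const issues = [];
  for (const p of pinnedPackages(lock)) {
    if (!/^\d+\.\d+\.\d+/.test(p.version || "")) issues.push(`${p.path}: no exact version`);
    if (!p.integrity && !p.inBundle) issues.push(`${p.path}: no integrity hash`);
    if (p.resolved && !p.resolved.startsWith("https://")) issues.push(`${p.path}: resolved over non-HTTPS URL`);
  }
  return issues;
}

console.log(declaredVsPinned(sampleLock));
console.log(auditLock(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of the repository's own package-lock.json.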