
NPM As A Blocker

From Handling Node.js Dependencies At Box:

We would have a lot of explaining to do if a deployment ended up canceled because the public npm registry was down.

The most important requirement in this regard is deploying without dependence on the public npm registry.

I’ve brought up this issue in just about every conversation I’ve had with people about NPM. What happens when the registry goes down or is unavailable for any reason? If your deploy mechanism is dependent on the registry being up, it is going to cause a whole lot of pain. And you know that will wait to happen until the worst possible moment.

I am surprised at the number of times people seem to have not considered that an issue.

Here is the bottom line, from the same post –

At any given time, what’s checked-in to source control is ready to be deployed into production on its own.

I’ve described it this way: if it is code that you depend on in production then it should be in your source control repo.
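One way to enforce this in CI is to audit the lockfile for anything that would still be fetched over the network at deploy time. The sketch below is an added example, not code from the Box post. It assumes an npm lockfile in the v2/v3 format (a `packages` map with `resolved`, `link` and `inBundle` fields); the sample lockfile and the `npm.internal.example` host are constructed for illustration.

```javascript
// Added example: flag lockfile entries that depend on a remote host at install time.
const PUBLIC_REGISTRY = "registry.npmjs.org";

function auditLockfile(lock, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace symlinks, and packages shipped inside a parent tarball.
    if (path === "" || entry.link || entry.inBundle) continue;
    const resolved = entry.resolved;
    if (!resolved) {
      // Without a recorded source the installer has to resolve the package itself.
      findings.push({ path, resolved: null, reason: "no resolved source recorded" });
      continue;
    }
    if (resolved.startsWith("file:")) continue; // tarball checked in beside the code
    let host;
    try {
      host = new URL(resolved).hostname.toLowerCase();
    } catch {
      findings.push({ path, resolved, reason: "unparseable resolved value" });
      continue;
    }
    if (allowed.has(host)) continue; // e.g. an internal mirror you operate
    const reason = host === PUBLIC_REGISTRY ? "public npm registry" : `remote host ${host}`;
    findings.push({ path, resolved, reason });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/internal-lib": { resolved: "https://npm.internal.example/internal-lib/-/internal-lib-2.0.0.tgz" },
    "node_modules/vendored": { resolved: "file:vendor/vendored-1.0.0.tgz" },
    "node_modules/git-dep": { resolved: "git+ssh://git@github.com/example/git-dep.git#0000000" },
    "node_modules/workspace-pkg": { resolved: "packages/workspace-pkg", link: true },
    "node_modules/unknown": { version: "0.1.0" },
  },
};

// With no allowlist, every remotely resolved entry is reported.
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

A non-empty result is a reason to fail the build: each finding is a package the deploy cannot install from source control alone.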