How To Keep Track of Your Pinned NPM Packages?

How to document/comment why package.json packages are pinned to specific versions? How to enforce no one accidentally updates them?

Why Would You Pin a Package?

The Problem

Possible Solutions

Comments in package.json

"dependencies": {    
"@rebass/grid": "^6.0.0",
"@welldone-software/why-did-you-render": "^3.0.6",
...
// older 2 versions has accidental breaking changes",
//
https://github.com/kirill-konshin/next-redux- wrapper/releases/tag/2.1.0",
// update when version 3 is released"

"next-redux-wrapper" :"2.0.0",
...
},

Pinning Versions Using Greenkeeper.io

Documentation Elsewhere

My rfcs on Yarn