There is a base set of npm packages that are used by all services. Currently, server.js installs heapdump and gc-stats (possibly among others).
In the 2018-09-27 pipeline meeting we discussed where and how these packages should be installed, so that they can be tracked for security updates