Revise dependencies + lock file

[confluence]

As per discussion:

1. package-lock.json is not published and has no effect on package installs from npm. We want npm-shrinkwrap.json.
2. The frontend should be a peer dependency of the controller.
3. Auth methods should be factored out into plugins. Each plugin should have the controller as a peer dependency. Controller should fail at runtime if no auth plugin found, but not directly depend on any.
4. Peer dependencies should not be locked (investigate how to do this; can they be removed from the lock file?)
5. Controller version should only be bumped

• to bump major version of the frontend
• to bump frontend version if more specific version is required
• if there are controller changes

[confluence]

Per our last meeting about the controller:

• It's fine to keep not freezing / locking versions in the package
• Yes, make the frontend a peer dependency
• Investigate the auth refactoring but only do it if it's easy because we plan to replace the controller with microservices -- make a separate issue for this.
• Peer dependency locking: not applicable; we decided not to lock
• Yes to controller version bump strategy