We'd probably have to roll our own upgrade script that calls npm install with a version number. npm upgrade is too risky, since it downloads the latest version of a module, irrespective of any configured versioning in your package.json.
Our themes and plugins aren't compatible with older versions, so they might end up installing a version that is too new and break their forum...
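A sketch of the kind of upgrade script the comment describes, as an added example that is not part of the original post or the project's code. The plugin name, the release list and the `minCore`/`maxCore` compatibility fields are constructed for illustration; the script picks the newest plugin release that supports the installed forum version and installs exactly that version.

```javascript
// Added example: package name, versions and compatibility windows are constructed.
const EXACT = /^\d+\.\d+\.\d+$/; // exact x.y.z only: no ranges, tags or URLs
const NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

const SAMPLE_RELEASES = [ // constructed data: plugin release -> forum versions it supports
  { version: '1.2.0', minCore: '0.5.0', maxCore: '0.5.9' },
  { version: '1.10.0', minCore: '0.5.0', maxCore: '0.5.9' },
  { version: '2.0.0', minCore: '0.6.0', maxCore: '0.6.9' },
];

function parse(v) {
  if (!EXACT.test(v)) throw new Error(`not an exact version: ${v}`);
  return v.split('.').map(Number);
}

// Numeric, field-by-field comparison, so 1.10.0 sorts above 1.2.0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Newest release whose window contains the installed forum version, or null.
function pickVersion(releases, coreVersion) {
  const core = parse(coreVersion);
  const ok = releases.filter(r =>
    cmp(parse(r.minCore), core) <= 0 && cmp(core, parse(r.maxCore)) <= 0);
  ok.sort((a, b) => cmp(parse(b.version), parse(a.version)));
  return ok.length ? ok[0].version : null;
}

// Arguments for an npm install pinned to one exact version.
function buildInstallArgs(name, version) {
  if (!NAME.test(name)) throw new Error(`bad package name: ${name}`);
  parse(version); // throws on "latest", "^1.0.0", "*", ...
  return ['install', '--save-exact', `${name}@${version}`];
}

function upgrade(name, releases, coreVersion, run = false) {
  const version = pickVersion(releases, coreVersion);
  if (!version) throw new Error(`no ${name} release supports forum ${coreVersion}`);
  const args = buildInstallArgs(name, version);
  // Argument array, no shell: nothing in the name or version is interpreted.
  if (run) require('child_process').execFileSync('npm', args, { stdio: 'inherit' });
  return args; // dry run by default
}

console.log(upgrade('example-forum-plugin', SAMPLE_RELEASES, '0.5.3').join(' '));
```

Passing `true` as the fourth argument runs the install; the default only returns the arguments so the chosen version can be reviewed first.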