[FEATURE] Use version of package defined in package.json/lock file

[cypherfunc]

Copying this issue from the original repo: zkat/npx#199 (comment)

This seems like a very helpful feature that is well within the scope of this package, and is the only thing preventing my team from using npx. (I work for a healthcare IT company, and it's required that we control the exact version of our dependencies that get run at any given time.)

Even more, it could conceivably be associated with some kind of "strict" mode, such that npx will only download a package if it is listed in the package/lock file. This would also solve the issue: #9 (comment).