What? Why? Why shouldn't I be able to run my entire application without relying on 3rd party distribution channels? Caching my dependencies in node_modules is perfectly reasonable to me. It's not like I'm getting binary diffs. It's Javascript.
You're not caching anything by checking it in git, you're mirroring it (very poorly). Your filesystem caches it; you still rely on your remote to download it.
If you want to mirror your dependencies, run an npm mirror subset or something. If that sounds crazy to you, that's because mirroring npm dependencies is unnecessary for virtually everybody.
Oh, and you are also making your .git folder 100x larger than it otherwise would be, making your initial download and on-disk sizes a lot bigger, which can also slow down other git operations. Not to mention the atrocious amount of noise whenever someone does a git blame, git log, git log -S, ...
In other words, checking in your entire dependency source tree in git is unnecessary, wasteful and annoying in the best case scenario.
Caching node_modules is fine, but not in the mainline branches of your source control. Let your CI system put it somewhere, after it passed tests. Tarball, a dedicated git repo/branch, Docker image or whatever else is practical.
To control versions of dependencies pull in, narrow your specifiers in package.json, verify that the deps use semver sanely, and consider a lockfile.
https://docs.npmjs.com/files/package-locks
