fedwiki / wiki-plugin-plugmatic

Administer Installed Plugins

make calling npm safer #4

Closed paul90 closed 7 years ago

paul90 commented 7 years ago

The use of exec is not really all that safe. Without validation of the input parameters on the server, it would be fairly simple to perform arbitrary commands on the server.

Here I use execFile to run npm, and some simple validation of plugin and version input on the server.

WardCunningham commented 7 years ago

Oops. Sorry to be slow to merge this excellent addition.