npm install mongoose@"~4.0.8" --save
This installs anything 4.0.x — major and minor are respected. The option “@4.0.8” would be only 4.0.8, which is fine, but probably too picky. The default “^4.0" is terrible and will install anything with major version 4. Don’t ever do this. It’s also the default. Programmer emptor.
For Python, I generally do "pip install package" to install the latest version of a module, then "pip freeze mypackage >> requirements.txt" to capture the exact version number.