You can always have a look at one of the existing http request related contributions, to have an example of what Nick has just explained...
For example the node-red-contrib-http-request node has the following two dependencies in its package.json file:
"dependencies": {
"request": "^2.74.0",
"mustache": "^2.2.1"
},
As a result, the request-library will be downloaded and installed automatically (when users install that custom node).
In this document you can read about the semantic versioning syntax (for [major, minor, patch]), which you can use in the dependencies section of your package.json file. E.g. in the above package.json file they have used ^, which means a caret range: the contribution needs minimal version 2.74.0, but all higher 2.x.x versions are allowed. But it doesn't allow a higher major version 3.x.x, because a major version might break backwards compatibility (so it might cause this contribution to fail).
That is what I understand from it ...
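The caret rule described in the post above, as an added example that is not part of the original post or of the node's own code: a minimal check for plain x.y.z versions, run against a constructed list of candidate versions (not a real registry listing). It goes slightly beyond the post by also handling 0.x versions, where npm's caret moves the upper bound to the left-most non-zero component.

```javascript
// Added example: minimal caret-range check for plain "x.y.z" versions
// (no prerelease or build tags). This is not the npm semver implementation.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error("unsupported version: " + v);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1, comparing major, then minor, then patch.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound: bump the left-most non-zero component.
function caretUpperBound(min) {
  const [major, minor, patch] = min;
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function caretSatisfies(version, range) {
  if (range[0] !== "^") throw new Error("not a caret range: " + range);
  const min = parse(range.slice(1));
  const v = parse(version);
  return compare(v, min) >= 0 && compare(v, caretUpperBound(min)) < 0;
}

// Dependencies from the package.json quoted above.
const dependencies = { request: "^2.74.0", mustache: "^2.2.1" };

// Constructed candidate versions, used only for illustration.
const candidates = ["2.2.0", "2.2.1", "2.73.9", "2.74.0", "2.88.2", "3.0.0"];

// Which of the candidate versions would a given caret range accept?
function allowed(range) {
  return candidates.filter((v) => caretSatisfies(v, range));
}

for (const [name, range] of Object.entries(dependencies)) {
  console.log(name, range, "->", allowed(range).join(", "));
}
```

Because any newer 2.x.x release satisfies the range, the version actually installed can differ between installs unless a lockfile pins it.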