I somewhat agree because the main package file .eg package.json can act as a lock file if you pin packages to specific versions

▲

whilenot-dev 4 days ago | parent [-]

No tag other than latest has any special significance to npm itself. Tags can be republished and that's why integrity checks should be in place. Supply chain attacks are happening in open source communities, sadly.

▲

beart 4 days ago | parent [-]

I don't think you can republish to npm.

https://docs.npmjs.com/cli/v11/commands/npm-publish

> The publish will fail if the package name and version combination already exists in the specified registry.

> Once a package is published with a given name and version, that specific name and version combination can never be used again, even if it is removed with npm unpublish.

	▲	whilenot-dev 3 days ago \| parent [-]
		> if the package name and version combination already exists I was talking about tags above, eg. "npm i react@next", and you can use tags in your package.json. npm allows you to republish them at will, and you can never force your users to use a specific version.