> If deps are immutable, then nothing anyone does in any other package (short of having the package repository take the code down) should be able to break your future builds.
They are. You're only affected if you don't use a package-lock.json or start a new project (which will pull the latest versions of the dependencies).