If deps are immutable, then nothing anyone does in any other package (short of having the package repository take the code down) should be able to break your future builds.
> If deps are immutable, then nothing anyone does in any other package (short of having the package repository take the code down) should be able to break your future builds.
They are. You're only affected if you don't use a package-lock.json or start a new project (which will pull the latest versions of the dependencies).
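One way to check that a package-lock.json really pins what the reply above says it pins (every installed package recorded with a registry URL and an integrity hash), as an added example that is not from any poster in this thread; the lockfile below is a constructed sample and the registry allow-list is an assumption:

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" layout) for entries
// that would let a future build drift: missing "resolved" or "integrity" fields, or packages
// resolved from somewhere other than the expected registry. The lock is a constructed sample.
const sampleLock = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.3.0", colors: "1.4.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // constructed placeholder hash
    },
    "node_modules/colors": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
      // no integrity field: npm cannot verify the tarball it downloads
    },
    "node_modules/some-lib": {
      version: "2.0.0",
      // constructed: a git source pointing at a branch, which can change between installs
      resolved: "git+ssh://git@example.invalid/org/some-lib.git#main",
    },
  },
});

// Returns one finding per pinning problem; an empty array means every entry is fully pinned.
function auditLock(lockJson, allowedRegistry = "https://registry.npmjs.org/") {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself, not a dependency
    if (!entry.resolved) {
      findings.push({ path, problem: "missing resolved" });
    } else if (!entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ path, problem: "non-registry source" });
    }
    if (!entry.integrity) findings.push({ path, problem: "missing integrity" });
  }
  return findings;
}

console.log(auditLock(sampleLock));
```

Run it against a real lockfile by replacing `sampleLock` with `fs.readFileSync("package-lock.json", "utf8")`; `npm ci` will refuse to install when the lock and package.json disagree, but it will not flag a missing integrity field by itself.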
I'm not a node expert, but I believe the problem is that most people auto-update their node dependencies (I know I do, but I only have to do it rather rarely, since I don't primarily use node), because there are just so often minor security regressions that need to be fixed.