Not sure how npm works in detail, doesn't it pull directly from devs' repositories? In that case can't the devs just publish an update that breaks everything?
npm allows for installation of specific versions. So even if a dev publishes a new version that breaks, you can select a previous version known to work. A good dev shouldn’t be updating willy-nilly to the latest version just because it’s the latest. They ought to spec a particular version and update after testing.
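As an added illustration of the pinning advice above (this is example code written here, not code from either commenter), the following script reads a package.json and reports every dependency whose version spec is a floating range rather than one exact release. The package.json contents are constructed for the example; the `findUnpinned` and `report` function names are this example's own.

```javascript
// Added example: flag dependencies in a package.json that are not pinned
// to an exact version. The sample package.json below is constructed for
// this example and does not describe any real project.

// Matches exactly one semver release, e.g. "1.3.0" or "2.0.0-rc.1".
// Anything else ("^1.2.3", "~1.2.3", ">=1.0.0", "*", "latest", a tag)
// can resolve to a newer publish and is treated as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Returns true when the spec names exactly one published version.
function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Walks dependencies and devDependencies and returns
// { name, spec, section } entries whose spec can float to a newer release.
function findUnpinned(pkg) {
  const out = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const deps = pkg[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) out.push({ name, spec, section });
    }
  }
  return out;
}

// Constructed sample input: a mix of pinned and floating specs.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "left-pad": "1.3.0",      // pinned
    "lodash": "^4.17.21",     // caret range: floats within major 4
    "express": "latest",      // dist-tag: floats to whatever is newest
  },
  devDependencies: {
    "jest": "~29.0.0",        // tilde range: floats within 29.0.x
    "eslint": "8.57.0",       // pinned
  },
});

// Parses the JSON text and returns the list of unpinned entries.
function report(jsonText) {
  return findUnpinned(JSON.parse(jsonText));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const e of report(SAMPLE_PACKAGE_JSON)) {
    console.log(`${e.section}: ${e.name} uses floating spec "${e.spec}"`);
  }
}
```

Run with `node check-pins.js` (any filename works) to list the floating specs; in practice this is paired with a committed package-lock.json and `npm ci`, so that the exact versions that were tested are the ones installed.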