Hacker News
by kaptainscarlet 311 days ago
I somewhat agree because the main package file, e.g. package.json, can act as a lock file if you pin packages to specific versions
1 comment

No tag other than latest has any special significance to npm itself. Tags can be republished and that's why integrity checks should be in place. Supply chain attacks are happening in open source communities, sadly.
I don't think you can republish to npm.

https://docs.npmjs.com/cli/v11/commands/npm-publish

> The publish will fail if the package name and version combination already exists in the specified registry.

> Once a package is published with a given name and version, that specific name and version combination can never be used again, even if it is removed with npm unpublish.

> if the package name and version combination already exists

I was talking about tags above, e.g. "npm i react@next", and you can use tags in your package.json. npm allows you to republish them at will, and you can never force your users to use a specific version.
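An added example, not code from the thread, from npm, or from any of the commenters, that mechanizes the distinction the thread turns on: a dependency spec like `"react": "next"` in package.json is a dist-tag the publisher can re-point at will, a caret or tilde range is re-resolved at install time, and only an exact `name@version` is immutable on the registry. Even an exact pin does not verify the tarball bytes; that is what the `integrity` field in package-lock.json does. The audit below flags both kinds of gap. The package names, versions, digests and the lockfile layout (lockfileVersion 3 style `packages` map) in the sample manifests are constructed for illustration.

```javascript
// Added example: audit a package.json for specs that are not pinned to an exact
// version, and a package-lock.json for entries that lack a strong integrity hash.
// Sample manifests below are constructed; the digests are placeholders.

// Exact semver, optionally prefixed with "=" or "v": 1.2.3, 1.2.3-rc.1, =1.2.3
const EXACT_VERSION = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// A dist-tag name: npm forbids tags that would parse as a semver range.
const DIST_TAG = /^[A-Za-z][0-9A-Za-z._-]*$/;

// Classify a dependency spec the way npm resolves it:
//   exact - "1.2.3": one immutable name@version on the registry
//   range - "^1.2.3", "~1.2.3", ">=1 <2", "1.x", "*": re-resolved at install time
//   tag   - "next", "beta", "latest": a mutable pointer the publisher can move
//   other - git/URL/file/npm-alias/workspace specs, handled outside the registry
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === '') return 'range'; // npm treats an empty spec as "*"
  if (s.includes('/') || s.startsWith('.') ||
      /^(file|git|github|gitlab|bitbucket|gist|npm|workspace|https?|git\+ssh|git\+https):/i.test(s)) {
    return 'other';
  }
  if (EXACT_VERSION.test(s)) return 'exact';
  if (/^[~^<>=\d*xX]/.test(s) || /\s|\|\|/.test(s)) return 'range';
  if (DIST_TAG.test(s)) return 'tag';
  return 'other';
}

// Report every dependency whose spec does not name an immutable version.
function auditManifest(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Report lockfile entries that cannot be verified byte-for-byte: no resolved URL,
// no integrity field, or a digest weaker than sha512 (base64 of 64 bytes = 86 chars + "==").
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;  // the root project itself
    if (entry.link) continue;   // workspace symlink, nothing fetched from a registry
    const problems = [];
    if (!entry.resolved) problems.push('missing resolved');
    if (!entry.integrity) problems.push('missing integrity');
    else if (!/^sha512-[A-Za-z0-9+/]{86}==$/.test(entry.integrity)) {
      problems.push('weak or malformed integrity: ' + entry.integrity);
    }
    if (problems.length) findings.push({ path, version: entry.version, problems });
  }
  return findings;
}

// Constructed sample manifest: only "express" would survive the audit.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    react: 'next',        // dist-tag: the publisher can re-point it at any time
    lodash: '^4.17.21',   // range: a newer 4.x is picked up silently
    express: '4.18.2',    // exact: immutable name@version
  },
  devDependencies: {
    typescript: 'latest',                      // "latest" is also just a tag
    'some-tool': 'github:example/some-tool',   // constructed non-registry spec
  },
};

// Constructed sample lockfile: digests are placeholders, not real hashes.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    'node_modules/react': {
      version: '19.0.0-canary',
      resolved: 'https://registry.npmjs.org/react/-/react-19.0.0-canary.tgz',
      // no integrity: install trusts whatever the registry serves for this URL
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha1-' + 'B'.repeat(27) + '=',  // sha1 only: flagged as weak
    },
  },
};

function runAudit(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCKFILE) {
  return { manifest: auditManifest(pkg), lockfile: auditLockfile(lock) };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

To run it against a real project, replace the two constants with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; the manifest audit is what tells you whether package.json alone can stand in for a lockfile (it can only when every finding is empty), and the lockfile audit is what the "integrity checks should be in place" comment above is asking for.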