
npm packages can change without a version change?

Can you explain this?

npm doesn't allow you to delete any published versions (you can only deprecate them). You aren't allowed to publish a version that's already been published.

Even when there have been malicious packages published the solution has been to publish newer versions of the package with the old code. There's no way to delete the malicious package (maybe npm internally can do it?).




Sorry, without a minor version change. You can easily publish a patch version and most people don't pin that part of their dependency.


They don't need to pin it directly.

They only need to "npm ci" (based on package-lock.json) instead of "npm install" (based on package.json) within the Docker container to get a fully reproducible build.



