
The thing I don't get is, I've been using Git repos as the source for my packages for years now, so why can't everyone do this?


Not everyone tags releases so you're stuck if you need a fixed version of a dependency.

Or you can tie it to Github and then download a release from their CDN.


You can indeed reference a git repository with a single commit specified, like described in the npm install docs[1]. Not very user friendly, but it works.

Example:

"dependencies": { "myprivatemodule": "git+ssh://git@github.com:user/project.git#commit-hash" }

[1] https://docs.npm.red/cli/install.html
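Added example, not part of the thread: a small audit of a package.json that reports git dependencies whose `#` suffix is not a full commit hash, since a tag, branch or semver range can be moved to different code later and an abbreviated hash is ambiguous. The manifest, the sample hash and the function names are constructed for illustration.

```javascript
// Added example: report git dependencies that are not pinned to a full commit hash.
// Recognised spec forms: git URLs, hosted shorthands (github:user/repo), user/repo.
const GIT_URL = /^(git\+(ssh|https?|file)|git):\/\//i;
const HOSTED = /^(github|gitlab|bitbucket):[\w.-]+\/[\w.-]+(#.*)?$/i;
const GH_SHORTHAND = /^[\w-][\w.-]*\/[\w.-]+(#.*)?$/;

function isGitSpec(spec) {
  return GIT_URL.test(spec) || HOSTED.test(spec) || GH_SHORTHAND.test(spec);
}

// Classify the part after '#', which selects what git checks out.
function classifyPin(spec) {
  if (!isGitSpec(spec)) return 'not-git';
  const hash = spec.indexOf('#');
  if (hash === -1 || hash === spec.length - 1) return 'unpinned'; // default branch
  const ref = spec.slice(hash + 1);
  if (ref.startsWith('semver:')) return 'semver-range';           // resolved against tags
  if (/^([0-9a-f]{40}|[0-9a-f]{64})$/i.test(ref)) return 'full-commit';
  if (/^[0-9a-f]{7,39}$/i.test(ref)) return 'abbreviated-or-ref'; // short hash or hex-like ref
  return 'mutable-ref';                                           // tag or branch name
}

// Return one finding per git dependency that is not fixed to a full commit hash.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const pin = classifyPin(String(spec));
      if (pin !== 'not-git' && pin !== 'full-commit') findings.push({ field, name, spec, pin });
    }
  }
  return findings;
}

// Constructed sample manifest; the 40-character hash is made up.
const SAMPLE_SHA = '0123456789abcdef0123456789abcdef01234567';
const sample = {
  dependencies: {
    pinned: 'git+ssh://git@github.com:user/project.git#' + SAMPLE_SHA,
    tagged: 'git+https://github.com/user/project.git#v1.2.0',
    ranged: 'github:user/project#semver:^1.2.0',
    floating: 'user/project',
    registry: '^4.17.21',
  },
  devDependencies: { short: 'git://github.com/user/project.git#0123abc' },
};

for (const f of auditManifest(sample)) console.log(`${f.field}.${f.name}: ${f.pin} (${f.spec})`);
```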


This! Plus treating every commit as a major version and being done with it.


That's a bit too idealistic; in practice, any commit MAY have a bug which passed quality control. The problem is that it's all down to people's discipline, it's not an enforced standard.

A package manager where every release has to be reviewed, tested and approved before it becomes generally available would be a pretty interesting case. I know bigger companies who are reluctant to upgrade because of known bugs in the past would be willing to pay for something like that.


I'm pretty sure you can use a commit hash as a version, too.


Because versioning & dependencies are a nightmare that way


I have only done this partially over the years, but yes I agree, it's a viable alternative, and when it comes to private internal modules you don't ever have to worry about signing up to npm enterprise or deploying Nexus or equivalent.


Because package managers are used for more than just source code - many packages want or need to distribute intermediate or compiled artifacts.



