
montroser, today at 10:00 AM

It's hardly an end-run around VCS to specify an external dependency's VCS sha, and resolve that at build time.

But okay, let's go further and use git submodules so that package.json is out of the picture. Even in that case we have the same problem.

Or, let's go even further and vendor the dependency so it is now copied into our source code. Even in that case too, we still have the same problem.

The dependency has been malicious all along, so if we use it in any way the game is already over.


Replies

cxr, today at 5:01 PM

> It's hardly an end-run around VCS to specify an external dependency's VCS sha, and resolve that at build time

Not "hardly". That's very literally an end-run around the VCS.

This is not a productive discussion.