
To handle a static state of dependencies, usually a package-lock or a yarn.lock file is committed to the repo. That is the usual way to freeze the dependency tree.



Freezing a dependency tree isn't the point. The point is to avoid making a network request and to know that your dependencies will still be there 5 years from now.

Remember that one of the benefits of Git is that it's distributed. Even if you are hosting your own npm mirror, relying on it gets rid of that distributed advantage. It doesn't help you to be able to clone from the person next to you if you can't build without making a network request.

I'm not saying that this should be the norm for everyone. It obviously shouldn't be the norm for libraries. But it's not inherently a crazy or harmful idea.
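A check for the "no network request" property the reply above is arguing for, as an added example that is not part of the thread: given a package-lock.json (lockfileVersion 3 layout) and a directory of vendored tarballs, it reports which packages the lockfile pins by hash but which are missing locally or differ from the pinned hash. The `<name>-<version>.tgz` vendor layout and the lockfile contents are constructed assumptions, not npm's cache format.

```python
import base64
import hashlib
import tempfile
from pathlib import Path


def parse_sri(integrity):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, raw digest)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return algo, base64.b64decode(b64)


def check_vendored(lock, vendor_dir):
    """Map each lockfile entry to 'ok', 'missing', 'mismatch' or 'no-integrity' (assumed vendor layout: <name>-<version>.tgz)."""
    results = {}
    for pkg_path, meta in lock.get("packages", {}).items():
        if pkg_path == "":  # the root project itself, nothing to fetch
            continue
        name = pkg_path.rsplit("node_modules/", 1)[-1].replace("/", "-")
        integrity = meta.get("integrity")
        if not integrity:  # version is pinned, the bytes are not
            results[pkg_path] = "no-integrity"
            continue
        algo, expected = parse_sri(integrity)
        tarball = Path(vendor_dir) / f"{name}-{meta['version']}.tgz"
        if not tarball.exists():  # an install here would have to hit the network
            results[pkg_path] = "missing"
            continue
        actual = hashlib.new(algo, tarball.read_bytes()).digest()
        results[pkg_path] = "ok" if actual == expected else "mismatch"
    return results


def demo():
    """Constructed fixture: a lockfile plus two vendored tarballs, one tampered."""
    good = b"constructed tarball bytes for left-pad"
    sri = "sha512-" + base64.b64encode(hashlib.sha512(good).digest()).decode()
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": sri},
        "node_modules/tampered": {"version": "2.0.0", "integrity": sri},
        "node_modules/gone": {"version": "0.1.0", "integrity": sri},
        "node_modules/unpinned": {"version": "0.2.0"}}}
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "left-pad-1.3.0.tgz").write_bytes(good)
        (Path(d) / "tampered-2.0.0.tgz").write_bytes(good + b"!")
        return check_vendored(lock, d)
```

Anything reported as "missing" is a package the lockfile alone cannot give you offline, which is the gap the reply is pointing at; "no-integrity" entries cannot be verified against a vendored copy at all.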



