Those are promises that npm intends to keep, but whether they do or not isn't something that you as a package user can verify. Plus there's also the possibility that the server you got those bits from was merely masquerading as npm.
The only immutability that counts is immutability that you can verify, which brings us back to cryptographic hashes.