HACKER Q&A
📣 yingw787

Methods to lock down an NPM environment for on-premise distribution


I have this project I'm working on (tinydevcrm.com) and I want to lock down dependencies from JavaScript for a React.js frontend. Ideally, I want to audit all my dependencies (and their dependencies), check them out at the commit level, and build it all with Bazel or something, in order to lock down the project for long term support. Is this done in industry or are there other ways in order to lock down JavaScript projects?

I understand this question might not be entirely appropriate for this forum and that I should try Stack Overflow instead, but I think it may be a concern others have faced and solved before (tiny SaaS grows into a large company, large enterprise customer wants an on-premise distribution of application on air-gapped network, SaaS updates build pipeline to support offline distributions).


  👤 acemarke Accepted Answer ✓
I'd suggest using Yarn's "offline mirror" functionality, which lets you commit the exact set of packages into the repo, then install them when the repo is checked out without needing additional network requests.

https://classic.yarnpkg.com/blog/2016/11/24/offline-mirror/

https://blog.isquaredsoftware.com/2017/07/practical-redux-pa...
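As an added example (not acemarke's code or anything from the Yarn project), the script below writes the two `.yarnrc` keys Yarn classic reads for an offline mirror and then runs the check a practitioner wants before handing the repo to an air-gapped host: every `resolved` entry in `yarn.lock` must have its tarball present in the mirror directory. The mirror directory name and the two-package `yarn.lock` fixture are constructed for the demo; the placeholder `#sha1placeholder` fragments stand in for the real hashes Yarn writes.

```shell
#!/bin/sh
# Added example: configure a Yarn classic offline mirror and verify that every
# package pinned in yarn.lock has a tarball in the mirror before shipping.
# Not code from the original post; directory name below is an assumption.
set -eu

MIRROR_DIR="npm-packages-offline-cache"   # assumed mirror directory

# .yarnrc keys read by Yarn classic: where tarballs are stored, and pruning of
# tarballs that yarn.lock no longer references so the mirror does not go stale.
write_yarnrc() {
  printf 'yarn-offline-mirror "./%s"\nyarn-offline-mirror-pruning true\n' \
    "$MIRROR_DIR" > "$1/.yarnrc"
}

# Print the tarball file name for each `resolved` entry in yarn.lock.
# A lockfile line looks like:
#   resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#<sha1>"
# and Yarn stores the mirror copy under the last path segment (left-pad-1.3.0.tgz).
lock_tarballs() {
  grep -E '^[[:space:]]*resolved "' "$1" \
    | sed -E 's/^[[:space:]]*resolved "([^"#]*)(#[^"]*)?"[[:space:]]*$/\1/' \
    | sed -E 's#.*/##' \
    | sort -u
}

# Return 0 when every tarball named in yarn.lock exists in the mirror;
# otherwise print each missing name and return 1 (the loop reads from a
# temp file rather than a pipe so the counter survives in POSIX sh).
check_mirror() {
  repo="$1"
  list=$(mktemp)
  lock_tarballs "$repo/yarn.lock" > "$list"
  missing=0
  while IFS= read -r tarball; do
    if [ ! -f "$repo/$MIRROR_DIR/$tarball" ]; then
      echo "missing from mirror: $tarball"
      missing=1
    fi
  done < "$list"
  rm -f "$list"
  return "$missing"
}

# Constructed fixture: a repo with a two-package yarn.lock and an empty mirror.
# Hash fragments are placeholders, not real checksums.
make_fixture() {
  repo=$(mktemp -d)
  mkdir -p "$repo/$MIRROR_DIR"
  cat > "$repo/yarn.lock" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#sha1placeholder"

object-assign@^4.1.1:
  version "4.1.1"
  resolved "https://registry.yarnpkg.com/object-assign/-/object-assign-4.1.1.tgz#sha1placeholder"
EOF
  echo "$repo"
}

# Walk-through: with one of two tarballs mirrored the check fails; after the
# second is added it passes. In a real repo the mirror is filled by running
# `yarn install` once online, then the air-gapped host runs `yarn install --offline`.
demo() {
  repo=$(make_fixture)
  write_yarnrc "$repo"
  : > "$repo/$MIRROR_DIR/left-pad-1.3.0.tgz"
  check_mirror "$repo" || echo "mirror incomplete, do not ship"
  : > "$repo/$MIRROR_DIR/object-assign-4.1.1.tgz"
  check_mirror "$repo" && echo "mirror complete: $(ls "$repo/$MIRROR_DIR")"
  rm -rf "$repo"
}

demo
```

The check only covers what `yarn.lock` names. Packages whose install scripts download prebuilt binaries at `postinstall` time fetch those outside Yarn's mirror, so an offline build that depends on such packages needs those artifacts vendored separately and the offline install run end to end on a disconnected machine before the release is cut.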