A quick skim through my ~/.npm/_cacache shows that the verified content files are all -rw-r--r--.

It looks like the contents all get written to files in a temp space and then get "moved" to the content location. Should the final destination be made completely read-only (-r--r--r--) since there's no reason to ever modify their contents? The ability to delete the files is based on the w bit of the containing folder, so it shouldn't cause problems there.

@rmg that's not a bad idea :)

I would take a patch for this!