Old thread, I know, but we've found significant success shrinkwrapping Pulumi + dependencies into a container and running that in a target environment. It means that our application environments do not need network access to our NPM registry and it means that we have specific, dedicated Pulumi+deploy revisions archived. If our code needs a rollback but rolling back infrastructure would then be destructive, we can (and do) run code version X-1 with infrastructure version X, with the intent being that code version X+1 and infrastructure version X+1 sync back up.
I would recommend pretty strongly against relying on the current state of an NPM registry for doing your deploys, even if you run it yourself. Being able to safely deploy with minimal infrastructure-in-place--you're not going to get around your provider eating it, but you should be able to get around your NPM registry eating it--is important.
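One way to build the shrinkwrapped deploy image the post describes, as an added example that is not code from the post or from the Pulumi project: a multi-stage Dockerfile that resolves the lockfile while the registry is reachable, then produces a runtime image carrying a pinned Pulumi CLI plus vendored node_modules, so the deploy environment never talks to NPM. The version placeholders, the `org.example` label keys and the Node base image are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Build-time inputs; both values are placeholders to be pinned per release.
ARG PULUMI_VERSION=3.x.y
ARG INFRA_REVISION=unknown

# Stage 1: resolve dependencies from the lockfile while the registry is reachable.
FROM node:20-alpine AS deps
WORKDIR /src
COPY package.json package-lock.json ./
# npm ci installs exactly what the lockfile records and fails if it disagrees
# with package.json; --ignore-scripts keeps dependency install hooks from running.
RUN npm ci --ignore-scripts
COPY . .

# Stage 2: runtime image with the Pulumi CLI and the vendored node_modules,
# nothing that needs the NPM registry at deploy time.
FROM pulumi/pulumi-nodejs:${PULUMI_VERSION}
ARG PULUMI_VERSION
ARG INFRA_REVISION
WORKDIR /app
COPY --from=deps /src /app
# Record which infra revision and CLI version this artifact deploys, so the
# archived image can be paired with the matching application release later.
LABEL org.example.infra.revision="${INFRA_REVISION}" \
      org.example.pulumi.version="${PULUMI_VERSION}"
# No outbound call to check for CLI updates during a deploy.
ENV PULUMI_SKIP_UPDATE_CHECK=true
# Backend and cloud provider credentials are injected at run time, never baked in.
ENTRYPOINT ["pulumi"]
CMD ["up", "--yes", "--non-interactive"]
```

Build it with `--build-arg INFRA_REVISION=$(git rev-parse HEAD)` and push the tagged image to your container registry; the deploy environment only needs to pull that image, and a later rollback runs the archived tag rather than re-resolving anything.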