Why NPM lockfiles can be a security blindspot for injecting malicious modules

Is this something that could/should be done by the package repositories such as npmjs.com?