Hi @tve
you can always give your beta / testing versions tags like 0.4.125-beta or -test etc... so they are not "latest"...
And then also in npm you can publish them like that also - npm publish --tag test
see Adding dist-tags to packages | npm Docs
That stops a generic npm i your package
just picking it up - but someone can install it using the correct tag. You can also just run npm pack
locally which will give you a .tgz file to install locally using npm.
Of course they could also install direct from github (if the compiled/fully packaged code is there) which means you don't have to "pollute" npm at all. This is what Bart does for a lot of his test packages - eg see Announce node-red-contrib-http-logger