In git a commit is a full tree snapshot, even though most commit views only show the diff with the previous commit. npm is using the commit hash as a "version number" and grabbing the full git tree snapshot for that point in time. (Just like in git you can always `git checkout b181e0` to end up in a "detached HEAD" state at that commit's tree. So many developers were doing that unintentionally which is why `git switch` requires the `--detach` flag to checkout the tree at a commit, but the same thing is possible `git switch --detach b181e0`.)

I think it's pointing to a version of the repo, so npm installs the package.json of that version of the repo.