How Does npm --save Decide Which Version and SemVe

Published 2019-07-25 09:54

Question:

If I type the following into my computer

$ echo '{}' > package.json
$ npm install pug --save

and then look at my package.json, I'll see that npm added a dependency for me.

#File: package.json
{
    "dependencies": {
        "pug": "^2.0.0-rc.1"
    }
}

Sweet! However -- how does npm decide to grab version 2.0.0-rc.1? And how does npm decide to use the ^ SemVer version modifier?

As a user of npm can I configure or tell it to use a different SemVer modifier and/or download a different version? (both a specific version and/or something like "latest stable")

As an npm package maintainer, can I specify that npm's default behavior should be something other than "grab the latest version and slap a ^ on there"?

Answer 1:

npm takes the latest tag publicly available and ^ is the default; you can use save-prefix to change it locally.

To get a specific version, use @version after the package name, i.e. npm install pug@0.1.0. Something like Composer's minimum-stability doesn't exist in the npm world.

As a maintainer, you can't do anything, except keeping SemVer and writing good code :)

But after all, package.json is just JSON; you can simply modify it without using any CLI commands and define whatever you need.
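
The behaviour described in the answer, as an added example that is not part of the original post or npm's own code: it takes the version behind the `latest` dist-tag, applies `save-prefix` or `save-exact`, and lists which published versions the saved caret range would accept on a later install. The registry metadata is constructed sample data, `savedSpec`, `caretAllows` and `acceptedVersions` are hypothetical helper names, and the matching is a simplified form of the SemVer caret rules (no build metadata, no `x` ranges).

```javascript
// Added example; helper names are hypothetical. The registry metadata below is
// constructed sample data, not pug's real release history.
const packument = {
  name: 'pug',
  'dist-tags': { latest: '2.0.0-rc.1' },
  versions: ['1.11.0', '2.0.0-rc.1', '2.0.0-rc.2', '2.0.0', '2.1.0-beta.1', '2.4.0', '3.0.0'],
};

// What `npm install <name> --save` records: the version behind the dist-tag,
// prefixed with save-prefix unless save-exact is set.
function savedSpec(doc, { tag = 'latest', savePrefix = '^', saveExact = false } = {}) {
  const version = doc['dist-tags'][tag];
  if (!version) throw new Error(`no dist-tag "${tag}" for ${doc.name}`);
  return (saveExact ? '' : savePrefix) + version;
}

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer precedence: core fields numerically; a release outranks its prereleases.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return Number(x) - Number(y);
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort lower
    return x < y ? -1 : 1;
  }
  return 0;
}

// Caret range: upper bound bumps the left-most non-zero core field. A prerelease
// candidate matches only when the base has one on the same major.minor.patch.
function caretAllows(spec, candidate) {
  const base = parse(spec.replace(/^\^/, '')), v = parse(candidate);
  const i = base.core.findIndex((n) => n !== 0), k = i < 0 ? 2 : i;
  const upper = { core: base.core.map((n, j) => (j < k ? n : j === k ? n + 1 : 0)), pre: [] };
  if (v.pre.length && (!base.pre.length || v.core.join() !== base.core.join())) return false;
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

const acceptedVersions = (doc, spec) => doc.versions.filter((v) => caretAllows(spec, v));
```

With the default prefix, an install that has no lockfile can resolve to any of the accepted versions, while `save-exact` records only the version that was actually fetched.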