I correctly assumed (and this has been validated through actual plugin upgrades) that the latest hash in npm points to the most recently published version, and not the highest version.
That is, given your plugin nodebb-plugin-example
If v1.0.0 is compatible with v0.5.4
If v1.1.0 is compatible only
The latter is published first
A user typing npm install nodebb-plugin-example will receive v1.0.0 of the plugin, irrespective of what NodeBB version he/she is running, even though v1.1.0 is technically newer
Now, special note: The NodeBB Package Manager doesn't do this. When the ACP calls nbbpm to request a suggested package, we query npm for the plugin data, and sort the versions before checking compatibility, so this issue is moot.