You are on the right track – you want to publish package@1.0.6 without updating the latest tag. You can do this by supplying a --tag <tagname> argument to npm publish —
cd project
git checkout old-branch
grep version package.json
"version": "1.0.5",
[make changes]
git commit
npm version patch
grep version package.json
"version": "1.0.6",
npm publish --tag old-version
As long as you supply a --tag <tagname> argument to npm publish, the latest tag will not be updated, and people using npm install <package> or npm install <package>@latest will still get the 2.x version.
Note that the tagname has to share a namespace with version numbers, so it’s best to choose a tagname that doesn’t look like a semver version; avoid ‘1.0.6’ or ‘v1.0.6’.
Source: https://docs.npmjs.com/cli/publish
and: https://docs.npmjs.com/getting-started/using-tags