Just "prioritizing" doesn't fix it; you have to limit scoped packages to be provided by a single (trusted, internal) repo. Otherwise, what do you do when internal offers v1.2.3 but external says it has v1.99.99?
This is exactly what Verdaccio does, and has been doing since forever. It frankly kind of boggles my mind that other private registry implementations don't.
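An added example, not part of the comment above: a Verdaccio `config.yaml` fragment that serves one scope only from local storage, so a higher version published externally is never considered. The scope name `@internal` and the access groups are assumptions chosen for illustration.

```yaml
# Verdaccio config.yaml fragment (added example; scope name is a placeholder)
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  # Internal scope: there is deliberately NO `proxy:` key here, so Verdaccio
  # answers only from its own storage and never asks the uplink for
  # @internal/* packages. An external v1.99.99 cannot outrank the
  # internal v1.2.3 because it is never fetched.
  #
  # Weak form to avoid: adding `proxy: npmjs` to this entry merges the
  # uplink's versions with the local ones, which is the "prioritizing"
  # setup the comment describes.
  '@internal/*':
    access: $authenticated
    publish: $authenticated

  # Entries are matched top to bottom, so the internal scope above must
  # come before these broader patterns.
  '@*/*':
    access: $all
    publish: $authenticated
    proxy: npmjs

  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs
```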