This is more of a best-practice than anything, but for transparency sake, I think it'd be good to have the packages build and released via a transparent, verified by NPM process (like GitHub workflows) (see Securing your code: Generating provenance statements) so that the user knows the package they're installing hasn't been tinkered with.
Ideally, same thing would go for the website being transparently built and published.
None of these are big deals but I think they're best practices for security, especially with the surge of recent supply-chain attacks coming from insecure package building/release processes.
This is more of a best-practice than anything, but for transparency sake, I think it'd be good to have the packages build and released via a transparent, verified by NPM process (like GitHub workflows) (see Securing your code: Generating provenance statements) so that the user knows the package they're installing hasn't been tinkered with.
Ideally, same thing would go for the website being transparently built and published.
None of these are big deals but I think they're best practices for security, especially with the surge of recent supply-chain attacks coming from insecure package building/release processes.