GitHub Moves to Guard Open Source
Most npm packages are open source, there’s currently no guarantee that a package on npm is built from the same source code that’s published,” says Justin Hutchings, GitHub's director of product management. “Supply chain attacks are on the rise, and adding signed build information to open source packages that validates where the software came from and how it was built is a great way to reduce the attack surface.”