> It is already possible to verify the PGP (Pretty Good Privacy) signature of an NPM package but this only guarantees that the package downloaded matches what was published, and would not help in the case where a package is published but without proper authorisation.
If the downloaded-from-NPM package hash were matched to a hash stored at the source project location - e.g., github, gitlab, bitbucket, etc. - that *could* be more secure, because it would require two compromises. Provided the source project location and the npm package were truly independent. If the source project location were taken from the npm package.json file then it could obviously be a fake source project location.
And if the are a dozen or hundreds of dependencies, then manual checking of each hash stored at the source project is infeasible.
Supposing that source project repos were more secure than the NPM package repos, the source project could be used as a pointer to the NPM repo, along with the expected hash. That shouldn't be too much of a burden on the gitXXX provider in terms of delivery load. Obviously some problems with that plan too - it's still not independent and only requires one compromise - it's yet another standard - the first dependency that does not use it break the security of all dependencies below it.
Biting the hand that feeds IT
