WebExtensions like Neat URL continue to work even if you don't update it. You only have to inspect the extension code once (no developer mode needed) if you are skeptical, and you don't have to update it if you don't want to.
The paranoid in me says there’s no point in installing the web store version unless you download and inspect /it/. The source code published isn’t necessarily the version distributed, though obviously injecting code in the CI pipeline would be... excessive. This goes back to the trusting trust problem. https://www.schneier.com/blog/archives/2006/01/countering_tr... If someone managed to skip an exploit into a release of webpack, well, there goes the Internet ;-)
I've shared instructions for inspecting the source code of a Firefox add-on elsewhere in this discussion:
https://news.ycombinator.com/item?id=22388603
WebExtensions like Neat URL continue to work even if you don't update it. You only have to inspect the extension code once (no developer mode needed) if you are skeptical, and you don't have to update it if you don't want to.