[jhdias]

We read the source code.

[dotancohen]

I suggest looking into the Obfusicated C contest before relying on your own reading of code to verify lack of malicious intent.

[Filligree]

Then it auto-updates.

[rpdillon]

I highly recommend turning off auto updates on browser extensions.

[NinoScript]

Then we blindly trust that someone else is still reading the new version’s code and will raise the alarm if something bad happens.

[blacksmith_tb]

There's no source provided in the repo? It seems to just be a discussion of how to download the xpi from somewhere else.