This is in related to the publication of the package to npm. All of the publications are verified with provenance statements as supported by NPM directly; it's something I believe all NPM packages should be required to use but as of now it's optional; it simply provided verifiable signatures as to what was built and how it was built.