How does Bun ensure supply chain security when publishing to the registry?

[thelovekesh]

Recently, Bun introduced the publish command for publishing packages to the npm registry. I'm not entirely sure if the npm CLI performs any form of signing before publishing a package, but at some stage, it generates a signature from name + version + shasum.

However, when creating a tarball and sending it to the registry, how can we be sure that neither the tarball nor the metadata has been tampered with?

[RiskyMH]

There is npm publish --provenance, but bun doesn't support it yet (reading or publishing #15601)

And this feature seems very platform specific (so people can verify it's legitimacy)

Other then that I don't think npm has any signing.