integrity validation? #159
Description
npm and other package managers provide that via lockfiles
Another example is what @electron/get does with sha256 checksums when downloading electron binaries upon npm install: https://github.com/electron/get/blob/main/src/index.ts (that is also problematic though)
Otherwise there is no way to ensure that the downloaded bin is what was actually expected
Relying on github-hosted content and version tags to not change is problematic, it's not immutable like npm
Also see #158, integrity validation would have prevented that