NPM libraries verification service

Hi everyone. I’ve read the Inscriptions feature description and this gave me the following idea:

I think it would be nice to have some service for verifying npm library versions (making sure that the package is not compromised and was published by its author) to prevent incidents like the recent one with Ledger.

My vision is:

  1. Some website where we can find the package and check signed version.
  2. Some CLI tool to check it at build time and to sign the package hash sum at publish time.

But I'm not sure whether Inscriptions are the best way from a technical perspective; maybe some SC storage is enough to store it on the blockchain.

This idea is quite raw and it may contain many potential pitfalls, such as how to associate a signer address with a package publisher, and so on.

I hope we can discuss it here. What do you think about it?