
Feature: Improve Signed-release for npm package #3038

@laurentsimon

Description

npm has support for SLSA provenance. We should improve the check to check for provenance for the corresponding package, if possible, rather than only looking at GitHub releases.

I think this requires a way to search provenance from a repo, rather than from a package. Note: for a package, it is `attestations_url=$(npm view "$package_name" --json | jq -r '.dist.attestations.url')`.

So we can either find the right API on the registry, or use a deps.dev API.

An alternative is to search workflow files for `npm publish --provenance`. Another is to search for use of the OpenSSF npm builder.
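The package-side lookup described above, as an added example that is not part of the issue or the project's code: it parses the `dist.attestations` field of `npm view <pkg> --json` output (the sample JSON and package name are constructed) and reports whether the published version carries a SLSA provenance attestation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// npmView is the subset of `npm view <pkg> --json` output this check needs.
type npmView struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Dist    struct {
		Attestations *struct {
			URL        string `json:"url"`
			Provenance *struct {
				PredicateType string `json:"predicateType"`
			} `json:"provenance"`
		} `json:"attestations"`
	} `json:"dist"`
}

// ProvenanceResult summarises what the registry metadata claims for one version.
type ProvenanceResult struct {
	HasAttestations bool   // dist.attestations.url is present
	HasProvenance   bool   // predicateType is a slsa.dev provenance type
	AttestationURL  string // where the attestation bundle can be fetched
}

// CheckProvenance parses raw `npm view --json` output and reports provenance presence.
// A missing dist.attestations block simply means "no attestations", not an error.
func CheckProvenance(raw []byte) (ProvenanceResult, error) {
	var v npmView
	if err := json.Unmarshal(raw, &v); err != nil {
		return ProvenanceResult{}, fmt.Errorf("parse npm view output: %w", err)
	}
	var r ProvenanceResult
	a := v.Dist.Attestations
	if a == nil || a.URL == "" {
		return r, nil
	}
	r.HasAttestations = true
	r.AttestationURL = a.URL
	if a.Provenance != nil && strings.HasPrefix(a.Provenance.PredicateType, "https://slsa.dev/provenance/") {
		r.HasProvenance = true
	}
	return r, nil
}

// Constructed samples shaped like registry metadata with and without --provenance.
const sampleWithProvenance = `{"name":"example-pkg","version":"1.2.3","dist":{"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.2.3","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}}}}`
const sampleWithout = `{"name":"example-pkg","version":"1.2.2","dist":{"tarball":"https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.2.tgz"}}`

func main() {
	for _, s := range []string{sampleWithProvenance, sampleWithout} {
		r, err := CheckProvenance([]byte(s))
		fmt.Printf("%+v err=%v\n", r, err)
	}
}
```

Presence of the URL in registry metadata is only a claim; verifying the attestation bundle itself (for example with `npm audit signatures`) is a separate step.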

Status: Done