Trusted Publishing for NPM Packages

This kind of misses the point. Or rather... it's necessary but not sufficient. If the goal is to get code you can trust, then you have to trust each package. Origin Integrity will help you with this if you have a list of trusted devs. But what do you do if a trusted dev imports code from an untrusted source?