The idea is to keep the package.json version at 0.0.0, tag your release in git (e.g., v1.2.3), and publish.
HIPP rewrites the version on the fly and appends a signed manifest to the README with a disposable key.
Is there something I haven't thought of that makes this a bad idea? It simplifies my workflow and also provides a way to prove that what's in npm is the same as what's in git for that version. It also ensures that the person who published to npm is the same as the person who made the commit tied to that version.
No dependencies on anything other than git and npm.
TL;DR
git tag v1.0.0
git push origin main --tags
npx @dk/hipp
npx @dk/hipp verify
https://www.npmjs.com/package/@dk/hipp