I know companies and module developers _say_ they run the code which is publicly viewable on GitHub. But how can we be sure the server or client does not have additional code injected during the build process which would invalidate the otherwise secure framework they present to the public?