That's a load of crap. It can never become a GitHub issue that the Go ecosystem has chosen to make it look like the packages you pull come from GitHub, but are actually diverted to be served by Google from some strange pull-through cache.
Calling this a "lack of verification in the GitHub web interfaces" completely inverts the abstraction layers and asks GitHub to implement specific features for your incorrect use case.
Then there's the misnomer of a hash database being anywhere close to analogous to PGP-signed sources. This is amateur-level stuff.
NPM doesn't just proxy to GitHub (even though both are owned by Microsoft).
To see maintainers criticise GitHub for not being a perfect package manager is lunacy.
Nope, still catching up to Java and .NET.