> In a recent analysis, Adam Harvey found that among the 999 most popular crates on crates.io, around 17% contained code that do not match their code repository.

Huh, how is this possible? Is the code not pulled from the repository? Why not?

Publishing doesn't go through GitHub or another forge, it's done from the local machine. Crates can contain generated code as well.