There are two binaries commited to the repo (cap_wasm_bg.wasm) but from what I can tell, it doesn't seem to be making any network calls or what have you. They still should get rid of them and add a Rust build step for their browser/node packages.
It's not a good practice to commit binary blobs in a repository. And I don't think it would be difficult to add a prepublish step to your npm packages so that you can remove them. The end user shouldn't need to run the build script and compare hashes whenever the source code changes.
Very surprised to get pushback on what I thought was an industry standard lmao