
That’s my read. Even if there was some other logistical barrier, updating a bunch of external dependencies as most people do it unavoidably involves pre-trusting code you’ve never seen. I don’t think there’s any way around that, and given that, I don’t think there’s a purely technical solution. This requires having more vetting within package managers, but that’s not an easy lift.

