
> in 2023 this is the default for a lot of places

This is incredibly hyperbolic.



Are you sure? It's been accepted as common practice in my 15-year career so far, across multiple industries including automotive, finance, and marketing.


I agree with this.

I have never seen a firm say "hey, we should dig down the dependency chain to ensure that EVERY SINGLE package we use is fully signed and from a trusted (for some degree of trusted) source."

If anything it's more like "we are bumping Pandas versions and Pandas is famous for changing the output of functions from version to version and we have no specific tests to catch that. What should we do??"


Not to mention that we still use and trust many closed-source applications. I am even writing this on one (Safari).


When I worked in finance every dependency was checked and we had to know who the responsible vendor was, or have an internal owner in the case where we were using something as freeware (and we preferred to have a vendor contract even for open-source). We didn't dig much deeper than "who is it and what's their reputation", but we absolutely had a record of where each dependency was from and a name on the list.


But then did you check every one of their dependencies?


We treated transitive dependencies the same as any other dependencies (i.e. they had to have an owner and be audited etc.). We didn't audit our suppliers' build toolchains or vendored dependencies, but would've considered them responsible if something malicious came in that way.
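The two points above (checking that every package down the chain comes from a verifiable source, and treating transitive dependencies exactly like direct ones) have a mechanical counterpart in hash-pinned lockfiles. The following is an added example, not code posted in this thread: it parses a pip-style lockfile using the `--hash=sha256:<hex>` syntax that `pip-compile --generate-hashes` emits, flags entries that are not exactly pinned or carry no hash, and verifies an artifact's digest against the pin. The lockfile text and the artifact bytes are constructed for the example.

```python
"""Audit a pip requirements lockfile for version and hash pinning.

Added example for this discussion, not code from the thread. Assumes the
pip lockfile syntax ('name==version --hash=sha256:<hex>', with backslash
line continuations). Because a generated lockfile lists transitive
dependencies next to direct ones, the same check covers both.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample lockfile: two fully pinned entries (numpy standing in
# for a transitive dependency), one exact pin without a hash, one range pin.
SAMPLE_LOCKFILE = """\
# direct dependency
pandas==2.0.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
# transitive dependency pulled in by pandas
numpy==1.25.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
requests==2.31.0
pyyaml>=6.0
"""

# Constructed artifact bytes used to demonstrate digest verification.
CONSTRUCTED_WHEEL = b"constructed wheel bytes, not a real artifact\n"

REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s\\]*)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")
STRONG_ALGS = ("sha256", "sha384", "sha512")


@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: str
    hashes: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def exact_pin(self) -> bool:
        return self.operator == "=="

    @property
    def strong_hashes(self) -> bool:
        # Every pinned hash must use an algorithm we still trust.
        return bool(self.hashes) and all(alg in STRONG_ALGS for alg, _ in self.hashes)


def _logical_lines(text: str):
    """Join backslash-continued lines and drop comments/blank lines.

    Assumes '#' only introduces comments (no URL fragments in this sample)."""
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_lockfile(text: str) -> List[Requirement]:
    reqs = []
    for line in _logical_lines(text):
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        hashes = [(alg.lower(), hx.lower()) for alg, hx in HASH_RE.findall(line)]
        reqs.append(Requirement(name.lower(), op, version, hashes))
    return reqs


def audit(reqs: List[Requirement]) -> List[Tuple[str, str]]:
    """Return (package, finding) pairs for entries that cannot be verified."""
    findings = []
    for r in reqs:
        if not r.exact_pin:
            findings.append((r.name, "not pinned to an exact version"))
        if not r.hashes:
            findings.append((r.name, "no --hash pin; artifact cannot be verified at install time"))
        elif not r.strong_hashes:
            findings.append((r.name, "weak hash algorithm in --hash pin"))
    return findings


def sha256_pin(data: bytes) -> Tuple[str, str]:
    return ("sha256", hashlib.sha256(data).hexdigest())


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """Accept the artifact only if its digest matches one of the pinned hashes."""
    for alg, expected in req.hashes:
        if alg not in hashlib.algorithms_available:
            continue
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    for pkg, problem in audit(parse_lockfile(SAMPLE_LOCKFILE)):
        print(f"{pkg}: {problem}")
```

With hashes present for every entry, `pip install --require-hashes -r lockfile.txt` refuses any artifact whose digest does not match, which is what turns a lockfile from a reproducibility aid into an integrity check on the whole chain.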



