
That is why many companies forbid installing packages from the Internet: they have to be reviewed, accepted by the legal team, and made available on the internal package server, and only then can you make use of them in the respective application.

An update triggers the whole process again.

Yes, it is a pain to deal with, and the only way to make sure 3rd party dependencies are actually valid, and also keep working no matter what happens to upstream.


