And of course that's ignoring the real solution.
Supply chain risk is fucking easy to solve.
Know your dependencies, yourself as much as possible and then with other people you trust to make software repositories.
That's what distros are for, which also means that if you do not trust a software repo you've picked: Leave it.
It's also why I've been avoiding entire software ecosystems where dependencies are managed by stuff like dependabot without any reviewing process going on.
Or ones where librairies can't be packaged by themselves.