I agree, but that's not sufficient in an open source software supply chain. You also need to inspect the dependencies and you need to do this every time you pull any new versions.