Comment by nijave
2 years ago
I think some middle ground might be including an extension lock file that gets committed to the repo. For internal projects, users will get auto-configured by trusting the other internal users that set up the repo.
For external projects, users need to trust the project they're pulling down anyway since it's arbitrary code.
That would also help mitigate the risk of supply chain attacks (since versions are pinned and, ideally, package integrity is verified).
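A sketch of what the lock file the comment proposes could look like, and of the check a client would run before installing anything from it. This is an added example, not code from the comment, from Hacker News, or from any editor or extension marketplace: the JSON lock format, the extension identifiers and the artifact bytes are all constructed for illustration. The point it demonstrates is the one in the comment: with version plus content hash pinned in the repo, a registry that serves a different version or different bytes for the same identifier is detected, and an extension that is not in the lock file is refused rather than silently installed.

```python
import hashlib
import hmac
import json

# Constructed artifacts: ext_id -> (version, bytes of the packaged extension).
# The bytes stand in for a downloaded package file; they are not real extensions.
GOOD_ARTIFACTS = {
    "example.linter": ("1.4.2", b"PK\x03\x04 constructed linter package bytes"),
    "example.theme": ("0.9.0", b"PK\x03\x04 constructed theme package bytes"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lock(resolved: dict) -> str:
    """Producer side: someone who set up the repo resolves versions once and
    records version + sha256 of the exact package bytes. Output is committed.
    Hypothetical lock format with a schema version so clients can reject
    lock files they do not understand."""
    entries = {
        ext_id: {"version": version, "sha256": sha256_hex(data)}
        for ext_id, (version, data) in sorted(resolved.items())
    }
    return json.dumps({"lockfileVersion": 1, "extensions": entries},
                      indent=2, sort_keys=True)


def verify_artifacts(lock_json: str, downloaded: dict) -> dict:
    """Consumer side: compare what the registry served against the lock.
    Returns ext_id -> "ok" or a reason the install must be refused."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion") != 1:
        raise ValueError("unsupported lock file version")
    pinned = lock["extensions"]
    report = {}
    for ext_id, entry in pinned.items():
        if ext_id not in downloaded:
            report[ext_id] = "missing: pinned but not fetched"
            continue
        version, data = downloaded[ext_id]
        if version != entry["version"]:
            report[ext_id] = (f"version drift: lock pins {entry['version']}, "
                              f"registry served {version}")
            continue
        # Constant-time compare of hex digests; the hash covers the full
        # package bytes, so a swapped artifact at the same version is caught.
        if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
            report[ext_id] = "integrity failure: sha256 mismatch"
            continue
        report[ext_id] = "ok"
    # Anything served that the repo never pinned is refused: auto-configuring
    # from the lock file must not become a path to install arbitrary extras.
    for ext_id in downloaded:
        if ext_id not in pinned:
            report[ext_id] = "unpinned: not in lock file, refusing to install"
    return report


def install_allowed(report: dict) -> bool:
    return bool(report) and all(status == "ok" for status in report.values())


# Three constructed failure scenarios a client should catch.
TAMPERED = dict(GOOD_ARTIFACTS)
TAMPERED["example.linter"] = ("1.4.2", b"PK\x03\x04 same version, different bytes")

DRIFTED = dict(GOOD_ARTIFACTS)
DRIFTED["example.theme"] = ("1.0.0", GOOD_ARTIFACTS["example.theme"][1])

UNPINNED = dict(GOOD_ARTIFACTS)
UNPINNED["someone.helper"] = ("2.0.0", b"PK\x03\x04 not in the lock file")


def demo() -> dict:
    """Run the check against each scenario; returns scenario -> report."""
    lock = build_lock(GOOD_ARTIFACTS)
    return {
        "good": verify_artifacts(lock, GOOD_ARTIFACTS),
        "tampered": verify_artifacts(lock, TAMPERED),
        "drifted": verify_artifacts(lock, DRIFTED),
        "unpinned": verify_artifacts(lock, UNPINNED),
    }


if __name__ == "__main__":
    for scenario, report in demo().items():
        print(scenario, "->", "install" if install_allowed(report) else "refuse")
        for ext_id, status in report.items():
            print("   ", ext_id, status)
```

The hash is computed over the package bytes the client actually received, not over metadata the registry reports about itself, which is what makes a pinned lock file useful against a compromised or substituted registry. The trust question the comment raises is still there: the first person to commit the lock file is trusted to have resolved the right packages, and everyone cloning the repo inherits that decision.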