
Comment by rectang

1 year ago

When a primary dependency is added to a project, its publishers are evaluated for trustworthiness; it's possible that a dependency might be ruled out if its authors seem sketchy or insufficiently concerned with security. Different organizations might have different standards for what they'd accept, but in any case, this evaluation only needs to happen once.

Afterwards, it suffices to validate with each dependency update that the publisher is the same publisher that was evaluated before.
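One way to implement the two-step process the comment describes (evaluate the publisher once, then only confirm "same publisher" on each update), as an added example rather than the commenter's own code. The trust-record layout, the release-metadata layout, the verdict names and all sample packages, publishers and keys are constructed for illustration; real package managers expose publisher identity differently (maintainer lists, signing keys, Sigstore/OIDC identities), and signature verification of the release itself is assumed to happen before this check runs.

```python
"""Publisher pinning for dependency updates.

The one-time human evaluation is persisted as a TrustRecord; every later
update is accepted only if it carries the same publisher identity and a
signing key already seen for that publisher. A changed identity blocks the
update; a new key under the same identity asks for a fresh look rather than
silently extending trust.
"""
import hashlib
import json
from dataclasses import dataclass

OK, REEVALUATE, BLOCK = "ok", "reevaluate", "block"


def key_fingerprint(public_key: str) -> str:
    """Short SHA-256 fingerprint of a public key (any stable encoding)."""
    return hashlib.sha256(public_key.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class TrustRecord:
    package: str
    publisher: str               # identity a human evaluated once (assumed string form)
    key_fingerprints: frozenset  # signing keys seen for that publisher
    evaluated_by: str


def record_first_evaluation(release: dict, reviewer: str) -> TrustRecord:
    """Persist the outcome of the one-time publisher evaluation."""
    return TrustRecord(
        package=release["package"],
        publisher=release["publisher"],
        key_fingerprints=frozenset({key_fingerprint(release["public_key"])}),
        evaluated_by=reviewer,
    )


def check_update(record: TrustRecord, release: dict) -> tuple:
    """Answer "is this the publisher we evaluated?" for a new release.

    Returns (verdict, reason). The release signature is assumed to have been
    verified against release["public_key"] by the package tool already.
    """
    if release["package"] != record.package:
        return BLOCK, f"record is for {record.package}, release is for {release['package']}"
    if release["publisher"] != record.publisher:
        # Different identity: a maintainer hand-over or a takeover; either way
        # the earlier evaluation no longer applies.
        return BLOCK, f"publisher changed: {record.publisher} -> {release['publisher']}"
    fp = key_fingerprint(release["public_key"])
    if fp not in record.key_fingerprints:
        # Same identity, unfamiliar key: legitimate rotation or a compromised
        # account; do not extend trust automatically.
        return REEVALUATE, f"new signing key {fp} for {record.publisher}"
    return OK, f"same publisher and key as evaluated by {record.evaluated_by}"


def record_to_json(record: TrustRecord) -> str:
    """Serialise the record so it can live next to the lockfile."""
    data = {
        "package": record.package,
        "publisher": record.publisher,
        "key_fingerprints": sorted(record.key_fingerprints),
        "evaluated_by": record.evaluated_by,
    }
    return json.dumps(data, indent=2)


def record_from_json(text: str) -> TrustRecord:
    data = json.loads(text)
    return TrustRecord(
        package=data["package"],
        publisher=data["publisher"],
        key_fingerprints=frozenset(data["key_fingerprints"]),
        evaluated_by=data["evaluated_by"],
    )


# Constructed sample release metadata (hypothetical package, publisher and keys).
V1 = {"package": "widget", "version": "1.2.0",
      "publisher": "acme-release-bot", "public_key": "PUBKEY-ACME-2023"}
V2_SAME = {**V1, "version": "1.3.0"}
V2_ROTATED = {**V1, "version": "1.3.0", "public_key": "PUBKEY-ACME-2024"}
V2_TAKEOVER = {**V1, "version": "1.3.0",
               "publisher": "helpful-stranger", "public_key": "PUBKEY-STRANGER"}

if __name__ == "__main__":
    trusted = record_first_evaluation(V1, reviewer="alice")
    for candidate in (V2_SAME, V2_ROTATED, V2_TAKEOVER):
        verdict, reason = check_update(trusted, candidate)
        print(f"{candidate['version']}: {verdict} ({reason})")
```

The point of the three verdicts is that only the exact match is cheap: a new key under a familiar name and a new name both send the package back through the original evaluation, which is the one place where human judgement about the publisher was applied.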