I think if you set cooldowns and stick to more reputable sources, it might be okay. I do pin my versions and do manual updates in my home lab, but that's more for stability and so it increases the chances I'll catch update issues while I'm already there. I don't pretend that gives me any extra security, though, because I don't have the time to review updates beyond surface-level changelogs. I don't think the solution to supply chain issues is for every developer to be paranoid at all times. I think we need better systems built on top of existing package managers to check provenance and integrity, and to allow security researchers and automated tools to vet releases before they're distributed more broadly.