An Update on Composer and Packagist Supply Chain Security (blog.packagist.com)
captn3m0 19 hours ago
I arrived at a similar model for NPM using hooks in pnpm: https://github.com/captn3m0/npm-sec-feed. I love the work Packagist/Composer is doing in the space.

I’m now a firm believer that every package manager needs to support hooks globally.

Composer also supports conflicts, which results in this amazing approach of having a meta-package conflict with insecure packages: https://github.com/Roave/SecurityAdvisories.

Can’t happen in Node, sadly, because of language differences.
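The conflict mechanism referred to above, as an added illustration that is not part of the thread or of the Roave project: a meta-package whose composer.json installs nothing itself and only declares `conflict` constraints against vulnerable version ranges, so Composer's solver refuses any install or update that would pull those versions in. The package names and version ranges are constructed placeholders.

```json
{
    "name": "example/security-advisories-metapackage",
    "description": "Constructed example: a metapackage that installs no code and only blocks known-vulnerable versions of other packages via conflict constraints",
    "type": "metapackage",
    "license": "MIT",
    "conflict": {
        "example-vendor/http-client": "<2.4.1",
        "example-vendor/template-engine": ">=3.0,<3.2.5"
    }
}
```

Requiring such a package as a dev dependency makes `composer require` and `composer update` fail dependency resolution, rather than silently installing a version inside a conflicting range.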

moebrowne 1 day ago
I appreciate Composer's slower but deliberate, well-thought-out approach to supply chain attack mitigations.