Refuse bad packages on the install path
Vulnerability, license, and version rules run on every install before the package enters a build. Up to 12 supply-chain attack signals run on the same request (per-ecosystem support varies — see our per-ecosystem coverage matrix).