Private, hosted package systems like pipe ey dev server or whatevertoss are a good way to insulate yourself from dependency confusion attacks. If you're pointing your install at private server that just doesn't have any of that stuff on it because you mannually cural curated it, then yet, that's a pretty god andsilly on people like artfactory, google clouds, artfactrt have things. We can give you some tools to help ou do that.