> Having production ever pull from the interwebs just seems bonkers to me.
Is it really that big of an issue if your package manager pins dependencies by hash?
I guess a public package registry can be down and break your pipeline, that's a risk. But I don't see how it introduces any new security problems.
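To make the distinction in this comment concrete (availability risk versus integrity risk), here is an added example, not the commenter's code, of what a hash-pinning lock file buys you: a minimal verifier that accepts a fetched artifact only if its sha256 matches the pin, and fails closed otherwise. Package names and artifact bytes are constructed stand-ins, and the three `registry_*` fetchers simulate a healthy registry, one serving altered bytes under the same version, and an outage.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed artifacts standing in for what the registry served when the
# lock file was generated (hypothetical package names, not real projects).
GOOD_ARTIFACTS = {
    "leftpad-1.0.0.tar.gz": b"leftpad source v1.0.0 (constructed)",
    "colors-2.3.1.tar.gz": b"colors source v2.3.1 (constructed)",
}

# Lock file as a package manager would write it: artifact name -> pinned sha256.
LOCKFILE = {name: sha256_hex(data) for name, data in GOOD_ARTIFACTS.items()}

class RegistryUnavailable(Exception):
    pass

class HashMismatch(Exception):
    pass

def verify_and_install(lockfile, fetch):
    """Fetch every pinned artifact and accept it only if its sha256 matches the
    lock file. Returns the accepted artifact names; raises on the first failure
    so nothing unverified reaches the build (fail closed)."""
    accepted = []
    for name, pinned in lockfile.items():
        data = fetch(name)  # may raise RegistryUnavailable (availability risk)
        actual = sha256_hex(data)
        if actual != pinned:  # content changed: the integrity check catches it
            raise HashMismatch(f"{name}: expected {pinned[:12]}..., got {actual[:12]}...")
        accepted.append(name)
    return accepted

def registry_ok(name):
    return GOOD_ARTIFACTS[name]

def registry_tampered(name):
    # Same version string, different bytes: a pin by version alone would accept this.
    if name == "colors-2.3.1.tar.gz":
        return b"colors source v2.3.1 plus an unexpected change"
    return GOOD_ARTIFACTS[name]

def registry_down(name):
    raise RegistryUnavailable("registry timeout")

def outcome(fetch):
    """Classify an install attempt as 'ok', 'hash-mismatch' or 'unavailable'."""
    try:
        verify_and_install(LOCKFILE, fetch)
        return "ok"
    except HashMismatch:
        return "hash-mismatch"
    except RegistryUnavailable:
        return "unavailable"
```

The outage case stops the pipeline but installs nothing wrong; the tampered case is the one the pin exists for.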