Hacker News

hunterpayne, today at 10:42 AM, 0 replies

This wouldn't stop a lot of supply chain attacks. Attacks aren't identified immediately. Often they are only identified months later. And in that period, plenty of zero days are fixed. So this technique not only doesn't fix the problem, it introduces others. Also, again, this only happens to Python because of design flaws in the package managers themselves. Fix the package managers and this all goes away.