They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.

It'd be a gargantuan effort to do it for every package, most times it's just a version + hash update and maybe a test.