While it's not perfect, pinning specific versions and managing all updates directly has been a solid solution for my team. Things can of course still slip through, but we're never vulnerable to these just because there was a new package release and we opted into it by default.
Updating packages takes longer, but we try to keep packages to a minimum, so it ends up not being that big a deal.
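As an added example that is not part of the comment above, the following script shows one way to enforce the "pin specific versions" practice it describes: it scans a pip-style requirements file and flags every dependency that is not pinned to an exact version, so a range or a bare package name cannot silently pull in a new release. The pip requirements syntax, the sample file contents, and the function names are assumptions; the comment does not say which package manager the team uses.

```python
"""Flag dependencies that are not pinned to an exact version.

Added example, not code from the original comment. It assumes pip-style
requirements syntax (name==version, optional extras and environment markers).
"""
import re
from typing import List, Tuple

# Matches "name[extras] OPERATOR version" at the start of a requirement line.
_SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|!=|<=|>=|<|>)?\s*(?P<version>[^\s;#]*)"
)


def classify_requirement(line: str) -> Tuple[str, str]:
    """Return (package_name, status) for one requirement line.

    status is one of:
      "pinned"   - exact version via == or === with no wildcard
      "range"    - a range, compatible release (~=), or wildcard (==1.*)
      "unpinned" - no version constraint at all
    """
    body = line.split("#", 1)[0].strip()  # drop inline comment
    m = _SPEC_RE.match(body)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, op, version = m.group("name"), m.group("op"), m.group("version")
    if op in ("==", "===") and version and "*" not in version:
        return name, "pinned"
    if op:
        return name, "range"
    return name, "unpinned"


def find_unpinned(requirements_text: str) -> List[Tuple[str, str]]:
    """Return [(name, status)] for every requirement that is not an exact pin."""
    findings = []
    for raw in requirements_text.splitlines():
        stripped = raw.strip()
        # Skip blank lines, comments, and pip options such as "-r" or
        # "--hash=..." continuation lines; none of these name a package.
        if not stripped or stripped.startswith(("#", "-")):
            continue
        name, status = classify_requirement(stripped)
        if status != "pinned":
            findings.append((name, status))
    return findings


# Constructed sample: one exact pin, one range, one bare name, one wildcard pin.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements file
requests==2.31.0
urllib3>=1.26,<3
pyyaml
cryptography==41.*
"""

if __name__ == "__main__":
    for name, status in find_unpinned(SAMPLE_REQUIREMENTS):
        print(f"{name}: {status}")
```

Run as a pre-commit or CI check, a non-empty result fails the build, which keeps the opt-in update model the comment describes from eroding as new dependencies are added. Exact pins only fix which version is requested; verifying that the downloaded artifact is the expected one is a separate step (pip's `--hash` entries, which this script deliberately skips over rather than validates).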