
> our IT security team must approve all third-party packages before we can use them

Do they also review the original tooling? Why would one single out third-party packages?

>> Do they also review the original tooling? Why would one single out third-party packages?

Everything used for software development is explicitly approved. This includes programming languages, compilers, debuggers, IDEs, etc. We are primarily a Microsoft shop, so the majority of our development tools follow that direction.

For FLOSS libraries, the approval process covers an IT security review, a source code scan / static analysis, and a legal review of the package's license to ensure it is not on the prohibited list.

This makes management happy since it prevents potential security and legal issues. It keeps our customers happy since they get quality software made from fully traceable components.


It sounds like you download software blindly from the Internet with the extra preliminary steps that make your customers happy.


It's less blind than other places I have worked.

When a CVE is announced, we know immediately if we are impacted and what will need to be fixed.

Some places have no idea what their dependencies are. I am sure there are lots of log4j horror stories from Java shops that were not so careful.
