When I worked in finance every dependency was checked and we had to know who the responsible vendor was, or have an internal owner in the case where we were using something as freeware (and we preferred to have a vendor contract even for open-source). We didn't dig much deeper than "who is it and what's their reputation", but we absolutely had a record of where each dependency was from and a name on the list.
We treated transitive dependencies the same as any other dependencies (i.e. they had to have an owner and be audited etc.). We didn't audit our suppliers' build toolchains or vendored dependencies, but would've considered them responsible if something malicious came in that way.
