Pavle

How do you protect yourself from supply chain attacks?

The last twelve months have been brutal for npm and PyPI. Shai-Hulud and its variants. The May 11 campaign that hit TanStack, Mistral AI, UiPath, and OpenSearch on both registries in the same wave. Bitwarden CLI. Axios. Lightning. Trivy ended up in CISA's KEV catalog. Glassworm.
Every one of those incidents triggered the same news cycle: "developers should be more careful." But "be careful" isn't a process. And most of the textbook advice (pin versions, review dependencies, audit lockfiles, use SBOMs) is either ignored under deadline pressure or quietly skipped because it doesn't scale to the rate at which install commands actually run.
So I want to hear what people are really doing.
— Do you read package source before installing anything new? Honestly?
— Do you pin every version, or accept caret ranges and hope?
— Do you run `npm audit` / `pip-audit` and act on the output, or scroll past it?
— Have you actually disabled install scripts (`npm config set ignore-scripts true`, yarn's `enableScripts: false`)? If yes, what broke?
— Anyone using lockfile-only installs (`npm ci`, `pip install -r requirements.txt --require-hashes`) consistently in dev, not just CI?
— Are you running a scanner (Socket, Snyk, Aikido, GitHub Advanced Security, something else)? Does it catch things, or mostly just generate noise?
— What's the policy at your company versus what you actually do on your own machine?

I'm asking because I am launching Veln tomorrow — it's a local proxy that scores npm and pip packages and blocks the bad ones before they download. But I built it from my own habits, which is a sample size of one. The more honestly people answer the question above, the better the tool gets. No wrong answers. "I do basically nothing and hope" is a real and common answer.
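For readers who want to check where their own project stands on the pinning, install-script and lockfile questions above, here is an added example (not part of the original post, and not Veln's code). It assumes the npm lockfile v2/v3 `packages` layout and that the public npm registry is the only expected source; `auditLock` and all sample data are constructed for illustration.

```javascript
// Added example: reports what a package.json / package-lock.json pair says about
// version pinning, install scripts, integrity hashes and tarball sources.
function auditLock(manifest, lock) {
  const findings = { unpinned: [], installScripts: [], noIntegrity: [], offRegistry: [] };

  // Anything that is not an exact x.y.z version (caret, tilde, wildcard, tag, URL)
  // is only held in place by the lockfile, and only when installs use `npm ci`.
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const [name, range] of Object.entries(deps)) {
    if (!/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(range)) findings.unpinned.push(`${name}@${range}`);
  }

  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "" || pkg.link) continue; // skip the root project and workspace links
    const id = `${path.replace(/^.*node_modules\//, "")}@${pkg.version}`;
    // These are the packages that change behaviour once ignore-scripts is on.
    if (pkg.hasInstallScript) findings.installScripts.push(id);
    // Bundled dependencies ship inside their parent tarball and carry no hash of their own.
    if (!pkg.integrity && !pkg.inBundle) findings.noIntegrity.push(id);
    // Assumption: every tarball should come from the public npm registry.
    if (pkg.resolved && !pkg.resolved.startsWith("https://registry.npmjs.org/")) {
      findings.offRegistry.push(id);
    }
  }
  return findings;
}

// Constructed sample input (package names, hashes and URLs are placeholders).
const sampleManifest = {
  dependencies: { "example-http": "^1.6.0", "example-native": "2.0.1" },
  devDependencies: { "example-lint": "~9.1.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/example-http": { version: "1.6.2", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/example-http/-/example-http-1.6.2.tgz" },
    "node_modules/example-native": { version: "2.0.1", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/example-native/-/example-native-2.0.1.tgz",
      hasInstallScript: true },
    "node_modules/example-lint": { version: "9.1.3",
      resolved: "https://tarballs.example.invalid/example-lint-9.1.3.tgz" },
  },
};

console.log(JSON.stringify(auditLock(sampleManifest, sampleLock), null, 2));
```

To run it against a real project, pass the parsed contents of `package.json` and `package-lock.json` in place of the sample objects.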
