Yes, that is what is required. Every dependency needs an internal owner and reviewer. Every change needs to be reviewed and brought into the internal repository.

If no one is willing to stand up and say "yes this is safe and of acceptable quality", why use it?

It's a software engineering version of the professional engineering stamp.

I love the sibling response from @jp...

Also, IME we don't deep dive everything (should we?)

For most stuff we make sure the latest is not-shit and passed test cases. We do have ceremony around version bumps.