by mowse_winded 1074 days ago
But then did you check every one of their dependencies?

We treated transitive dependencies the same as any other dependencies (i.e. they had to have an owner and be audited etc.). We didn't audit our suppliers' build toolchains or vendored dependencies, but would've considered them responsible if something malicious came in that way.