Might be the case that the developer in question - or a predecessor, whose history set precedent in the company - had indeed argued for a privately maintained repository, or to verify dependency hashes and whatnot, but was dealt with managerial resolution.

