What are your preferred methods for securing third-party open-source dependencies in a continuous integration pipeline?