I think that’s prudent.
What override would get them a potentially malicious update without spotting this themselves? If they rely on older versions they’re still protected by the hash, and if they deliberately upgrade to 1.3 they’re in the hands of upstream.