Most repositories have some sort of vetting process as far as I'm aware. In the case of Zed, because it's open-source, it can be examined more completely, although I don't think it's expected for every update to be heavily scrutinized.

In the end, at some point you either have to inspect every line of code yourself or trust others to have done it for you. Package managers fall into the latter category.