Update (because readers clicking “like” have pushed this thread back into the recent activity feed):
Pull request #3562—which at the moment has passed tests but not yet been merged—aims to throw a warning whenever such an indirect dependency is imported.