Blacklist modules
Giving the most recent critical security vulnerability detected, https://www.drupal.org/sa-core-2023-006, a question arose regarding the possibility to backlist a module, until a patch is applied.
After investigation, it appears out of the box, this feature is not possible, however there's a module which provides said functionality.
I propose we add to our distribution https://www.drupal.org/project/module_blacklist. The module allows site administrators to block certain module from being installed, based on a blacklist set on settings.php file.
In this case simply adding the mentioned module, results in blocking fresh installations of said module.
$settings['module_blacklist'] = [
'jsonapi',
];
It does not block already installed modules, which can be discussed further.
Related to this topic, the following module, can be particularly interesting for websites still in PHP 7, and to Drupal 10 beyond EOL: