Somebody in the thread suggested treating ownership changes as a major version bump. That seems worth exploring, although my gut feeling is that the only way it'd really work well is to make it part of the semver standard and have the registry automatically bump and republish on any addition to the collaborator/publisher list.
Yeah but then a smart attacker would just release an innocuous major version and then slip in the malware in the next minor one.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.