by isoos 1577 days ago
> This problem is likely common to every public registry.

Not necessarily, it depends on what kind of authentication you are using. For example a Google account has a unique OAuth ID, and if your GSuite/Workplace/whatever account expires, and you recreate it again (regardless of the domain expiry/transfer in-between), the OAuth flow will present a new ID alongside the email address.

Dart/Flutter's package manager pub.dev uses Google accounts as authentication and has this extra OAuth ID check to prevent hostile ownership takeovers.

Disclaimer: I'm a contributor to pub.dev

1 comments
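The ownership check described in the comment above, as an added illustration that is not pub.dev's own code: the owner record stores both the email and the OAuth subject identifier (`sub` in an OIDC ID token), and a publish is allowed only when both match. The claim dictionaries, `sub` values and the `bind` rule for legacy owners are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PackageOwner:
    email: str
    oauth_sub: Optional[str]  # None for owners recorded before sub was stored (assumed legacy case)


def publish_decision(owner: PackageOwner, claims: dict) -> str:
    """Decide whether the holder of an OIDC ID token may publish as `owner`.

    Returns 'allow', 'deny', or 'bind' (legacy owner with no recorded sub:
    record the sub from this login, then allow).
    """
    if not claims.get("email_verified", False):
        return "deny"
    if claims.get("email", "").lower() != owner.email.lower():
        return "deny"
    sub = claims.get("sub")
    if not sub:
        return "deny"
    if owner.oauth_sub is None:
        return "bind"
    # Same email but a different sub means the account was deleted and
    # recreated (e.g. after a domain expired and changed hands): reject.
    return "allow" if sub == owner.oauth_sub else "deny"


def bind_sub(owner: PackageOwner, claims: dict) -> PackageOwner:
    """Record the sub on a legacy owner after its first verified login."""
    return PackageOwner(email=owner.email, oauth_sub=claims["sub"])


# Constructed sample: the original owner, then a recreated account with the
# same address after the domain was re-registered by someone else.
ORIGINAL_TOKEN = {"email": "maintainer@example.org", "email_verified": True, "sub": "1001"}
RECREATED_TOKEN = {"email": "maintainer@example.org", "email_verified": True, "sub": "2002"}
OWNER = PackageOwner(email="maintainer@example.org", oauth_sub="1001")

if __name__ == "__main__":
    print(publish_decision(OWNER, ORIGINAL_TOKEN))   # allow
    print(publish_decision(OWNER, RECREATED_TOKEN))  # deny
```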

Interesting. Out of curiosity, is there a flow for when a package author gets permanently locked out of their Google account? There have been cases of people losing access to their entire Google account due to ToS breaches on one site (e.g. YouTube).

The safest option here would be to create an orphan package, but that has some usability concerns (will people realise it's orphaned and update accordingly?).