by crote 236 days ago
You're still getting DDoSed. If you only accept PRs from pre-vetted people you'll inevitably be left with zero contributors: people naturally leave over time, so in order to maintain a healthy ecosystem you need to accept some newcomers.

Don't throw the baby out with the bathwater.

1 comment

There is no healthy ecosystem. Most packages are one or two contributors. And have been for forever. Granted, it's NuGet, where MS is the giant that overshadows everything, but I have read a lot about this and it's the same everywhere.

https://opensourcesecurity.io/2025/08-oss-one-person/