I've just filed issues with npm and uv (edit: and pip) proposing that if their dependency-cooldown options are unset they should default to seven days. No safety measure is perfect but sensible defaults can hopefully improve the situation.
FWIW I don't think we're doomed, but I do think that all package managers and the ecosystems around them could be made much safer and more robust with a modest set of safe defaults. Default to 7-day cooldowns, and this problem barely exists. If human intervention is required when deps/postinstall scripts change? With that defaulted to on, this problem doesn't exist at all.
This is clean running water and washing our hands with soap territory, it's the fundamentals.
Source: https://cosocial.ca/users/mhoye/statuses/116179098165621963
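To make the cooldown idea concrete, here is an added example (not the author's code, and not how npm, uv or pip implement their options) of what a 7-day release cooldown does at resolution time: any version published more recently than the cooldown window is held back, and the newest remaining version is chosen. The release data is constructed for the example and follows the field layout of PyPI's JSON API (`releases` keyed by version, each file carrying `upload_time_iso_8601`); the version-ordering helper assumes plain dotted integers and is a simplification.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data in the shape of PyPI's JSON API "releases" map.
# Versions, timestamps and the "current time" are made up for this example.
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2025-11-20T09:00:00Z"}],
    "1.4.1": [{"upload_time_iso_8601": "2025-12-01T15:30:00Z"}],
    "1.5.0": [{"upload_time_iso_8601": "2025-12-03T08:00:00Z"}],
}
SAMPLE_NOW = datetime(2025, 12, 5, tzinfo=timezone.utc)  # constructed clock

DEFAULT_COOLDOWN_DAYS = 7  # the default the post argues for


def _parse_upload_time(ts: str) -> datetime:
    # PyPI timestamps end in "Z"; fromisoformat on older Pythons needs "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(version: str) -> tuple:
    # Simplified ordering: dotted integers only (no pre-release/local segments).
    return tuple(int(part) for part in version.split("."))


def first_upload_time(files: list) -> datetime:
    # A release is "published" when its first file appears on the index.
    return min(_parse_upload_time(f["upload_time_iso_8601"]) for f in files)


def eligible_versions(releases: dict, now: datetime,
                      cooldown_days: int = DEFAULT_COOLDOWN_DAYS) -> list:
    """Versions old enough to pass the cooldown, oldest first."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [
        version for version, files in releases.items()
        if files and first_upload_time(files) <= cutoff
    ]
    return sorted(eligible, key=_version_key)


def held_back(releases: dict, now: datetime,
              cooldown_days: int = DEFAULT_COOLDOWN_DAYS) -> list:
    """(version, age_in_days) for releases still inside the cooldown window.

    Surfacing this list is what lets a human decide to wait, or to opt in
    to a specific new version deliberately rather than by accident.
    """
    cutoff = now - timedelta(days=cooldown_days)
    report = []
    for version, files in sorted(releases.items(), key=lambda kv: _version_key(kv[0])):
        if not files:
            continue
        published = first_upload_time(files)
        if published > cutoff:
            report.append((version, (now - published).days))
    return report


def resolve_latest(releases: dict, now: datetime,
                   cooldown_days: int = DEFAULT_COOLDOWN_DAYS):
    """Newest version that has aged past the cooldown, or None if none has."""
    eligible = eligible_versions(releases, now, cooldown_days)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    chosen = resolve_latest(SAMPLE_RELEASES, SAMPLE_NOW)
    print(f"resolved: {chosen}")
    for version, age in held_back(SAMPLE_RELEASES, SAMPLE_NOW):
        print(f"held back: {version} (published {age} days ago)")
```

With the constructed data the 7-day default resolves to 1.4.0 and reports 1.4.1 and 1.5.0 as held back; shrinking the window to 3 days admits 1.4.1, and a cooldown of 0 reproduces today's behaviour of taking whatever is newest. The design point is that the cooldown is applied inside resolution, so a compromised release gets no window in which fresh installs pick it up automatically, and the held-back list gives operators something to review rather than silently skipping versions.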