
Another facepalm in the comments section:

> What did GitHub say when you reported it per https://help.github.com/articles/github-security/ ? ...

> I did not report it. ...




This is not exactly an obscure scenario. If I were a bettor, I would bet >10:1 odds they had already thought through this scenario and dismissed it for whatever reason (maybe equating it with having an irresponsible or malicious package author), i.e. reporting it wouldn't have done anything.


True, but we don't know for sure. If we're making guesses, I'd guess that someone made the decision about username re-use years ago, before package management systems began relying on GitHub directly. If that is the case, then this issue could not have even been considered.


The choice of where to ... the response is a little editorialized.


I don't make a lot of comments on HN, so I could use some constructive criticism on how to improve. My intent was to highlight content relevant to my point. Any suggestions on how I could do this better (maybe better formatting)?



