Security is the main issue: you can’t just give away control of a widely used tool without vetting the new maintainer because that would open all your users to malicious code.
You aren't giving control to unknown people here. You are giving it to good contributors who you have added personally. We can still have a system where core contributors can vote on someone accepting the request, or the author can disable this feature.
How many people vet the author before installing something from npm? If you trust someone because they have some code that looks good, then shouldn't you trust contributors who have good code in there too?
How many points of cracks are there in the dependencies of dependency?
If it's a widely used tool, then the author wouldn't go inactive for a year without doing something, unless they are not getting paid or even acknowledged for their efforts.
If people like security, then pin and mirror your dependencies. Don't update without checking them.
My point was that the maintainer shouldn’t give up maintenance unless they trust the new maintainer, so we agree. (I did misread your original post, but I think it can’t be just any contributor)