increasing the (social) pressure on maintainers to get PRs merged seems like the last thing you should be doing in light of preventing malicious code ending up in dependencies like this

i'd much rather see a million open PRs than a single malicious PR sneak through due to lack of thorough review.

Not really the time for that. There's also PRs being merged every hour of the day.