broxit 4 hours ago

> Even in that case, my suggestion would be that we just run it in our own CI and block package release.

I agree.

> open source security scanner that runs on all Homebrew packages and requires a cooldown.

I think that is where all this is going in the long term.

Until then, any upstream shenanigans are more likely to surface in hours 0-48 after a new release than hours 0-4.