
They could migrate deleted ones to "Trashcan", a new npm repo where you could go to find something that may have been inadvertently swept out with the real garbage. Then you could appeal somehow to have those packages readmitted to the main repo?


The eternal flaw of NPM (and Cargo, and PyPI and so on) is that they allow namesquatting at all. It should be that you can only publish into your own user's namespace. So if I upload the "foobar" library to NPM, it can be imported as "user/majewsky/foobar" or something. And if you upload one with the same name, it would be under "user/hughw/foobar". The review barrier would be to obtain an alias into the main namespace: If I wanted to have my library be just "foobar", I would have to apply for my own library to be aliased to that name. And then there could have to be some sort of notability requirement for those "nice" names.


I agree, this seems to work quite well for Docker Hub.



