It doesn't, but now both the original author and some number of independent reviewers have to do stupid things in order to cause harm. That's an improvement over the current situation where you mainly trust the author in most cases.
A review is only valid for a specific version/hash of a set of files, so if you only upgrade your dependencies once they have enough trusted reviews you should be safe.
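The upgrade gate the comment above describes, as an added example (not code from the thread or from any real review tool): a review is pinned to a digest of the package's files, and an upgrade is allowed only when enough distinct trusted reviewers vouch for exactly that digest. Package contents, reviewer names and the trust list are constructed for the example; signature verification of the review records is assumed to have happened when they were fetched.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Review:
    """One review record, pinned to an exact digest of a package version's files."""
    reviewer: str
    package: str
    version: str
    digest: str      # hex sha256 over the package files, see package_digest()
    verdict: str     # "positive" or "negative"


def package_digest(files: dict) -> str:
    """Deterministic digest of a file tree: sorted paths, each path and content
    length-prefixed so that moving bytes between files also changes the hash."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(len(path).to_bytes(4, "big") + path.encode("utf-8"))
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def upgrade_allowed(package, version, files, reviews, trusted, min_reviews=2):
    """Return (allowed, reason). A review only counts if it comes from a trusted
    reviewer AND names exactly the digest of the files about to be installed; a
    matching version string alone proves nothing. Any trusted negative review
    for that digest blocks the upgrade outright."""
    digest = package_digest(files)
    relevant = [r for r in reviews
                if r.reviewer in trusted and r.package == package
                and r.version == version and r.digest == digest]
    if any(r.verdict == "negative" for r in relevant):
        return False, "blocked by a negative review from a trusted reviewer"
    # Count distinct reviewers, not review records, so nobody vouches twice.
    approvers = {r.reviewer for r in relevant if r.verdict == "positive"}
    if len(approvers) < min_reviews:
        return False, f"{len(approvers)} trusted positive review(s), need {min_reviews}"
    return True, "approved by " + ", ".join(sorted(approvers))


# Constructed sample data: fictional package, reviewers and trust list.
GENUINE_FILES = {
    "Cargo.toml": b'[package]\nname = "leftpad"\nversion = "1.2.0"\n',
    "src/lib.rs": b"pub fn pad(s: &str, n: usize) -> String { format!(\"{:>1$}\", s, n) }\n",
}
# Same version string, but a file was added after the reviews were written.
TAMPERED_FILES = {
    **GENUINE_FILES,
    "build.rs": b'fn main() { std::process::Command::new("curl").arg("http://example.invalid").status().ok(); }\n',
}
GOOD = package_digest(GENUINE_FILES)
REVIEWS = [
    Review("alice", "leftpad", "1.2.0", GOOD, "positive"),
    Review("bob", "leftpad", "1.2.0", GOOD, "positive"),
    Review("alice", "leftpad", "1.2.0", GOOD, "positive"),   # duplicate: counts once
    # Untrusted reviewer vouching for the tampered tree.
    Review("mallory", "leftpad", "1.2.0", package_digest(TAMPERED_FILES), "positive"),
]
TRUSTED = {"alice", "bob"}

if __name__ == "__main__":
    print(upgrade_allowed("leftpad", "1.2.0", GENUINE_FILES, REVIEWS, TRUSTED))
    print(upgrade_allowed("leftpad", "1.2.0", TAMPERED_FILES, REVIEWS, TRUSTED))
    print(upgrade_allowed("leftpad", "1.2.0", TAMPERED_FILES, REVIEWS, TRUSTED | {"mallory"}))
```

The second call fails even though the version string is unchanged, because the reviews name the digest of the original tree; the third fails because a single approver, trusted or not, is below the threshold.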