We should probably do an automated system for the future more open namespaced metadata, but even version bumps within the "curated" subset should require at least minimal human review as a sanity check against obviously broken or malicious code.
(and are submitted by someone with commit access to the package's repository)