
Have they already enforced 2FA? The tool that I built to detect "risky" NPM/PyPI packages [1] still shows an expired email domain for browserify (a top NPM package).

1. https://github.com/ossillate-inc/packj



Well, it’s probably only enforced if you submit a new version; can’t really disable a top package just because the author hasn’t logged in in a while. browserify was last updated two years ago and probably won’t see a new release ever, so the requirement doesn’t actually matter.


Browserify had a PR merged on master in March for switching from non-ECMA String.substr to String.slice: https://github.com/browserify/browserify/pull/2036

Apparently it's too trivial for a release but the maintainers still seem to be around. Substack.net listed in package.json seems to be working: https://substack.net/cv.html



