Curious what happens in the context of a security flaw becoming known with a queue, especially with the whole dependency tree in play. Do we now wait for the fix to come through the queue? Or does it get an exception? Do packages that embed the flawed library have to wait for the fix to merge (through whatever path) before they can depend on it? Or does the exception cascade out to the entire ecosystem that depends on the flawed package?