as mentioned by others all versions must stay available once they have been published. it’s the same as with git: you don’t ever force-push to a published branch.
for security issues i’d expect a CVE (see also the Become a Mitre CNA thread).
in enterprise-y environments various scanning tools (Snyk, GitHub Dependabot, Twistlock, etc.) are being used which start issuing warnings/errors when they find artifacts with known issues (e.g. they’ll complain about the OpenSearch Docker image / .tar.gz / … if there’s a CVE for it).