A yanked release is a package version that a registry or maintainer marks as discouraged for normal use. It is usually kept in the index for traceability, but dependency tools should avoid selecting it unless a project explicitly pins that exact version. A release may be yanked because it is broken, unsafe, or suspected to be compromised.
In cyber security, yanking is a fast containment measure for supply-chain risk. If a malicious or faulty package reaches a public registry, yanking helps stop new installations while review and cleanup happen. It is not a full fix: software already pinned to the version may still install it, and builds that cached the artifact may continue to use it. Defenders should check lockfiles, build logs, and dependency manifests for yanked versions, then rotate secrets or rebuild systems if the package may have executed.
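As an added example, not part of the original text, the following Python script implements the lockfile check described above: it extracts every exact (`==`) pin from a requirements-style lockfile and looks each one up in registry yank metadata. Range specifiers are skipped because a resolver that honours yank metadata will not choose a yanked version for them; only exact pins carry that risk. The lockfile content, the package names (`goodlib`, `examplelib`, `examplelib-plugin`, `otherlib`) and the registry records are constructed for illustration. The metadata is shaped like PyPI's per-project JSON response (a `releases` map from version to file entries carrying `yanked` and `yanked_reason`), which a live check would fetch for each project instead of reading from the inline sample.

```python
"""Flag exact pins in a lockfile whose version has been yanked on the registry.
Added example; the sample lockfile and registry data below are constructed."""
import re
from typing import Dict, Iterator, List

# Constructed requirements-style lockfile. Package names are hypothetical.
SAMPLE_LOCKFILE = """\
# generated by a lockfile tool (constructed sample)
goodlib==2.3.1
examplelib==1.4.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
otherlib>=3.0,<4
examplelib-plugin==0.9.1
"""

# Constructed metadata in the shape of PyPI's /pypi/<project>/json response,
# reduced to the fields this check needs. A live check fetches this per project.
SAMPLE_REGISTRY: Dict[str, dict] = {
    "goodlib": {"releases": {"2.3.1": [{"yanked": False, "yanked_reason": None}]}},
    "examplelib": {"releases": {
        "1.4.2": [{"yanked": True, "yanked_reason": "suspected compromise of the upload account"}],
        "1.4.3": [{"yanked": False, "yanked_reason": None}],
    }},
    "examplelib-plugin": {"releases": {
        "0.9.1": [{"yanked": True, "yanked_reason": "broken build"},
                  {"yanked": False, "yanked_reason": None}],
    }},
}

PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*"
    r"(?P<spec>(?:===|==|>=|<=|~=|!=|>|<)[^;#\\]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Example_Lib' and 'example-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str) -> Iterator[str]:
    """Yield requirement lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def exact_pins(text: str) -> Dict[str, str]:
    """Return {normalized_name: version} for every single-clause '==' pin."""
    pins: Dict[str, str] = {}
    for line in logical_lines(text):
        if line.startswith("-"):  # -r, -e, --index-url and similar options
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        spec = m.group("spec").split(" --")[0]  # drop per-requirement options such as --hash
        clauses = [c.strip() for c in spec.split(",") if c.strip()]
        if len(clauses) == 1 and clauses[0].startswith("==") and not clauses[0].startswith("==="):
            version = clauses[0][2:].strip()
            if "*" not in version:  # '==1.4.*' is a range, not an exact pin
                pins[normalize_name(m.group("name"))] = version
    return pins


def release_status(files: List[dict]) -> str:
    """'yanked' when every file of the release is yanked (the registry's meaning of a
    yanked release), 'partial' when only some files are, 'unknown' when the version
    is absent. A 'yanked' field may be a bool or a reason string; both count as set."""
    if not files:
        return "unknown"
    flags = [bool(f.get("yanked")) for f in files]
    if all(flags):
        return "yanked"
    return "partial" if any(flags) else "ok"


def find_yanked_pins(lockfile_text: str, registry: Dict[str, dict]) -> List[dict]:
    """Cross-check every exact pin against registry metadata and report yanked ones."""
    index = {normalize_name(k): v for k, v in registry.items()}
    findings: List[dict] = []
    for name, version in exact_pins(lockfile_text).items():
        meta = index.get(name)
        if meta is None:
            continue  # not in the offline sample; a live check would fetch it here
        files = meta.get("releases", {}).get(version, [])
        status = release_status(files)
        if status in ("yanked", "partial"):
            reasons = sorted({f.get("yanked_reason") or "" for f in files if f.get("yanked")})
            findings.append({"name": name, "version": version, "status": status,
                             "reason": "; ".join(r for r in reasons if r)})
    return findings


if __name__ == "__main__":
    for f in find_yanked_pins(SAMPLE_LOCKFILE, SAMPLE_REGISTRY):
        print(f"{f['status'].upper():8} {f['name']}=={f['version']}  ({f['reason']})")
```

Run against a real lockfile, the findings list is the set of pins to treat as suspect: a `yanked` hit on a package that has already been installed is the trigger for the secret rotation or rebuild the text describes, while a `partial` hit means only some artifacts of that release were withdrawn and the build log should be checked for which file was actually used.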