Source: sui/package-upgrades.md at 25678de7f57438f7b9a6af8f908e3051d1505205 · MystenLabs/sui · GitHub
As alluded to previously, all packages on the Sui network are immutable. Because of this fact, you cannot delete old packages from the chain. As a result, there is nothing that prevents other packages from accessing the methods and types defined in the old versions of your upgraded packages. By default, users can choose to keep using the old version of a package, as well. As a package developer, you must be aware of and account for this possibility.
Now, considering the scenario where a “Black Hat” hacker identifies a vulnerability, it is important to note that, from a technological standpoint, directly patching the vulnerability within the existing version is not possible. Instead, the solution lies in releasing a new version that avoids the identified vulnerability. Essentially, this means that the vulnerability itself cannot be fixed within the current version but requires an update to mitigate it. And even if there is an update, the “hole” is still there. Please help me clarify this issue.
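One way a package developer can account for old versions staying callable is to gate every entry point on a version number stored in the shared object it mutates. The sketch below is an added example, not part of the post above; the module name `example::counter`, the struct names and the error constants are illustrative assumptions. It shows the upgraded (second) version of such a package.

```move
module example::counter {
    use sui::object::{Self, ID, UID};
    use sui::transfer;
    use sui::tx_context::{Self, TxContext};

    // Bumped in every upgraded version of the package. The previous
    // version of this module was published with VERSION = 1.
    const VERSION: u64 = 2;

    const ENotAdmin: u64 = 0;
    const ENotUpgrade: u64 = 1;
    const EWrongVersion: u64 = 2;

    struct AdminCap has key { id: UID }

    struct Counter has key {
        id: UID,
        version: u64, // package version this object currently accepts
        admin: ID,    // id of the AdminCap allowed to migrate it
        value: u64,
    }

    // Runs only when the package is first published, never on upgrade.
    fun init(ctx: &mut TxContext) {
        let admin = AdminCap { id: object::new(ctx) };
        transfer::share_object(Counter {
            id: object::new(ctx),
            version: VERSION,
            admin: object::id(&admin),
            value: 0,
        });
        transfer::transfer(admin, tx_context::sender(ctx));
    }

    // Every function that touches the shared object checks the version first.
    public entry fun increment(c: &mut Counter) {
        assert!(c.version == VERSION, EWrongVersion);
        c.value = c.value + 1;
    }

    // Called once by the admin after the upgrade. From then on, the old
    // package's increment (compiled with VERSION = 1) aborts on this object.
    entry fun migrate(c: &mut Counter, a: &AdminCap) {
        assert!(c.admin == object::id(a), ENotAdmin);
        assert!(c.version < VERSION, ENotUpgrade);
        c.version = VERSION;
    }
}
```

The old bytecode remains on chain and callable, so this protects only state reached through a version-checked shared object. Functions in the old version that never touch such an object behave exactly as before.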