Vulnerabilities. Known vs. Actual risk.
A new vulnerability is discovered in an open source package used in your codebase. Should you block the codebase from being released until the vulnerability is fixed? Instinctively you may argue it should be blocked, but I suspect for the wrong reasons. I suspect you want to block the release