Hi, I had already downloaded log4j-core with the "bad" version. I would have expected this to be an immediate action, but as you described, it is tied to a scheduled job triggered by a vulnerability update. Looking at the feed and packages today shows me that the auto assessment of all the downloaded packages was done overnight. But does this mean the auto-blocking will never work the first time a package is downloaded? The auto-blocking will always only kick in after the next vulnerability update? I hope that logic does not apply to the malicious package blocking as well...