From the f&q (https://hex.pm/docs/faq), it sounds like public published package can only be reverted or changed within 1 hour after publication.
But I made a test package and it can successfully publish a package with same version and different code after 1 hour. And I briefly look into the source code(https://github.com/hexpm/hexpm/blob/master/lib/hexpm/repository/releases.ex#L41). It looks like this is not enforced. I am not sure if this a bug or I misunderstand it.
In general, packages should be immutable for security reason right?