++ overall, but:

"I think you can delete from CPAN but seems a bit too much."

Please don't delete distributions from the CPAN, *especially* when in a deprecation cycle.

There are very valid reasons why someone might need to come back and fetch your last version released. For example, someone could have an enormous corporate installation of software that requires it. If that one distribution disappears, the whole thing will fall apart.

Loud warnings within the distribution as per what you and haj already stated, the deprecation flag, and honestly, if it's a major security thing, I might go as far as putting a warn "SECURITY ISSUE: This dist is deprecated; See docs for details\n"; within an instantiation method, or frequently used function.

Thankfully, I've never had to go this far as I've never been made aware of security issues in my software (yet!), but I certainly have deprecated distributions before. They sit on the CPAN collecting dust, with the relevant notices in the POD.

See the DESCRIPTION in RPi::WiringPi::Constant for example.

If I ever were to have a distribution that I had to absolutely ensure didn't get installed after deprecation period (typically I've heard and would adhere to a two-year cycle), I might add a croak() to the code, with the warning pointing to a URL or something. This ensures previous code still works, but new installs would fail. Generally, this would happen if my dist is being used by someone elses software, and I'd be notified eventually.

Worst case scenario, if you need to go extreme like croak()ing because of security or other issues, I'd do a reverse dependency lookup, see who's using my bad dist, and attempt to contact them directly before taking significant action.