
Addressing security vulnerabilities in the Temporalio/server release v1.27.2

Open · thle40 opened this issue 9 months ago · 1 comment

Expected Behavior

No more CVEs found

Actual Behavior

There are some CVEs found from the latest Temporal image: temporalio/server:1.27.2

Steps to Reproduce the Problem

1. Pull the latest image temporalio/server:1.27.2 from Dockerhub
2. Scan the image with any vulnerability scanner

| CVE | Severity | CVSS | Package | Version | Fix in |
|---|---|---|---|---|---|
| CVE-2025-30204 | high | 7.50 | github.com/golang-jwt/jwt/v4 | v4.5.1 | 4.5.2 |
| CVE-2025-30204 | high | 7.50 | github.com/golang-jwt/jwt | v3.2.2 | open |
| CVE-2024-2689 | medium | 4.40 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | 1.20.5, 1.21.6, 1.22.7 |
| CVE-2023-3485 | low | 3.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | 1.20.0 |
| CVE-2025-31498 | low | 0.00 | c-ares | 1.34.3-r0 | 1.34.5-r0 |
| CVE-2025-22870 ([Snyk](https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTPHTTPPROXY-9058601)) | HIGH | 8.8 | golang.org/x/net/http/httpproxy | v0.34.0 | 0.36.0 |
| CVE-2025-22868 ([Snyk](https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594)) | HIGH | 8.7 | golang.org/x/oauth2/jws | v0.25.0 | 0.27.0 |
| CVE-2025-27144, GHSA-c6gw-w398-hv78 | MEDIUM | 6.9 | github.com/go-jose/go-jose/v4 | v4.0.4 | 4.0.5 |
| CVE-2024-44337 | MEDIUM | 6.9 | github.com/gomarkdown/markdown/parser | v0.0.0-20241105142532-d03b89096d81 | N/A |
| CVE-2024-51744, GHSA-29wx-vh33-7x7r | LOW | 2.3 | github.com/golang-jwt/jwt | v3.2.2+incompatible | N/A |
| CVE-2023-47108 | MEDIUM | 7.5 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4 | 0.46.0 |

thle40 · Apr 14 '25 09:04
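A scan table like the one above is only the start of triage: the rows still have to be sorted into "fixable by a dependency bump", "no fix published yet" and "label worth double-checking". The following script is an added example for this issue, not Temporal project code or the scanner's output format. It reads a pipe-delimited transcription of the issue's own rows (constructed here so it runs offline), treats `open`/`N/A` in the fix column as "no fixed version", recomputes the CVSS v3 qualitative band to catch rows whose printed severity disagrees with the score (for instance the otelgrpc row labelled MEDIUM at 7.5, and the c-ares row scored 0.00, which normally means "not yet scored" rather than harmless), and applies a release-gate policy whose 7.0 threshold is this example's own assumption.

```python
"""Triage of the scanner findings listed in this issue.

Added example, not Temporal project code. The rows below are a
pipe-delimited, hand-copied transcription of the issue's scan table; the
gate threshold and the "block / no_fix" policy are this script's own
assumptions, not a Temporal or scanner convention.
"""
from dataclasses import dataclass

# CVSS v3.x qualitative bands (floor score -> label).
CVSS_BANDS = (
    (0.0, "none"), (0.1, "low"), (4.0, "medium"), (7.0, "high"), (9.0, "critical"),
)

# Values a scanner prints in the "FIX IN" column when no fixed version exists.
NO_FIX_MARKERS = {"open", "n/a", "", "-"}

# Constructed input: transcription of the table in this issue.
SCAN_TABLE = """\
CVE-2025-30204|high|7.50|github.com/golang-jwt/jwt/v4|v4.5.1|4.5.2
CVE-2025-30204|high|7.50|github.com/golang-jwt/jwt|v3.2.2|open
CVE-2024-2689|medium|4.40|go.temporal.io/server|v1.18.1-0.20230217005328-b313b7f58641|1.20.5, 1.21.6, 1.22.7
CVE-2023-3485|low|3.00|go.temporal.io/server|v1.18.1-0.20230217005328-b313b7f58641|1.20.0
CVE-2025-31498|low|0.00|c-ares|1.34.3-r0|1.34.5-r0
CVE-2025-22870|HIGH|8.8|golang.org/x/net/http/httpproxy|v0.34.0|0.36.0
CVE-2025-22868|HIGH|8.7|golang.org/x/oauth2/jws|v0.25.0|0.27.0
CVE-2025-27144|MEDIUM|6.9|github.com/go-jose/go-jose/v4|v4.0.4|4.0.5
CVE-2024-44337|MEDIUM|6.9|github.com/gomarkdown/markdown/parser|v0.0.0-20241105142532-d03b89096d81|N/A
CVE-2024-51744|LOW|2.3|github.com/golang-jwt/jwt|v3.2.2+incompatible|N/A
CVE-2023-47108|MEDIUM|7.5|go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc|v0.36.4|0.46.0
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str   # label as the scanner printed it, lower-cased
    cvss: float
    package: str
    version: str
    fix_in: tuple   # published fixed versions; empty when none exists

    @property
    def fixable(self) -> bool:
        return bool(self.fix_in)


def parse_scan_table(text: str) -> list:
    """Turn the pipe-delimited rows into Finding records."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cve, sev, cvss, pkg, ver, fix = (c.strip() for c in line.split("|"))
        fixes = () if fix.lower() in NO_FIX_MARKERS else tuple(
            v.strip() for v in fix.split(","))
        findings.append(Finding(cve, sev.lower(), float(cvss), pkg, ver, fixes))
    return findings


def band_for(cvss: float) -> str:
    """Map a CVSS score to its qualitative band."""
    label = "none"
    for floor, name in CVSS_BANDS:
        if cvss >= floor:
            label = name
    return label


def label_mismatches(findings) -> list:
    """Rows whose printed severity disagrees with the CVSS band.

    A 0.00 score usually means "not yet scored" rather than "harmless",
    so such rows deserve a manual look, not an automatic pass.
    """
    return [f for f in findings if f.severity != band_for(f.cvss)]


def gate(findings, min_cvss: float = 7.0) -> dict:
    """Split findings into what blocks a release and what is only tracked.

    Policy (an assumption of this example): a finding at or above
    min_cvss with a published fix blocks; one without a fix is tracked
    separately, because bumping the dependency cannot resolve it.
    """
    serious = sorted((f for f in findings if f.cvss >= min_cvss),
                     key=lambda f: f.cvss, reverse=True)  # stable sort
    return {
        "block": [f for f in serious if f.fixable],
        "no_fix": [f for f in serious if not f.fixable],
        "below_threshold": [f for f in findings if f.cvss < min_cvss],
    }


def upgrade_plan(findings) -> dict:
    """package -> every fixed version the scanner listed for it, sorted."""
    plan = {}
    for f in findings:
        if f.fixable:
            plan.setdefault(f.package, set()).update(f.fix_in)
    return {pkg: sorted(vs) for pkg, vs in plan.items()}


if __name__ == "__main__":
    fs = parse_scan_table(SCAN_TABLE)
    result = gate(fs)
    for f in result["block"]:
        print(f"BLOCK  {f.cve:15} {f.cvss:4} {f.package} {f.version} -> {', '.join(f.fix_in)}")
    for f in result["no_fix"]:
        print(f"NOFIX  {f.cve:15} {f.cvss:4} {f.package} {f.version}")
    for f in label_mismatches(fs):
        print(f"CHECK  {f.cve}: labelled {f.severity}, CVSS {f.cvss} is {band_for(f.cvss)}")
```

Run as-is, the gate reports four blocking rows (httpproxy, oauth2/jws, golang-jwt/jwt/v4, otelgrpc), one high finding with no fix (CVE-2025-30204 against the unmaintained golang-jwt/jwt v3 line, which only goes away by moving callers to the v4 module), and two rows whose label does not match their score. Keeping "no fix" separate from "blocking" is the practical point: a dependency bump closes the first group, while the second needs a module migration or a documented exception.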

Is an upgrade planned for temporal to address these CVEs? Mend in particular is showing go-jose - which is on v2, should be on v4, as v2 is no longer supported.

jeffvc · May 05 '25 18:05