Vulnerability detected by Snyk in Go SDK

Community Support
1

My company is just starting with Temporal, so we have very little experience so far. This is also the first time we are developing in Go. We are using the latest version of the SDK - v1.25.0.

As part of our deploy process, we have to scan our code using the Snyk Vulnerability Scanner tool. This has worked fine up until now. However, there were two vulnerabilities identified in dependencies to the Go SDK. Denial of Service (DoS) in golang.org/x/net/http2 | CVE-2023-44487 | Snyk and Denial of Service (DoS) in google.golang.org/grpc | CVE-2023-44487 | Snyk. This is preventing us from being able to deploy any changes.

✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: go.temporal.io/sdk/activity@1.25.0, go.temporal.io/sdk/client@1.25.0, go.temporal.io/sdk/workflow@1.25.0, go.temporal.io/sdk/worker@1.25.0
  From: go.temporal.io/sdk/activity@1.25.0 > go.temporal.io/sdk/internal@1.25.0 > google.golang.org/grpc@1.57.0
  From: go.temporal.io/sdk/client@1.25.0 > go.temporal.io/sdk/internal@1.25.0 > google.golang.org/grpc@1.57.0
  From: go.temporal.io/sdk/activity@1.25.0 > go.temporal.io/sdk/internal/common/metrics@1.25.0 > google.golang.org/grpc@1.57.0
  and 37 more...
  Fixed in: 1.56.3, 1.57.1, 1.58.3

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
  Introduced through: go.temporal.io/sdk/activity@1.25.0, go.temporal.io/sdk/client@1.25.0, go.temporal.io/sdk/workflow@1.25.0, go.temporal.io/sdk/worker@1.25.0
  From: go.temporal.io/sdk/activity@1.25.0 > go.temporal.io/sdk/internal/common/metrics@1.25.0 > google.golang.org/grpc@1.57.0 > google.golang.org/grpc/internal/transport@1.57.0 > golang.org/x/net/http2@0.14.0
  From: go.temporal.io/sdk/client@1.25.0 > go.temporal.io/sdk/internal/common/metrics@1.25.0 > google.golang.org/grpc@1.57.0 > google.golang.org/grpc/internal/transport@1.57.0 > golang.org/x/net/http2@0.14.0
  From: go.temporal.io/sdk/workflow@1.25.0 > go.temporal.io/sdk/temporal@1.25.0 > go.temporal.io/sdk/internal@1.25.0 > google.golang.org/grpc/health/grpc_health_v1@1.57.0 > google.golang.org/grpc@1.57.0 > google.golang.org/grpc/internal/transport@1.57.0 > golang.org/x/net/http2@0.14.0
  and 1 more...
  Fixed in: 0.17.0

Does anyone else use Snyk, and are there any know workarounds that would allow us to use a fixed version of the dependencies? Thanks for any assistance you can provide.