Akka Persistence Updates to address CVEs

I’m using release 1.0.5 of Akka Persistence Cassandra and Slick 3.3.3. There are dependencies that are flagged with high vulnerabilities for these releases. The following dependent jars contain high vulnerabilities:
akka persistence cassandra → io.netty:netty-codec:jar:4.1.52.Final
slick → com.zaxxer:HikariCP:jar:3.2.0
Are there plans to address this?

The following are Maven dependency tree traces to illustrate the dependency graph.

[INFO] +- com.typesafe.akka:akka-persistence-cassandra_2.13:jar:1.0.5:compile
[INFO] | \- com.lightbend.akka:akka-stream-alpakka-cassandra_2.13:jar:2.0.2:compile
[INFO] | +- com.datastax.oss:java-driver-core:jar:4.6.1:compile
[INFO] | | +- com.datastax.oss:native-protocol:jar:1.4.10:compile
[INFO] | | +- com.datastax.oss:java-driver-shaded-guava:jar:25.1-jre:compile
[INFO] | | +- com.github.jnr:jnr-posix:jar:3.0.50:compile
[INFO] | | +- org.javatuples:javatuples:jar:1.2:compile
[INFO] | | +- io.dropwizard.metrics:metrics-core:jar:4.0.5:compile
[INFO] | | +- org.hdrhistogram:HdrHistogram:jar:2.1.11:compile
[INFO] | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | \- io.netty:netty-handler:jar:4.1.52.Final:compile
[INFO] | +- io.netty:netty-common:jar:4.1.52.Final:compile
[INFO] | +- io.netty:netty-resolver:jar:4.1.52.Final:compile
[INFO] | +- io.netty:netty-buffer:jar:4.1.52.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.52.Final:compile
[INFO] | \- io.netty:netty-codec:jar:4.1.52.Final:compile

[INFO] +- com.typesafe.slick:slick-hikaricp_2.13:jar:3.3.3:compile
[INFO] | \- com.zaxxer:HikariCP:jar:3.2.0:compile


For what it’s worth, I’d open a support ticket. These are the kinds of things that really benefit from paid support. I could be wrong, but I doubt you are going to get comments/commitments from Lightbend about roadmap on a community forum. Especially around unresolved security issues.