Customer report: The latest version of durable task package available i.e. 1.4.0 contains these CVEs due to older version of protobuf and google guava dependency present in it. Here are the related CVEs : CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2023-2976.

There are a few more CVEs can be found at https://mvnrepository.com/artifact/com.microsoft/durabletask-client/1.4.0