Hey there.
Some dependencies listed in your report were updated for the (not being officially announced until tomorrow) v9.9 LTS, such as Hazelcast.
The docker image was made available this morning on DockerHub, so I suggest running any scans against that version.
Swapping in JARs is strictly unsupported – and we do run our own dependecy checks and evaluate whether or not a vulnerability may exist, like for the netty libraries embedded in Elasticsearch.
So any adjustments are done at your risk and haven’t been tested on our side.