diff --git a/otel-extensions/build.gradle.kts b/otel-extensions/build.gradle.kts
index 813c0099c..b6f17348c 100644
--- a/otel-extensions/build.gradle.kts
+++ b/otel-extensions/build.gradle.kts
@@ -46,6 +46,10 @@ dependencies {
     api("com.google.protobuf:protobuf-java-util")
     // convert yaml to json, since java protobuf impl supports only json
     implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.11.3")
+    // fix vulnerability
+    constraints {
+        api("com.google.code.gson:gson:2.8.9")
+    }
 
     testImplementation("io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:${versions["opentelemetry"]}-alpha")
     testImplementation("io.opentelemetry:opentelemetry-sdk:${versions["opentelemetry"]}")
diff --git a/shaded-protobuf-java-util/build.gradle.kts b/shaded-protobuf-java-util/build.gradle.kts
index 282bf049d..2c7617f91 100644
--- a/shaded-protobuf-java-util/build.gradle.kts
+++ b/shaded-protobuf-java-util/build.gradle.kts
@@ -8,6 +8,10 @@ dependencies {
         exclude("com.google.protobuf", "protobuf-java")
         exclude("com.google.guava", "guava")
     }
+    // fix vulnerability
+    constraints {
+        implementation("com.google.code.gson:gson:2.8.9")
+    }
 }
 
 tasks.shadowJar {
diff --git a/testing-bootstrap/build.gradle.kts b/testing-bootstrap/build.gradle.kts
index 166c1ed63..11feaec4b 100644
--- a/testing-bootstrap/build.gradle.kts
+++ b/testing-bootstrap/build.gradle.kts
@@ -16,7 +16,7 @@ dependencies {
     implementation(project(":javaagent-core"))
     implementation(project(":filter-api"))
 
-    implementation("ch.qos.logback:logback-classic:1.2.3")
+    implementation("ch.qos.logback:logback-classic:1.2.7")
     implementation("org.slf4j:slf4j-api:${versions["slf4j"]}")
 }