The dependencies are bundled, so they cannot be patched outside of recompiling.
Furthermore, the dependencies are currently managed manually (e.g. versus Maven or Ivy) so there's no quick way to PR this yet.
With regard to (I presume CVE-2023-44487), this is probably throwing 7.5 (HIGH) on reports, but actually severity must be weighed against exposure. For example, environments using a centralized QZ Tray print-server would be higher risk. Environments allowing WAN access even more so.
Regardless, the two best ways to track this are to email sup...@qz.io (Premium clients) or open a GitHub bug report. The patch will be available in QZ Tray 2.2.4, but the release date for this release is currently undecided.