Projects depending on cowboy_plug get to those versions of the transitive dependencies anyway when upgrading.
Depending on how the project is approaching "pushing people to upgrade" to more secure versions of Cowboy, it might be an alternative to consider cutting a new version of plug_cowlib where mix.exs bumps the dependency to cowboy v2.12.0+.
See https://ninenines.eu/articles/cowboy-2.12.0/