force a transitive dependency version in golang

I have a question about dependencies in golang. My application defines a go.mod like this:

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

go 1.14

The dependency relationship is：

1. ext1.com/module1 v0.0.1 depends on ext3.com/module3 v0.0.3

A security scan detects ext3.com/module3 v0.0.3 is insecure and must be updated to v0.0.4.

Is there a way to "force" myapp to get only module3 v0.0.4, overriding the directives defined in module1 v0.0.1 go.mod?

1. Let's say ext1.com/module1 v0.0.1 is already at the latest version, so upgrading it doesn't work.

Would "replace" work?

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

replace ext3.com/module3 v0.0.3 => ext3.com/module3 v0.0.4

go 1.14

Thanks in advance!