I was interested in becoming a contributor in order to address CVE vulnerabilities and outdated dependency versions in general. This is an attempt to reduce the security risk of the software. I currently use Keycloak on a professional project and our security pipeline finds a lot of outstanding CVEs. I am also looking at contributing to the Drools project for similar reasons.
I had a few questions about this.
- Is there any appetite for this type of contribution?
- How long does it take for contributions to the code to be approved and make their way to the Docker versions of the apps? I am assuming these changes would be considered uncontroversial.
- Should each dependency update be a separate PR or would it be ok to combine some into a single PR?
- I haven’t looked deeply at the code but is the test coverage adequate to catch issues from dependency upgrades?
- What is the community's opinion of removing unused dependencies from the build through exclusion when they are brought in transitively?
Thank you for any advice,
Walter Deane