Contributions to address CVEs and outdated dependencies

I was interested in becoming a contributor in order to address CVE vulnerabilities and outdated dependency versions in general. This is an attempt to reduce the security risk of the software. I currently use Keycloak on a professional project and our security pipeline finds a lot of outstanding CVEs. I am also looking at contributing to the Drools project for similar reasons.

I had a few questions about this.

  1. Is there any appetite for this type of contribution?
  2. How long does it take for contributions to the code to be approved and make their way to the Docker versions of the apps? I am assuming these changes would be considered uncontroversial.
  3. Should each dependency update be a separate PR, or would it be OK to combine some into a single PR?
  4. I haven’t looked deeply at the code, but is the test coverage adequate to catch issues from dependency upgrades?
  5. What is the community’s opinion of removing unused dependencies from the build through exclusion when they are brought in transitively?

Thank you for any advice,

Walter Deane

There is always appetite for help. First, read this: keycloak/CONTRIBUTING.md at main · keycloak/keycloak · GitHub

Then, take a look at open issues here: Issues · keycloak/keycloak · GitHub

Looks like there is already one for a CVE review: Issues · keycloak/keycloak · GitHub

Finally, there is a dev mailing list, where a lot of the contributor discussion takes place: https://groups.google.com/g/keycloak-dev