Contributing to address CVE issues and outdated dependencies.


Walter Deane

Dec 13, 2021, 3:31:00 PM
to Drools Setup
I was interested in becoming a contributor in order to address CVE vulnerabilities and outdated dependency versions in general. This is an attempt to reduce the security risk of the software. I currently use Drools on a professional project and our security pipeline finds a lot of outstanding CVEs. I am also looking at contributing to the Keycloak project for similar reasons.

I had a few questions about this.
  1. Is there any appetite for this type of contribution?
  2. How long does it take for contributions to the code to be approved and make their way to the Docker versions of the apps? I am assuming these changes would be considered uncontroversial.
  3. Should each dependency update be a separate PR, or would it be OK to combine some into a single PR?
  4. I haven't looked deeply at the code, but is the test coverage adequate to catch issues from dependency upgrades?
  5. What is the community's opinion of removing unused dependencies from the build through exclusion when they are brought in transitively?
Thank you for any advice,
Walter Deane
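Question 5 above concerns dropping or overriding a dependency that arrives transitively. The Maven fragment below is an added illustration and is not code from the Drools project or from the poster; the coordinates `org.example:unwanted-lib` and the version numbers are placeholders chosen for the example, and `org.drools:drools-core` stands in for whichever module actually pulls the transitive dependency in. It shows the two mechanisms a contributor would typically use: an `<exclusions>` block to remove a transitive artifact the build does not use, and a `<dependencyManagement>` entry to pin a transitive artifact that is used to a patched version.

```xml
<!-- Added example, not from the Drools build.
     Assumed: org.drools:drools-core transitively brings in
     org.example:unwanted-lib (unused by this build) and
     org.example:needed-lib (used, but at an old version).
     Versions below are placeholders. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin a transitive dependency that IS used to a patched version.
           Maven's "nearest wins" resolution is overridden by the managed
           version, so every path to needed-lib resolves to 2.0.1. -->
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>needed-lib</artifactId>
        <version>2.0.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.drools</groupId>
      <artifactId>drools-core</artifactId>
      <version>${version.org.drools}</version>
      <!-- Remove a transitive dependency that is NOT used at runtime.
           Exclusion only affects this edge; if another dependency also
           pulls unwanted-lib in, it must be excluded there as well. -->
      <exclusions>
        <exclusion>
          <groupId>org.example</groupId>
          <artifactId>unwanted-lib</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Two checks go with such a change. `mvn dependency:tree -Dincludes=org.example` confirms that `unwanted-lib` no longer appears on any path and that `needed-lib` resolves to the pinned version everywhere, and `mvn dependency:analyze` reports "unused declared" and "used undeclared" artifacts from bytecode analysis, which is the evidence to attach to a PR that claims a dependency is unused. Exclusions are not a substitute for tests: an artifact loaded only by reflection or by a service loader will not show up as used in the analysis, which is why the test-coverage question in point 4 matters for exactly this kind of PR.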