It looks like there's been a couple of CVE fixes in dependencies that we might want to have! See AVRO-3656, and perhaps AVRO-3658 (not yet merged, bumping to jackson 2.13, which might have breaking changes).
We've been cherry-picking pretty nicely so the branch is in a pretty good state, with just a few Unresolved issues (mostly with existing PRs that need some committer attention!) that have been marked for 1.11.2 What do you think? Ryan [1] https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
