I was wondering how the updates for some of the Apache Commons libraries work with regard to the vulnerabilities of dependencies of a library (in this case, commons-validator).
Is it possible to create a pull request with only upgrades of dependencies of a library? For instance, in the commons-validator library, there are some dependencies which contain vulnerabilities, such as JUnit. Is a pull request to upgrade JUnit from 4.13 to 4.13.2 valid? Another, different example would be the commons-digester library which, from what I've seen, has the 3.3-SNAPSHOT version on its master branch, which contains some upgrades to those vulnerable dependencies, but it hasn't been released yet. Is there a release cycle or release date planned for these changes?
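As an added example (not code from the original question, nor from the Apache Commons projects): before opening a dependency-upgrade pull request for a flagged library, it helps to know whether that dependency is actually shipped with the released artifact or is only used at test time. The script below parses a Maven `pom.xml`, resolves `${property}` versions, classifies each declared dependency by scope, and reports which ones differ from a wanted version. The sample pom, its artifacts and versions are constructed for the example and are not the real commons-validator pom.

```python
# Added example: classify a Maven pom's declared dependencies by scope and
# compare them against wanted versions. Sample data below is constructed.
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (illustrative only, not a real Apache Commons pom).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample-lib</artifactId>
  <version>1.0.0</version>
  <properties>
    <junit.version>4.13</junit.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>${junit.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Maven scopes whose classes are needed by consumers of the published artifact.
# test/provided/system dependencies are not pulled in transitively by users.
SHIPPED_SCOPES = {"compile", "runtime"}


def _resolve(value, props):
    """Expand ${name} references against the pom's <properties> (single pass)."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_dependencies(pom_xml):
    """Return a list of {ga, version, scope} dicts for the pom's direct dependencies."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        def text(tag):
            el = dep.find(f"m:{tag}", NS)
            return el.text.strip() if el is not None and el.text else None
        deps.append({
            "ga": f"{text('groupId')}:{text('artifactId')}",
            "version": _resolve(text("version"), props),
            "scope": text("scope") or "compile",  # Maven's default scope
        })
    return deps


def shipped_dependencies(pom_xml):
    """Dependencies that reach downstream users of the released artifact."""
    return [d for d in parse_dependencies(pom_xml) if d["scope"] in SHIPPED_SCOPES]


def outdated(pom_xml, wanted):
    """Declared dependencies whose version differs from wanted {ga: version}.
    Uses string inequality, not semantic-version ordering (sufficient for a
    'does this pom already have the fixed version?' check)."""
    return [d for d in parse_dependencies(pom_xml)
            if d["ga"] in wanted and d["version"] != wanted[d["ga"]]]


if __name__ == "__main__":
    for d in parse_dependencies(SAMPLE_POM):
        shipped = "shipped" if d["scope"] in SHIPPED_SCOPES else "not shipped"
        print(f"{d['ga']} {d['version']} scope={d['scope']} ({shipped})")
    for d in outdated(SAMPLE_POM, {"junit:junit": "4.13.2"}):
        print(f"upgrade candidate: {d['ga']} {d['version']} -> 4.13.2")
```

Running this over the constructed pom shows the JUnit entry as test-scoped (so it never reaches consumers of the library, which is worth stating in the PR description), while the compile-scoped dependency is the one a vulnerability report actually exposes downstream.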