Hello all, I'd like to propose adding Dependabot to our commit process. If you aren't familiar with Dependabot, it scans dependencies and alerts you to dependencies that have vulnerabilities. I ran Dependabot on Drill's source, and found several rather serious CVEs associated with dependencies, hence the PRs to update Guava, JUnit, and a few others.
I know that these automated code quality tests aren't always the best in terms of producing false positives, but I do think it is in general a good thing to at least be aware of these kinds of issues so that we can resolve them if they are deemed worthy. So... I'd like to call a vote. Would you like to add Dependabot to Drill's GitHub repo? Please vote yes or no by Thursday. Thanks and Keep on Drilling! -- C
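For reference, enabling Dependabot on a GitHub repository means committing a `.github/dependabot.yml` file; the one below is an added illustration, not a file from the Drill project or from the proposal above. It assumes Drill's root `pom.xml` sits at the repository root and that the Maven ecosystem is the only one to track; the noise-limiting settings address the false-positive concern raised in the message.

```yaml
# .github/dependabot.yml (illustrative example, not Drill's actual configuration)
version: 2
updates:
  - package-ecosystem: "maven"   # Drill builds with Maven; assumes the root pom.xml is at "/"
    directory: "/"
    schedule:
      interval: "weekly"         # one batch of version-update PRs per week instead of daily churn
    # Cap the number of simultaneously open version-update PRs so reviewers are not flooded.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    commit-message:
      prefix: "DRILL-DEPS"       # placeholder prefix; adapt to the project's commit conventions
    ignore:
      # Skip patch-level bumps for every artifact; security fixes are still raised separately
      # because Dependabot security alerts do not go through this schedule.
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
```

Dependabot's vulnerability alerts and the automatic security-fix PRs (the kind that produced the Guava and JUnit updates) are a repository security setting, while this file only schedules routine version updates; enabling the former does not require the latter.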
