Hey Livyers - I've filed LIVY-900 to gather ideas for getting dependency management for CVEs added to the Livy project. I added a couple thoughts in the description but I'm sure there are other tools and automation that we may be able to leverage.
Since we called this out as an initial goal for the 0.8.0 release, I'd like to get something in place in terms of process (even if manual scans are required). I'd also propose that we make progress on the Critical and High CVEs that are outstanding due to dependencies in the current repo. Ideally, we would remove them all.

Please comment with your thoughts on dependabot and/or other tooling that we may have available so that we can gather them in the JIRA. You can comment here or on the JIRA at https://issues.apache.org/jira/browse/LIVY-900

Thoughts?

--larry
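One way to turn the "manual scans" step in the message above into a repeatable gate, as an added example that is not Larry's or the Livy project's code: a small script that reads a scanner's JSON report, keeps only Critical/High findings, honours an explicit list of accepted-risk CVEs, and exits non-zero when anything blocking remains. The report layout it parses (a top-level "dependencies" list whose entries carry a "vulnerabilities" list with "name", "severity" and a CVSS v3 base score) is an assumption modelled on what tools such as OWASP Dependency-Check emit; the embedded report and its CVE ids are constructed placeholders, not real findings.

```python
"""Release gate for Critical/High dependency CVEs (added example, not Livy code).

ASSUMPTION: the report format below (dependencies -> vulnerabilities with
"name", "severity", "cvssv3.baseScore") mirrors OWASP Dependency-Check's JSON
output; adjust the field names for whatever scanner the project adopts.
"""
import json
import sys

# Severities that block a release (CVSS v3 qualitative scale).
BLOCKING = {"CRITICAL", "HIGH"}

# Constructed sample report: artifact names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "other-lib-2.3.jar",
         "vulnerabilities": [
             # lower-case label: scanners are not consistent about casing
             {"name": "CVE-0000-0003", "severity": "high",
              "cvssv3": {"baseScore": 7.5}},
             # no label at all: fall back to the numeric score
             {"name": "CVE-0000-0004", "cvssv3": {"baseScore": 8.1}},
         ]},
        {"fileName": "quiet-lib-3.1.jar", "vulnerabilities": []},
    ]
})


def severity_of(vuln):
    """Normalise a finding's severity: prefer the label, else bucket the CVSS score."""
    label = (vuln.get("severity") or "").upper()
    if label:
        return label
    score = (vuln.get("cvssv3") or {}).get("baseScore")
    if score is None:
        return "UNKNOWN"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def blocking_findings(report_text):
    """Return sorted (artifact, cve, severity) triples at Critical or High."""
    report = json.loads(report_text)
    found = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            sev = severity_of(vuln)
            if sev in BLOCKING:
                found.append((dep.get("fileName", "?"), vuln.get("name", "?"), sev))
    return sorted(found)


def gate(report_text, suppressed=frozenset()):
    """Exit status for CI: 0 if no unsuppressed Critical/High finding remains, else 1.

    `suppressed` holds CVE ids the project has explicitly accepted (e.g. a
    false positive documented in JIRA); anything else blocks the build.
    """
    remaining = [f for f in blocking_findings(report_text) if f[1] not in suppressed]
    for artifact, cve, sev in remaining:
        print(f"{sev:8} {cve:16} {artifact}")
    return 1 if remaining else 0


if __name__ == "__main__":
    # usage: python cve_gate.py report.json [suppressed.txt]; no args runs the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    accepted = set()
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            accepted = {line.strip() for line in fh if line.strip()}
    sys.exit(gate(text, accepted))
```

The suppression list is deliberately a plain file of CVE ids so that every accepted risk is a reviewable line in the repo rather than a flag someone passed once; wiring the script into the build (or running it by hand after a manual scan) gives the process a concrete pass/fail until automated tooling such as dependabot is in place.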