I made some comments on https://issues.apache.org/jira/browse/CALCITE-5379 about upgrading dependency libraries in order to fix CVEs. What I said is just my opinion, but it might be construed as policy, so others should chime in if they have opinions.
Julian