Hi folks, as you know Druid has a lot of dependencies, and keeping up with the latest versions of everything, whether it relates to fixing CVEs or other improvements, is a lot of manual work.
I suggest we enable GitHub's dependabot in our repository to keep our dependencies up to date. The bot is also helpful in providing a short commit log summary to understand changes. This might yield a flurry of PRs initially, but we can configure it to exclude libraries or version ranges that we know are unsafe for us to upgrade to. It looks like some other ASF repos have this enabled already (see https://github.com/apache/commons-imaging/pull/126), so hopefully this only requires filing an INFRA ticket. Happy to take care of it if folks are on board. Thanks!
Xavier
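The exclusion mechanism mentioned above, as an added example that is not part of the original post or the Druid project: a `.github/dependabot.yml` that pins the update cadence, caps the initial flood of PRs, and uses the `ignore` block to skip specific libraries or version ranges. It assumes a Maven build at the repository root; the dependency coordinates and version ranges are constructed placeholders, not real Druid dependencies.

```yaml
# .github/dependabot.yml (added example; package-ecosystem and directory are assumptions)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Throttle the initial flurry of PRs; raise once the backlog is worked through.
    open-pull-requests-limit: 5
    ignore:
      # Constructed placeholder: skip a whole version line known to break the build.
      - dependency-name: "org.example:placeholder-lib"
        versions: ["3.x"]
      # Constructed placeholder: allow patch/minor bumps but never a major bump
      # for this group, so security fixes still arrive without API breakage.
      - dependency-name: "com.example.placeholder:*"
        update-types: ["version-update:semver-major"]
```

The `ignore` list is evaluated per dependency, so a library can be held back entirely (via `versions`) or only shielded from major bumps (via `update-types`) while CVE-fixing patch releases still come through; Dependabot security updates are still offered for ignored dependencies unless the vulnerable version itself falls inside an ignored range, so keep ignored ranges as narrow as the known breakage requires.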