Major Description
I ran a commercial known vulnerable library analysis tool on PIG and it flagged numerous direct and transitive dependencies as having known vulnerabilities.
I'd be happy to share the list offline if anyone is interested in the list/willing to work on upgrading them. If interested, contact me at: dave.wichers@owasp.org.
If it is not doing so already, the project might also want to start using OWASP Dependency Check or https://ossindex.net/ to automate this type of analysis so its easier for the project to try to keep up to date as new CVEs in libraries are uncovered.