What if there are failures at this stage do we have to go back to release review or should this step be before release review?
No, release review doesn’t require having all dependencies updated. It has to be done once and before releasing artifacts to Maven Central. It’s allowed to make changes after release review is passed. Wayne can explain it better than
The EDP states that "The purposes of a release review are: to summarize the accomplishments of the release, to verify that the IP Policy has been followed and all approvals have been received, to highlight any remaining quality and/or architectural issues, and to verify that the project is continuing to operate according to the principles and purposes of Eclipse."
In effect, the Release Review is concerned (mostly) with ensuring that processes are being correctly followed (I can expand on this if there's interest). We use a Release Review to confirm that the project is following the IP Due Diligence Process by checking their IP Log. There is no requirement to lock down development while we engage in a Release Review or for any time after. It's generally expected that no new features are added or otherwise significant changes are made to the release version after the review, but it's completely normal for bugfixes to be applied. Many project teams will include some "quiet" period during their ramp down plan, but's separate from the review.
A Release Review can, however, theoretically fail. Theoretically, it's good practice to set them up some amount of time before you plan to actually release so that there's some room to mitigate issues. In practice, however, I don't recall a Release Review ever failing (we set them up to succeed) and so we tend to schedule reviews very close to the planned release date. The issues that we do discover tend to be relatively easy to mitigate (e.g. update CONTRIBUTING files, etc.).
Wayne