
Removed Guava (left in tests), bump Gradle and all deps. (this is 2nd part of https://github.com/java-json-tools/jackson-coreutils/pull/3) #47

Closed

Conversation


@soberich soberich commented Nov 29, 2018

Hi,
We really want to remove Guava as it is one of the largest deps in the war, though required by this dependency (and jackson-coreutils). This would ease the choice to depend or not on Guava.
Please kindly review.
N.B. NOW BOTH jackson-coreutils and json-patch could be left without Guava.
See java-json-tools/jackson-coreutils#3
No "optimizations" made. Just a plain migration with practically copying and pasting logic from Guava's methods (Guava is a great library but we just have a JAX-RS web-app and Guava is too big a contributor to the classpath).

Overview.
1. Removed Guava (left in tests)
2. Bump gradlew to 5.0 and adjust scripts for compatibility
3. Builds and tests run now on Java 6-11
4. Bump all versions to top available.

EDIT: @huggsboson @fge just to ping you guys.
@soberich (Author) commented

CI failed because version 1.10-(SNAPSHOT) of jackson-coreutils is not available in Maven. I am sure that is clear. It may run fine with whatever version.

@soberich (Author) commented Dec 6, 2018

@huggsboson @fge hey guys, please, I see a lot of things simply hang on java-json-tools repos. Just to keep pace with things around, maybe it's worth transferring ownership / proposing other solutions / accepting pull requests, something like that? So many projects transitively depend on this one and others, and it enforces some constraints which were fine for some time, but time passes by and maybe it is worth thinking about such things and taking some action. (Please take me right and forgive me if I have expressed myself in a weird way; English is not Java, you know, no compile time checks.)
I really appreciate a response.
Best Regards.

@mmannerm commented

It would be really great if we could get Guava out of this library. https://nvd.nist.gov/vuln/detail/CVE-2018-10237

@soberich (Author) commented
@mmannerm I have no idea why these repos are so dead.
https://github.com/java-json-tools/json-patch
https://github.com/java-json-tools/jackson-coreutils
https://github.com/json-path/JsonPath

completely dead.
Funny that thousands of projects use them.
Need some action.

@Capstan (Contributor) commented Jan 7, 2020

I've been fiddling today with json-patch to bring it into modernity, so if you are interested in pursuing this, we can do that. I'm going to release it at least once with modern Guava to avoid the CVEs.

@soberich (Author) commented Jan 7, 2020

@Capstan I have asked before, but didn't fully get the answer. The whole idea behind this was to remove Guava completely from (as many as possible) projects, as it is totally not needed. I felt we were on the same page here simply because why not remove the biggest unnecessary dependency when you easily can?? I see in many repos/discussions in recent time this slowly boiled down to [at least] updating Guava. Boiling this down to updating Guava neglects the point of the work and discussion. The benefits are clear and I see no reason to go conservative here. Can we get back and stick to "remove Guava" as the goal? Or maybe I interpreted those comments/PRs by you incorrectly?

@Capstan (Contributor) commented Jan 7, 2020

@soberich I answered previously at java-json-tools/jackson-coreutils#3 (comment): Where there are CVEs, the easiest route forward is to update the dependencies to avoid the CVEs, even if it maintains a dependency on Guava, especially since removing Guava is likely to break forward compatibility. Updating to a modern Guava to allow people to sync and be safe does not prohibit removing it in a follow-on commit.

@Capstan (Contributor) commented on these lines of the diff:

```java
import javax.annotation.Nullable;
import java.util.List;
import java.util.Map;
import java.util.*;
```

I've exploded these into individual imports for clarity.

@Capstan (Contributor) commented Jan 7, 2020

Rolled the above into #66

@Capstan Capstan closed this Jan 7, 2020