Ban org.javassist:javassist

[ppalaga]

Describe the bug

Similar case as #26066

quarkus-scheduler depends on org.javassist:javassist but we do not manage it and so other platform participants may bring an incompatible version.

Hence we should start managing org.javassist:javassist.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[gsmet]

@ppalaga do you know what's bringing Javassist? Ideally we should get rid of it.

[ppalaga]

do you know what's bringing Javassist?

quarkus-scheduler via com.cronutils:cron-utils (not sure this is the only path)

Ideally we should get rid of it.

Why?

[gastaldi]

do you know what's bringing Javassist?

quarkus-scheduler via com.cronutils:cron-utils (not sure this is the only path)

FTR I opened jmrozanec/cron-utils#521 removing it as it doesn't seem to be used in the codebase

[gsmet]

@ppalaga we try to favor ByteBuddy if possible. Obviously if a dependency needs it, we have to comply, but it's worth having a look at what brings it.

[ppalaga]

Should I remove the javassist commit from #26069 ?

[gsmet]

If it's indeed not used by cron-utils, I would rather exclude it from there while waiting for @gastaldi 's PR to get in.

[ppalaga]

Ok, let me do it in #26069

[ppalaga]

javassist now banned in #26069

[gastaldi]

If it's indeed not used by cron-utils, I would rather exclude it from there while waiting for @gastaldi 's PR to get in.

FWIW cron-utils 9.1.7 is now out without the dependency on Javassist