Consider removal of Guava from java-json-tools repos
Opened this issue · 5 comments
Spurred by @soberich in pr #3 and @trajano in fge/uri-template#4:
- Guava is heavyweight for small web apps.
- Guava does deprecate and remove classes/methods/enums/etc., and this limits the ability of clients of these libraries to use a more modern Guava unless we keep up.
- A CVE in Guava has been a forcing function to use a more modern Guava.
- Guava itself may force upon this project minimum JDK standards.
Guava is currently used in this repo, in https://github.com/java-json-tools/json-schema-core, and in https://github.com/fge/uri-template, which is a dependency of -core. Not sure if we should consider them separately or not, but -core cannot be rid of a transitive Guava dependency without all of them being rid of Guava.
/cc @huggsboson
I have created a v1.x branch for jackson-coreutils to track any maintenance fixes we need, as #42 requires us bumping the major version number.
See also java-json-tools/json-patch#18
So, I'm about to release a jackson-coreutils v2.0 w/o Guava. That will allow a follow-on update of json-patch also w/o Guava.
That said, uri-template still has Guava in it, and fge/uri-template#5 creating local Guava copies of certain files isn't something I'm particularly interested in accepting. Furthermore, json-schema-core also still has lots of tendrils, so this isn't a solution for those of you wanting json-schema-validator to be Guava-free.
* Guava does deprecate and remove classes/methods/enums/etc., and this limits the ability of clients of these libraries to use a more modern Guava _unless_ we keep up.
Just to say: since v21, Guava has vowed to avoid removing non-Beta APIs (unless absolutely forced to for security reasons):
https://github.com/google/guava/wiki/PhilosophyExplained#non-beta-apis