Could co.yixiang:yshop-mproot:2.3 drop off redundant dependencies?

[slimming-fat]

Hi, I found that co.yixiang:yshop-mproot:2.3’s pom file introduced 191 dependencies. However, among them, 17 libraries (9% have not been used by your project), the redundant dependencies are listed below.

More seriously, 2 redundant dependencies contain security vulnerabilities (vulnerable libraries).

9 redundant libraries have not been maintained by developers for more than 3 years（outdated dependencies）.

Reduce these unused dependencies can help prevent introducing bugs/vulnerabilities from dependencies with security vulnerabilities and outdated. Meanwhile, it can minimize the project size. To safely remove redundant dependencies, I constructed a complete call graph (resolved most of Java reflection and dynamic binding), and validated that they have not been used by the client code.

This PR co.yixiang:yshop-mproot:2.3 for removing the redundant dependencies have passed the tests.

Best regards

Redundant dependencies

Redundant indirect dependencies:

    org.jetbrains:annotations:13.0:compile [17 KB]
    org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.21:compile [23 KB]

Redundant direct dependencies inherited from parent pom:

    com.github.whvcse:easy-captcha:1.6.2:compile [339 KB]
    javax.xml.bind:jaxb-api:2.3.0:compile [122 KB]
    org.projectlombok:lombok:1.18.24:compile [1 MB]
    javax.inject:javax.inject:1:compile [2 KB]
    eu.bitwalker:UserAgentUtils:1.21:compile [45 KB]

Redundant indirect dependencies inherited from parent pom:

    com.yomahub:tlog-forest:1.4.1:compile [3 KB]
    com.github.virtuald:curvesapi:1.06:compile [109 KB]
    com.yomahub:tlog-task:1.4.1:compile [4 KB]
    net.bytebuddy:byte-buddy:1.12.20:compile [3 MB]
    com.yomahub:tlog-spring-boot-configuration:1.4.1:compile [9 KB]
    commons-lang:commons-lang:2.4:compile [255 KB]
    com.yomahub:tlog-okhttp:1.4.1:compile [3 KB]
    io.github.classgraph:classgraph:4.8.83:compile [492 KB]
    dom4j:dom4j:1.6.1:compile [306 KB]
    cn.hutool:hutool-core:5.7.16:compile [1 MB]

Vulnerable libraries

cn.hutool:hutool-core:5.7.16(CVE-2022-4565)
dom4j:dom4j:1.6.1(CVE-2020-10683)

Outdated dependencies

com.alibaba:QLExpress:3.2.0(1921 days without maintenance)
commons-lang:commons-lang:2.4(5499 days without maintenance)
javax.inject:javax.inject:1(4925 days without maintenance)
com.github.virtuald:curvesapi:1.06(1855 days without maintenance)
javax.xml.bind:jaxb-api:2.3.0(2078 days without maintenance)
eu.bitwalker:UserAgentUtils:1.21(1901 days without maintenance)
com.github.whvcse:easy-captcha:1.6.2(1321 days without maintenance)
org.jetbrains:annotations:13.0(3400 days without maintenance)
dom4j:dom4j:1.6.1(6267 days without maintenance)