Update deps

[robotdan]

Update deps

Description

Update various dependencies.

• google-guice 5.1.0 to 6.0.0
• google-guava 30.1.0 to 32.1.2
• java-http 0.2.0 to 0.2.9
• kafka-clients 2.8.2 to 3.6.0
• prime-mvc 4.11.0 to 4.17.1
• snappy-java 1.1.8.1 to 1.1.10.4

List the versions here once we know what they are.

Related CVEs

Review available list of CVEs related to 3rd party deps, while not necessarily vulnerable, updating these deps will remove the CVEs from scanners.

• CVE-2023-2976 (google-guava, via google-guice)
• CVE-2023-34453 (snappy-java, via kafka-clients)
• CVE-2023-34454 (snappy-java, via kafka-clients)
• CVE-2023-34455 (snappy-java, via kafka-clients)

FusionAuth has no known vulnerabilities related to the above mentioned CVEs.

Tasks

• Final review for dependency changes (scan class path, docker image, etc)
• Complete description for any dependency changes to and from version

Related

• Upgrade Java 17 #2386

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Release Notes

Update 3rd party dependencies to remove CVE scan warnings. No known exploits are vulnerabilities exist in FusionAuth as the result of using these 3rd party clients. These upgrades are simply a precautionary measure to stay current.
** Upgrade google-guice 5.1.0 to 6.0.0
** Upgrade google-guava 30.1.0 to 32.1.2
** Upgrade java-http 0.2.0 to 0.2.9
** Upgrade kafka-clients 2.8.2 to 3.6.0
** Upgrade prime-mvc 4.11.0 to 4.17.1
** Upgrade snappy-java 1.1.8.1 to 1.1.10.4

[robotdan]

Internal:

• https://github.com/FusionAuth/fusionauth-app/pull/294
• https://github.com/FusionAuth/fusionauth-app/commit/51b6319cbbf4bc6689e744e6c75ddafb3bf05c78

[robotdan]

We could optionally upgrade to Guice 7 I think now that MyBatis has been updated. But we'd need to test to see if there are any other libraries that still have not moved to jarkarta.
mybatis/guice#576