Could com.ibm.eventstreams.connect:kafka-connect-mq-source:1.3.1 drop off redundant dependencies?

[Celebrate-future]

Hi! I found the pom file of project com.ibm.eventstreams.connect:kafka-connect-mq-source:1.3.1 introduced 14 dependencies. However, among them, 6 libraries (42%) are not used by your project. I list the redundant dependencies below (labelled as red ones in the figure):

Redundant dependencies

org.json:json:jar:20080701:compile log4j:log4j:jar:1.2.17:test org.slf4j:slf4j-log4j12:jar:1.7.25:test net.bytebuddy:byte-buddy-agent:jar:1.9.10:test org.bouncycastle:bcprov-jdk15on:jar:1.64:compile org.bouncycastle:bcpkix-jdk15on:jar:1.64:compile

Vulnerable libraries

log4j:log4j:1.2.17 (CVE-2022-23305)

Outdated dependencies

net.bytebuddy:byte-buddy-agent:1.9.10 (1629 days without maintenance) org.slf4j:slf4j-log4j12:1.7.25 (2326 days without maintenance) org.json:json:20080701 (5487 days without maintenance) log4j:log4j:1.2.17 (4082 days without maintenance)

---

Removing the redundant dependencies can reduce the size of project and prevent potential dependency conflict issues (i.e., multiple versions of the same library). More importantly, one of the redundant dependencies log4j:log4j:jar:1.2.17:test incorporates a critical-level vulnerability SNYK-JAVA-LOG4J-572732. As such, I suggest a refactoring operation for com.ibm.eventstreams.connect:kafka-connect-mq-source:1.3.1’s pom file.

The attached PR helps resolve the reported problem. It is safe to remove the unused libraries (we considered Java reflection relations when analyzing the dependencies). These changes have passed com.ibm.eventstreams.connect:kafka-connect-mq-source:1.3.1’s maven tests.

Best regards