Add shaded libraries as dependencies to `-thin` jar
Is your feature request related to a problem? Please describe.
org.yaml/snakeyaml keeps having CVEs found for it, which requires that we upgrade the shaded LD SDK even though we don't use the feature that needs snakeyaml, which is more work than we'd like.
We're switching to the thin jar, but it'd be nice not to have to explicitly add the internal dependencies to our project, and instead use exclusions to keep snakeyaml out.
Describe the solution you'd like
I'd like the thin jar to declare the internal libraries as dependencies, so I can explicitly exclude snakeyaml without having to explicitly include the other libraries/versions, which may change in the future.
Describe alternatives you've considered
Currently I've explicitly added the internal dependencies, as defined in the build.gradle file, to our project, but I suspect this will require more tricky coordination in the future when we need to upgrade the SDK again.
Additional context
This is spurred on by our internal security requirements around handling CVEs.
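For readers following the workaround described in this issue, here is an added example of a consumer `build.gradle` (not from the issue author or the SDK project) that depends on the classified `-thin` jar, lists the SDK's internal libraries by hand, and keeps `org.yaml:snakeyaml` off the classpath with an exclusion. All coordinates and versions below (`com.example:sdk`, `sdk-internal-a`, `sdk-internal-b`, `1.0.0`) are placeholders to be replaced with the real entries copied from the SDK's own build.gradle.

```groovy
// Added example, not the SDK project's own build file. All coordinates and
// versions are placeholders; copy the real ones from the SDK's build.gradle.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Pin the SDK version in one place so the thin jar and the hand-copied
// internal libraries are upgraded together (the "tricky coordination" the
// issue mentions lives here).
def sdkVersion = '1.0.0' // placeholder

dependencies {
    // The thin jar is a classified artifact (group:name:version:classifier).
    // Its POM carries no dependency list, so nothing is pulled in transitively.
    implementation "com.example:sdk:${sdkVersion}:thin"

    // Internal libraries the thin jar needs at runtime, copied from the SDK's
    // build.gradle. Placeholders: replace with the real coordinates/versions.
    implementation 'com.example:sdk-internal-a:2.3.4'
    implementation 'com.example:sdk-internal-b:5.6.7'

    // org.yaml:snakeyaml is deliberately absent: the application never uses the
    // SDK feature that requires it.
}

// Belt and braces: even if a future SDK (or any other dependency) declares
// snakeyaml transitively, this exclusion keeps it out of every configuration,
// so a new snakeyaml CVE does not force an SDK upgrade just to drop the jar.
configurations.all {
    exclude group: 'org.yaml', module: 'snakeyaml'
}
```

To confirm the exclusion took effect, inspect the resolved runtime classpath with `./gradlew dependencies --configuration runtimeClasspath` and check that no `org.yaml:snakeyaml` entry appears; if the SDK feature that needs YAML is ever invoked it will fail with a `NoClassDefFoundError`, which is the intended trade-off for not shipping the library.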
I understand the problem you're describing, and we have been considering dropping snakeyaml for that reason, but I'm not sure I understand the particular solution you're proposing.
What would be the mechanism for declaring dependencies for the thin jar? As I understand it (and I apologize if I'm missing something obvious; we haven't used multi-jar publications for any purpose other than this SDK, not counting the standard inclusion of source/javadoc jars), Maven does not have a concept of dependencies for a secondary artifact, i.e. one that has a classifier as opposed to being the default jar. The dependencies declared in pom.xml are, by definition, for the primary artifact (the default jar).