Hi, I found that sec:java-sec-code:1.0.0’s pom file introduced 199 dependencies. However, among them, 8 libraries (4% have not been used by your project), the redundant dependencies are listed below.

More seriously, 8 redundant libraries have not been maintained by developers for more than 3 years (outdated dependencies).

Reduce these unused dependencies can help prevent introducing bugs/vulnerabilities from dependencies with outdated. Meanwhile, it can minimize the project size. To safely remove redundant dependencies, I constructed a complete call graph (resolved most of Java reflection and dynamic binding), and validated that they have not been used by the client code.

This PR sec:java-sec-code:1.0.0 for removing the redundant dependencies have passed the tests.

Best regards

Redundant dependencies

Redundant indirect dependencies:

    net.bytebuddy:byte-buddy:1.8.12:compile [2 MB]
    com.google.errorprone:error_prone_annotations:2.0.18:compile [11 KB]
    xml-apis:xml-apis:1.4.01:compile [215 KB]
    com.google.j2objc:j2objc-annotations:1.1:compile [8 KB]
    org.codehaus.mojo:animal-sniffer-annotations:1.14:compile [3 KB]
    org.mapstruct:mapstruct:1.2.0.Final:compile [20 KB]
    com.ibm.icu:icu4j:4.6:compile [5 MB]
    com.google.code.findbugs:jsr305:1.3.9:compile [32 KB]

Outdated dependencies

xml-apis:xml-apis:1.4.01 (4260 days without maintenance)
org.codehaus.mojo:animal-sniffer-annotations:1.14 (2974 days without maintenance)
com.google.errorprone:error_prone_annotations:2.0.18 (2240 days without maintenance)
com.google.code.findbugs:jsr305:1.3.9 (4985 days without maintenance)
net.bytebuddy:byte-buddy:1.8.12 (1789 days without maintenance)
org.mapstruct:mapstruct:1.2.0.Final (2009 days without maintenance)
com.ibm.icu:icu4j:4.6 (4520 days without maintenance)
com.google.j2objc:j2objc-annotations:1.1 (2281 days without maintenance)