apache / pekko-persistence-cassandra

A replicated Apache Pekko Persistence journal backed by Apache Cassandra
https://pekko.apache.org/
Apache License 2.0

revert cassandra driver to 4.6.1 #41

Closed pjfanning closed 1 year ago

pjfanning commented 1 year ago

Last OSS Akka release (1.0.6) depended on Cassandra driver v4.6.1.

fyi @nvollmar @jrudolph @mdedetrich

I'm neutral enough - I can see some benefit to just simply updating Jackson to latest v2.12 or latest v2.14 - but this revert might be closer to our usual aim of trying to closely match the last OSS Akka releases.

mdedetrich commented 1 year ago

I would prefer to update the Jackson dependency unless there is some very strong technical reason otherwise (aside from trying to make Pekko 1.0.x, as close to BSL Akka as possible).

We already made exceptions to this rule (i.e. close to BSL Akka) before, ergo pekko-http with upstream paradox, if the reasons are strong enough, and considering the historic problems with supporting older Jackson versions along with the related fact that we may get some CVE in the future.

mdedetrich commented 1 year ago

I also prefer to move forward with the version of the Cassandra driver (compared to Akka). We were already bitten by problems with the old driver and had to force override the cassandra-driver version to avoid problems.

Btw. with the latest Cassandra driver there are also some CVEs: https://docs.datastax.com/en/developer/java-driver/4.14/changelog/

Furthermore, current CVEs on their own are already an accepted exception to the "close to Akka BSL version" rule.

danischroeter commented 1 year ago

I also prefer to move forward with the version of the Cassandra driver (compared to Akka). We were already bitten by problems with the old Cassandra driver used by a-persistence-cassandra and had to force override the cassandra-driver version to avoid problems. Reverting Pekko now will only make matters worse.

Btw. in the latest Cassandra driver changelogs there are also some CVEs, where they apparently upgraded Jackson 2.12.2 to 2.13.2 ... :thinking: https://docs.datastax.com/en/developer/java-driver/4.14/changelog/ -> https://github.com/datastax/java-driver/commit/3b75607526f49c7f2dad08c5c31884d0dc6f4b84

nvollmar commented 1 year ago

We could also exclude the jackson dependency of the driver until we're ready to upgrade it across all projects.

As already mentioned, we have this version in production for a long time due to issues with the outdated versions Akka was having in use.

pjfanning commented 1 year ago

Let's upgrade Jackson - seems easiest, and we've had users asking about a Jackson upgrade anyway due to some recent CVEs.
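The two mitigations raised in the thread (forcing the cassandra-driver version, and excluding the driver's transitive Jackson so a single, current Jackson is declared directly) can be expressed in a downstream application's build. This is an added example, not the project's own build file; the version values are assumptions chosen from releases that exist, and should be replaced with whatever the Pekko and driver release notes currently require.

```scala
// build.sbt (added example, not pekko-persistence-cassandra's own build)
// Assumed versions: pick the ones your Pekko release line documents.
val PekkoPersistenceCassandraVersion = "1.0.0"  // assumption
val CassandraDriverVersion           = "4.14.0" // newer driver line discussed in the thread
val JacksonVersion                   = "2.14.0" // assumption: a current 2.14.x release

// Exclude Jackson wherever it arrives transitively (the journal and the driver),
// then declare it once at the top level so there is exactly one resolved version.
val jacksonExclusion = ExclusionRule(organization = "com.fasterxml.jackson.core")

libraryDependencies ++= Seq(
  ("org.apache.pekko" %% "pekko-persistence-cassandra" % PekkoPersistenceCassandraVersion)
    .excludeAll(jacksonExclusion),
  ("com.datastax.oss" % "java-driver-core" % CassandraDriverVersion)
    .excludeAll(jacksonExclusion),
  "com.fasterxml.jackson.core" % "jackson-databind" % JacksonVersion
)

// Force the driver and Jackson versions even if another library pulls in an
// older one; this is the "force override" the thread describes.
dependencyOverrides ++= Seq(
  "com.datastax.oss"          % "java-driver-core" % CassandraDriverVersion,
  "com.fasterxml.jackson.core" % "jackson-core"     % JacksonVersion,
  "com.fasterxml.jackson.core" % "jackson-databind" % JacksonVersion
)
```

To confirm only the intended versions remain on the classpath, run `sbt evicted` and `sbt "whatDependsOn com.fasterxml.jackson.core jackson-databind"` (the dependency-graph tasks ship with sbt 1.4 and later).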