guardian / typerighter

Even if you’re the right typer, couldn’t hurt to use Typerighter!
Apache License 2.0

Upgrade dependencies to fix high vulnerabilities #458

Closed samanthagottlieb closed 11 months ago

samanthagottlieb commented 12 months ago

What does this change?

This upgrades dependencies to resolve Snyk high vulnerabilities. Some dependencies have been manually overridden as the libraries dependent on them were using versions with vulnerabilities.

The sbt-dependency-graph plugin has been added to ensure the Snyk CLI and dashboard are accurate. See more here.

Note: there is one outstanding high vulnerability (io.netty:netty-codec-http2) introduced through the Guardian's simple-configuration-ssm package. There is an open PR addressing this. Once this is merged, the version of simple-configuration-ssm can be upgraded to resolve this.

How to test

How can we measure success?

There are no longer any high vulnerabilities (with the exception of the io.netty:netty-codec-http2 vulnerability) in the Snyk typerighter project.
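An added example, not from the typerighter repository or this PR, of what enabling the dependency tree plugin, pinning a vulnerable transitive artifact, and tracing where an artifact comes from look like in an sbt build; the organisation, artifact and version used in the override are placeholders, and the `addDependencyTreePlugin` form assumes sbt 1.4 or later:

```scala
// project/plugins.sbt  (added example; not the repo's own file)
// sbt 1.4+ ships the former sbt-dependency-graph plugin; this one line enables
// the dependencyTree / whatDependsOn tasks so the build's resolved graph can be
// compared against what Snyk reports.
addDependencyTreePlugin

// build.sbt  (added example; not the repo's own file)
// dependencyOverrides pins a transitive artifact to a single version without
// touching the direct dependency that pulls it in. Use it when the library
// depending on the vulnerable artifact has not yet published a fix itself.
// PLACEHOLDER values below are not real coordinates or versions.
dependencyOverrides ++= Seq(
  "PLACEHOLDER_ORG" % "PLACEHOLDER_ARTIFACT" % "PLACEHOLDER_FIXED_VERSION"
)

// Then, from the shell, confirm the override took effect and find which
// direct dependency introduces a flagged artifact, e.g. the netty one noted
// in the PR description:
//   sbt "dependencyTree"
//   sbt "whatDependsOn io.netty netty-codec-http2"
```

If `whatDependsOn` still shows an unpatched version after the override, the pinned version string does not match the flagged artifact's coordinates and the override is silently ignored, so check the organisation and artifact name first.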

samanthagottlieb commented 12 months ago

This is great! One comment about dependencyTree, and it'll need a check in CODE to make sure everything's working as expected. Back in on Monday and happy to do that as part of the review.

One thing we'll need to check when we're upgrading LanguageTool – whether it affects any of the built-in rules we depend upon.

There's a bit in the README here that I think we could expand on!

If it'd be useful, be really happy to pair on this – this is a bit obscure, and I want to make sure the docs and process are as sane as possible 🙏

I've deployed to CODE and checked that the rule manager and checker are running as usual 👍.

Thanks for the link to the Language Tool section of README. Pairing on this on Monday would be great!

samanthagottlieb commented 11 months ago

Just a note that I've deployed this to CODE, tested the rule manager and checker, and also tested running TR in Composer CODE. All seems to be working as expected!