I'm using the Telegram Bots API for the Kafka Connect telegram sink. Thanks to the Snyk.io scanner I've become aware of security leaks introduced by Jackson libraries used in the Telegram Bots API.
Remediations:
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.7 or higher.
Upgrade com.google.guava:guava to version 24.1.1 or higher.
The Guava dependency is introduced through com.google.inject:guice@4.1.0.
By upgrading guice to 4.2.2, the guava dependency is upgraded to 25.1-android which fixes the CVE issue.
Hmm, according to https://github.com/google/guava/issues/2824 the guava people introduced some unnecessary new dependencies that used to be optional and can be safely excluded ahead of the guava 23 release.
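Added example, not code from the issue thread, the Telegram Bots API or the Kafka Connect sink: a Maven pom.xml fragment that applies the three remediations discussed above from the consuming project's side. It assumes the sink is built with Maven and that the vulnerable libraries arrive only transitively; the dependencyManagement entries override whatever version the Telegram Bots API declares. The exclusion list is an assumption taken from what guava's own POM pulls in around the 23 to 25 releases (the annotation-only artifacts issue 2824 discusses) and should be checked against your actual tree.

```xml
<!-- pom.xml fragment (added example, not from either project).
     Place inside <project> next to the existing <dependencies> block. -->
<dependencyManagement>
  <dependencies>

    <!-- Snyk remediation 1: force jackson-databind to 2.9.7 or higher.
         Managed versions win over the version the Telegram Bots API
         declares transitively, so this takes effect without touching
         the library itself. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.7</version>
    </dependency>

    <!-- Guava is not a direct dependency here; it comes in through
         com.google.inject:guice 4.1.0. Managing guice at 4.2.2 pulls
         guava 25.1-android, which satisfies the >= 24.1.1 requirement. -->
    <dependency>
      <groupId>com.google.inject</groupId>
      <artifactId>guice</artifactId>
      <version>4.2.2</version>
    </dependency>

    <!-- Snyk remediation 2, pinned explicitly as well so that no other
         transitive path can drag an older guava back in. The exclusions
         drop the annotation-only dependencies that guava stopped marking
         optional (see guava issue 2824); this list is an assumption,
         verify it against `mvn dependency:tree` for your build. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>25.1-android</version>
      <exclusions>
        <exclusion>
          <groupId>com.google.code.findbugs</groupId>
          <artifactId>jsr305</artifactId>
        </exclusion>
        <exclusion>
          <groupId>com.google.errorprone</groupId>
          <artifactId>error_prone_annotations</artifactId>
        </exclusion>
        <exclusion>
          <groupId>com.google.j2objc</groupId>
          <artifactId>j2objc-annotations</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>animal-sniffer-annotations</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

  </dependencies>
</dependencyManagement>
```

After adding this, confirm the override actually took effect rather than trusting the POM: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core,com.google.guava` should show a single jackson-databind at 2.9.7 and guava at 25.1-android under guice 4.2.2, and a rerun of the Snyk scan should no longer report either path. If the tree still shows an older version, some other dependency declares it with a nearer path and needs its own exclusion; dependencyManagement only fixes the version, it does not remove the extra edge.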