Conversation

plumstone

@plumstone plumstone commented Apr 28, 2025

Fixes #60

This PR is a proposal for a long-term solution for the continuous maintenance of the jackson-databind library.

The user of jackson-databind-nullable will be forced to explicitly declare the dependency on jackson-databind. This gives him full control over the jackson version he uses for his project.

In the past, jackson-databind has been known to have some vulnerabilities.
With this change, the consumer is no longer directly bound to the jackson version that jackson-nullable was built with.

If you have any concerns, please let me know. I welcome any feedback.

README.md Outdated

## Usage

Starting from version `2.0.7` the jackson-databind dependency is no longer transitively shipped with this library. Therefore, it needs to be declared explicitly. This enables you to be more flexible in updating the jackson version you are using for your project.

Minor typo - I think it should be "version 0.2.7" instead of "version 2.0.7" :)

@Maran23

Maran23 commented Aug 22, 2025

I think this is a good idea. This needs to be documented in the release notes / changelog when it is merged.
Consumers will notice if the jackson dependency needs to be added explicitly as well.

@plumstone plumstone changed the title Change jackson-databind dependency to not being shipped transitively (OpenAPITools#60) Change jackson-databind dependency to not being shipped transitively Aug 22, 2025
@wing328
Member

wing328 commented Sep 9, 2025

Thanks for the PR and sorry for the late reply.

We're looking for maintainers: #71

Let me know if you're interested in maintaining this project. Thank you.

@nrayburn-tech
Contributor

This works, but I don't think it's a common approach. I'm not sure it's the right thing to do.

For example, spring-webmvc also contains a compile scope dependency on spring-core. It doesn't contain a provided scope dependency on spring-core.

@Til7701
Contributor

Til7701 commented Sep 24, 2025

The given examples are submodules of projects of the same organization. This is an independent project. That said, this project almost looks like a Jackson project given the name. I think we can still include it, if this project is more actively maintained in the future. Users of this library can also override the version, if needed.
Furthermore, this is a major breaking change. We could discuss that again, when we upgrade to Jackson 3.
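To make the two consumer-side options discussed in this thread concrete, here is an added example of a consumer pom.xml (this is not the project's own build file and not code from any participant). It does both things at once: it declares jackson-databind explicitly, as the proposed README text asks, and it pins the version through dependencyManagement, which is how a consumer overrides the transitive version that a compile-scope dependency of jackson-databind-nullable would otherwise bring in. The Maven coordinates are the real ones; the version strings are placeholders and are not a recommendation.

```xml
<!-- Added example: a consumer pom.xml, not the jackson-databind-nullable project's own file.
     Coordinates are real; the PLACEHOLDER version strings are assumptions to be filled in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- One place to bump Jackson after a security advisory -->
    <jackson.version>PLACEHOLDER-JACKSON-VERSION</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed version wins over any transitive jackson-databind version that a
           compile-scope dependency of jackson-databind-nullable would pull in -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.openapitools</groupId>
      <artifactId>jackson-databind-nullable</artifactId>
      <version>PLACEHOLDER-NULLABLE-VERSION</version>
    </dependency>
    <!-- Explicit declaration: required if the library ships jackson-databind as
         provided scope (provided is not transitive), harmless if it stays compile scope.
         The version comes from dependencyManagement above. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the managed version, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows which jackson-databind version actually resolved and where it came from, which is the check worth running before relying on the override.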

@nrayburn-tech
Contributor

The version has been updated and dependabot is setup for regular updates.

Given the project relies on jackson-databind, I don’t think we should change the scope to provided. (Either now or in a major version change).

Users should always provide the version of Jackson they want to use. However, this project should also keep databind as a compile time dependency to follow what I believe is the regular expectation from users.

@plumstone
Author

I am okay with the decision to not change the dependency scope to provided. Since the dependabot is set up to update the dependencies, it seems less likely that this repo gets outdated soon.

Development

Successfully merging this pull request may close these issues.

Upgrade jackson-core to latest. Is this repo still maintained ?