Update dependency com.google.code.gson:gson to v2.8.9 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
com.google.code.gson:gson	2.3.1 → 2.8.9

GitHub Vulnerability Alerts

CVE-2022-25647

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.

---

Release Notes

google/gson (com.google.code.gson:gson)

v2.8.9

• Make OSGi bundle's dependency on sun.misc optional (#​1993).
• Deprecate Gson.excluder() exposing internal Excluder class (#​1986).
• Prevent Java deserialization of internal classes (#​1991).
• Improve number strategy implementation (#​1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (#​1990).
• Support arbitrary Number implementation for Object and Number deserialization (#​1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (#​1980).
• Don't exclude static local classes (#​1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (#​1959).
• Improve Maven build (#​1964).
• Make dependency on java.sql optional (#​1707).

v2.8.8

• Fixed issue with recursive types (#​1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (#​1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (#​1495).

v2.8.7

• Fixed ISO8601UtilsTest failing on systems with UTC+X.
• Improved javadoc for JsonStreamParser.
• Updated proguard.cfg (#​1693).
• Fixed IllegalStateException in JsonTreeWriter (#​1592).
• Added JsonArray.isEmpty() (#​1640).
• Added new test cases (#​1638).
• Fixed OSGi metadata generation to work on JavaSE < 9 (#​1603).

v2.8.6

2019-10-04 GitHub Diff

• Added static methods JsonParser.parseString and JsonParser.parseReader and deprecated instance method JsonParser.parse
• Java 9 module-info support

v2.8.5

2018-05-21 GitHub Diff

• Print Gson version while throwing AssertionError and IllegalArgumentException
• Moved utils.VersionUtils class to internal.JavaVersion. This is a potential backward incompatible change from 2.8.4
• Fixed issue #​1310 by supporting Debian Java 9

v2.8.4

2018-05-01 GitHub Diff

• Added a new FieldNamingPolicy, LOWER_CASE_WITH_DOTS that mapps JSON name someFieldName to some.field.name
• Fixed issue #​1305 by removing compile/runtime dependency on sun.misc.Unsafe

v2.8.3

2018-04-27 GitHub Diff

• Added a new API, GsonBuilder.newBuilder() that clones the current builder
• Preserving DateFormatter behavior on JDK 9
• Numerous other bugfixes

v2.8.2

2017-09-19 GitHub Diff

• Introduced a new API, JsonElement.deepCopy()
• Numerous other bugfixes

v2.8.1

2017-05-30 GitHub Diff

• New: JsonObject.keySet()
• @JsonAdapter annotation can now use JsonSerializer and JsonDeserializer as well.

v2.7

2016-06-14 GitHub Diff

• Added support for JsonSerializer/JsonDeserializer in @​JsonAdapter annotation
• Exposing Gson properties excluder(), fieldNamingStrategy(), serializeNulls(), htmlSafe()
• Added JsonObject.size() method
• Added JsonWriter.value(Boolean value) method
• Using ArrayDeque, ConcurrentHashMap, and other JDK 1.6 features
• Better error reporting
• Plenty of other bug fixes

v2.6.2

2016-02-26 GitHub Diff

• Fixed an NPE bug with @​JsonAdapter annotation
• Added back OSGI manifest
• Some documentation typo fixes

v2.6.1

2016-02-11 GitHub Diff

• Fix: The 2.6 release targeted Java 1.7, but we intend to target Java 1.6. The
  2.6.1 release is identical to 2.6, but it targets Java 1.6.

v2.6

2016-02-26 GitHub Diff

• Fixed an NPE bug with @​JsonAdapter annotation
• Added back OSGI manifest
• Some documentation typo fixes

v2.5

2015-11-24 GitHub Diff

• Updated minimum JDK version to 1.6
• Improved Date Deserialization by accepting many date formats
• Added support for java.util.Currency, AtomicLong, AtomicLongArray, AtomicInteger, AtomicIntegerArray, AtomicBoolean. This change is backward-incompatible because the earlier version of Gson used the default serialization which wasn't intuitive. We hope that these classes are not used enough to actually cause problems in the field.
• Improved debugging information when some exceptions are thrown

v2.4

2015-10-04

• Drop IOException from TypeAdapter.toJson(). This is a binary-compatible change, but may
  cause compiler errors where IOExceptions are being caught but no longer thrown. The correct fix
  for this problem is to remove the unnecessary catch clause.
• New: Gson.newJsonWriter method returns configured JsonWriter instances.
• New: @SerializedName now works with [AutoValue’s][autovalue] abstract property methods.
• New: @SerializedName permits alternate names when deserializing.
• New: JsonWriter#jsonValue writes raw JSON values.
• New: APIs to add primitives directly to JsonArray instances.
• New: ISO 8601 date type adapter. Find this in extras.
• Fix: FieldNamingPolicy now works properly when running on a device with a Turkish locale.
  [autovalue]: https://github.com/google/auto/tree/main/value

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.