JSR 305 dependency should be optional

[garretwilson]

Currently you're bringing in the JSR 305 annotations with no caveats:

        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>jsr305</artifactId>
            <version>3.0.2</version>
        </dependency>

But you don't use them at runtime, so it's better if you declare them as <optional>true</optional> so that they don't force this dependency on downstream projects. See my lesson Contract Programming which discusses this more.

This issue is now becoming important because JSR 305 hit a dead end and has been dormant for ages. Many libraries such as Guava and JUnit and Spring have moved to the new JSpecify, so without this change your library will be forcing an obsolete library on applications, against current trends, with no benefits. (My lesson above is also out of date; it needs to be updated to reference JSpecify.)

I don't believe there are any downsides to your making it optional.

In the meantime I'll need to exclude it from my root POM when declaring the Faux Pas dependency:

<dependency>
    <groupId>org.zalando</groupId>
    <artifactId>faux-pas</artifactId>
    <version>0.9.0</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>jsr305</artifactId>
        </exclusion>
    </exclusions>
</dependency>