Dependency on Guava #27
Unanswered
XSpielinbox asked this question in Q&A
Replies: 0 comments
The Mongock Driver API has a compile dependency on `com.google.guava:guava:jar:30.1.1-jre`. This gets flagged as vulnerable to CVE-2020-8908.

To attest that we are not affected, I wanted to check that the problematic method isn't used.

When looking at the source code though, I could not find any usage of Guava in the Mongock Driver API. I, unfortunately, could not verify that it really isn't used, because when trying `mvn verify`, I constantly get test failures in the dynamodb-driver saying that it could not connect to RYUK or something like that. However, `TESTCONTAINERS_RYUK_DISABLED=true mvn verify` didn't help with that, though that should disable the use of RYUK (I use Podman and therefore RYUK is not needed, and this actually does the trick in some other Testcontainers code I have).

My real question would therefore be: Is Mongock vulnerable? Is this maybe a dependency that isn't needed and can be removed?

The intermediate questions for that would be: How can I skip the dynamodb tests or only build the Mongock Driver API subproject? Regardless, figuring out why these tests fail might be interesting too, of course.
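One way to support the "not affected" attestation the question asks about, independent of whether the test suite runs: scan the built jar's bytecode for references to the method CVE-2020-8908 concerns, Guava's `com.google.common.io.Files.createTempDir()`. Reading the Java source is not enough, because a generated or shaded class could still call it. The script below is an added example, not Mongock project code and not an answer from the discussion's author. It parses the constant pool of every `.class` in a jar and reports `Methodref` entries whose owner and name match. The sample jar it builds (`constructed_jar`, with a truncated class file that carries only a constant pool) is constructed for the example; run it against a real artifact with `python scan_guava.py path/to/mongock-driver-api.jar` (the jar name is a placeholder). A hit means the vulnerable method is referenced at the bytecode level; no hit means the jar cannot call it directly, which is the evidence an attestation needs, though reflective calls or calls made by another dependency would not show up.

```python
"""Scan a jar for bytecode references to Guava Files.createTempDir (CVE-2020-8908).

Added example, not Mongock project code. Only the constant pool of each class
is parsed; that is enough to see every class/method pair a class can invoke.
"""
import io
import struct
import sys
import zipfile

# The API named by CVE-2020-8908, in JVM internal (slash-separated) form.
VULNERABLE_OWNER = "com/google/common/io/Files"
VULNERABLE_METHOD = "createTempDir"

# Constant-pool tag -> fixed payload size in bytes; tag 1 (Utf8) is variable.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return {index: (tag, payload)} for a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            text = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pool[i] = (tag, text)
            pos += 2 + length
        elif tag in _FIXED:
            size = _FIXED[tag]
            pool[i] = (tag, data[pos:pos + size])
            pos += size
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return pool


def method_refs(data):
    """Yield (owner_class, method_name, descriptor) for every Methodref/InterfaceMethodref."""
    pool = parse_constant_pool(data)
    for tag, payload in pool.values():
        if tag not in (10, 11):
            continue
        class_idx, nat_idx = struct.unpack(">HH", payload)
        (owner_idx,) = struct.unpack(">H", pool[class_idx][1])   # Class -> Utf8
        name_idx, desc_idx = struct.unpack(">HH", pool[nat_idx][1])  # NameAndType
        yield pool[owner_idx][1], pool[name_idx][1], pool[desc_idx][1]


def find_vulnerable_calls(jar_bytes, owner=VULNERABLE_OWNER, method=VULNERABLE_METHOD):
    """Return the sorted list of class entries in the jar that reference owner.method."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            for ref_owner, ref_name, _desc in method_refs(jar.read(entry)):
                if ref_owner == owner and ref_name == method:
                    hits.append(entry)
                    break
    return sorted(hits)


def constructed_class(owner, method, desc):
    """Constructed test input: a class file truncated after a constant pool holding one Methodref."""
    def utf8(s):
        b = s.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(b)) + b
    pool = (utf8(owner)                             # 1 Utf8 owner
            + b"\x07" + struct.pack(">H", 1)        # 2 Class -> 1
            + utf8(method)                          # 3 Utf8 name
            + utf8(desc)                            # 4 Utf8 descriptor
            + b"\x0c" + struct.pack(">HH", 3, 4)    # 5 NameAndType
            + b"\x0a" + struct.pack(">HH", 2, 5))   # 6 Methodref
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + pool


def constructed_jar():
    """Constructed sample jar: one class calling Files.createTempDir, one that does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("io/example/UsesTempDir.class",
                     constructed_class(VULNERABLE_OWNER, VULNERABLE_METHOD, "()Ljava/io/File;"))
        jar.writestr("io/example/Clean.class",
                     constructed_class("java/lang/Object", "<init>", "()V"))
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_jar()
    for hit in find_vulnerable_calls(data):
        print(f"references {VULNERABLE_OWNER}.{VULNERABLE_METHOD}: {hit}")
```

To get the jar without running the DynamoDB tests, the general Maven flags `-pl <module> -am -DskipTests` (build only the named module and what it depends on, compiling but not running tests) apply to any multi-module build; the module name is a placeholder here. `mvn dependency:analyze` on that module lists Guava under "Unused declared dependencies" if nothing in its classes references it, which answers the "can it be removed" question separately from the CVE.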