Something we need to get informed about is jars with shaded dependencies.

Daffodil uses lots of other software, and we've recently seen dependency 
conflicts with frameworks that people want to use like XMLCalabash where we are 
using more recent versions of many dependencies, and the opposite is also true 
where we get behind the upgrade curve on libraries.

I don't know that we would want to shade all of Daffodil's dependencies.
To some degree, if you incorporate a specific shaded dependency, you take on
responsibility for the security bugs of those libraries, but for some of them,
like ICU and perhaps Xerces, it seems sensible enough.

This seems to be a new thing in the JVM world vs. the older Java module systems
I've attempted to use, but failed with (OGSI) for complexity reasons.
