build: Transition dependency to org.eclipse.parsson groupId

[bmuschko]

Description of Change

Switches org.glassfish:jakarta.json is org.eclipse.parsson:jakarta.json as proposed by the Eclipse Parsson project.

A security scanner in use flagged CVE-2023-4043 and CVE-2023-7272 for org.glassfish:jakarta.json. My guess is that it creates an association between those dependencies automatically.

Why the Switch?

1. Official Project Transition (June 2021): The Jakarta JSON Processing implementation was officially moved from org.glassfish to Eclipse Parsson as a standalone project under Eclipse Foundation governance.
2. Provider Implementation Change: In Jakarta JSON API 2.1.2, the default provider changed from:
   - Old: org.glassfish.json.JsonProviderImpl
   - New: org.eclipse.parsson.JsonProviderImpl
3. End of GlassFish Releases: org.glassfish:jakarta.json stopped at version 2.0.1 (4+ years ago) when the project transitioned to Eclipse Parsson.
4. Active vs. Frozen Development:
   - org.glassfish:jakarta.json - Frozen at 2.0.1 (no security updates)
   - org.eclipse.parsson:jakarta.json - Active (regular security patches and updates)
5. Security Vulnerabilities: The frozen GlassFish version won't receive fixes for vulnerabilities like CVE-2023-4043 and CVE-2023-7272, which were fixed in Eclipse Parsson 1.1.4+.

Bottom Line

Eclipse Parsson is not an alternative—it's the official successor. Continuing to use org.glassfish:jakarta.json means using an abandoned artifact that won't receive security updates or compatibility improvements for newer Jakarta EE specifications.

Related issues

#8127

Have test cases been added to cover the new functionality?

no

[jeremylong]

LGTM

[jeremylong]

Thanks for the PR!