Jtwig-web ships a guava version with known vulnerabilities #375

@gtudan

jtwig web has a dependency on guava version 18 that has a known vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2018-10237

I'm not sure if this is really an issue with jtwig, but it triggers alerts with security scanners like Snyk or the OWASP-Dependency-Check. This might also cause projects to run on older versions of guava, depending on the order of dependencies in the build file, and expose them to this issue. So I suppose we update to the latest guava version, or at least 24.1.1 where this issue was fixed.
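
An added example (not part of the original issue or the jtwig project): a check a build pipeline could run over `mvn dependency:tree` output to see which Guava version was actually resolved, flagging anything below the 24.1.1 fix named in the issue. The sample trees, the `com.example` coordinates and the jtwig-web version string are constructed for illustration.

```python
import re

FIXED = (24, 1, 1)  # first fixed Guava release, as stated in the issue

def parse_version(text):
    """'24.1.1-jre' -> (24, 1, 1); '18.0' -> (18, 0, 0); None if not numeric."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(part or 0) for part in m.groups()) if m else None

def find_guava(tree_text):
    """Return [(version, status)] for each Guava entry in dependency:tree output."""
    findings = []
    for line in tree_text.splitlines():
        m = re.search(r"com\.google\.guava:guava:(\S+)", line)
        if not m:
            continue
        # Remaining fields are type[:classifier]:version:scope
        fields = m.group(1).split(":")
        if len(fields) < 3:
            continue
        version = fields[-2]
        parsed = parse_version(version)
        if parsed is None:
            status = "unknown"      # e.g. very old 'r09' style; review by hand
        elif parsed < FIXED:
            status = "vulnerable"   # below the 24.1.1 fix
        else:
            status = "fixed"
        findings.append((version, status))
    return findings

# Constructed sample: Guava arrives transitively through jtwig-web.
TREE_BEFORE = r"""
[INFO] com.example:demo-app:war:1.0.0
[INFO] \- org.jtwig:jtwig-web:jar:0.0.0-constructed:compile
[INFO]    \- com.google.guava:guava:jar:18.0:compile
"""

# Constructed sample: the consuming project declares a fixed Guava directly.
TREE_AFTER = r"""
[INFO] com.example:demo-app:war:1.0.0
[INFO] +- com.google.guava:guava:jar:24.1.1-jre:compile
[INFO] \- org.jtwig:jtwig-web:jar:0.0.0-constructed:compile
"""

if __name__ == "__main__":
    for name, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        print(name, find_guava(tree))
```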
