Do not rely on svm scope set to provided in the BoM

[ppalaga]

This PR does the following:

• Sets an explicit <scope>provided</scope> on every svm dependency
• Removed svm dependencies from deployment modules where it is redundant

Motivation:

Relying on a provided or test scope defined in BoM is not necessarily a good practice. People seeing

        <dependency>
            <groupId>org.graalvm.nativeimage</groupId>
            <artifactId>svm</artifactId>
        </dependency>

may naturally expect that the scope is compile, but it is not because it is set in the BoM. When people see this in Quarkus they may think that svm should actually have the compile scope and they may wrongly copy it in that way to their extension projects. That may lead to bugs like apache/camel-quarkus#1182.

I think it is safer for all parties to have an explicit <scope>provided</scope> on all places where the dependency is used.

[gastaldi]

I agree 100%. Perhaps it's safer to remove the scope from the BOM in this PR as well?

[ppalaga]

I agree 100%. Perhaps it's safer to remove the scope from the BOM in this PR as well?

Thrid party extensions importing our BOM may rely on that. We should send a warning via dev ML and platform ML first.