IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it might also be used for generating source maps at build time, I don't remember) ; sourcemaps are bundled with your application so they can hardly be considered "untrusted data".
James (mime4j) is a transitive dependency of HTMLUnit, used for testing. It's not clear whether the mime4j component of James is vulnerable (I'd say no), but it's only used for unit tests where I'd say you shouldn't load any untrusted data.
Jetty as used in GWT won't do HTTP/2.
So, the only possible attack surface would be untrusted URLs loaded during tests.