ESAPI excludes transitive dependency xalan from xom, but does not include it itself

[in-fke]

Describe the bug
ESAPI excludes transitive dependency xalan from xom, but does not include it itself
see
https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L181C22-L181C73
it states

excluded because we directly import newer versions

Specify what ESAPI version(s) you are experiencing this bug in
2.5.2.0

To Reproduce
run mvn dependency:tree

Expected behavior
Expected to directly depend on xalan:xalan:2.7.3 (no need to exclude it, just explicitly add the dependency to raise the version)

[kwwall]

IIRC, the reason we excluded xalan in the first place was that had a log of unpatched known vulnerabilities and we didn't rely on any functionality in xom that used anything from xalan.

We are currently using xom:xom:1.3.8, but I just updated our pom to 1.3.9, which no longer has a dependency on xalan, so I simply removed that exclusion as well. It will be out in our next release. Thanks.

[in-fke]

Ok, great, that's even better!