Bumped javapos-config-loader to version 4.0.1 getting rid of Xerces.

Author: kuniss

README.md

@@ -9,6 +9,9 @@ The UnifiedPOS reference implementation for Java provided by UnifiedPOS committe
 
 Use this library, if your are implementing JavaPOS device services or an JavaPOS application using the [reference implementation of device controls](https://github.com/JavaPOSWorkingGroup/javapos-controls) provided by this group (instead of using your own). In that case this library is valid to be deployed to production environments too.
 
-If you have implemented your own version of device controls use the both libraries [javapos-contracts](https://github.com/JavaPOSWorkingGroup/javapos-contracts) and [javapos-config-loader](https://github.com/JavaPOSWorkingGroup/javapos-config-loader) instead of this one to avoid class ambiguities on your classpath.
+If you have implemented your own version of device controls, do not use this libraray! Use the both libraries [javapos-contracts](https://github.com/JavaPOSWorkingGroup/javapos-contracts) and [javapos-config-loader](https://github.com/JavaPOSWorkingGroup/javapos-config-loader) instead of this one to avoid class ambiguities on your class-path.
+
+Since version 1.15.4 of this package, the [javapos-config-loader](https://github.com/JavaPOSWorkingGroup/javapos-config-loader) version 4.0 gets incorporated which does not have a Xerces dependency anymore. Instead the XML parser from the Java framework library is used. This solves mainly vulnerability issues, no new functionality was added.
+If you need to use the older version 3 of the JavaPOS Config Loader provided by [javapos-config-loader](https://github.com/JavaPOSWorkingGroup/javapos-config-loader) then do not use this library! Instead, use the three libraries [javapos-contracts](https://github.com/JavaPOSWorkingGroup/javapos-contracts), [javapos-config-loader](https://github.com/JavaPOSWorkingGroup/javapos-config-loader), and [javapos-controls](https://github.com/JavaPOSWorkingGroup/javapos-controls) for their own to have control of their specific versions.
 
 NOTE: The documentation shown here in the past about project evolving has been moved to a [Wiki page](https://github.com/JavaPOSWorkingGroup/javapos/wiki/Migrating-to-And-Joining-All-Sources-At-GitHub). 

build.gradle

@@ -28,13 +28,12 @@ wrapper {
 def artifactName = 'javapos'
 group='org.javapos'
 def uposVersion = '1.15'
-version="${uposVersion}.3" // the last part after dot is the build/release version
+version="${uposVersion}.4" // the last part after dot is the build/release version
 
 // dependency versions
 def javaposContractsVersion = "$uposVersion.3"
 def javaposControlsVersion  = "$uposVersion.0"
-def jclVersion = '3.1.0'
-def xercesVersion = '1.2.3'  // artificial dependency inherited from javapos-config-loader - take over from there
+def jclVersion = '4.0.1'
 
 ///////////////////////////////////////////////////////////////////////////////
 // Build Dependencies
@@ -73,8 +72,6 @@ configurations {
 }
 
 dependencies {
-    api "xerces:xerces:$xercesVersion" // artificial dependency inherited from javapos-config-loader
-
 	javaposLibs ("org.javapos:javapos-contracts:$javaposContractsVersion") { transitive = false } 
 	javaposLibs ("org.javapos:javapos-controls:$javaposControlsVersion") { transitive = false }
 	javaposLibs ("org.javapos:javapos-config-loader:$jclVersion") { transitive = false }