Some libraries with upstream CVEs (including XercesImpl) are currently updated via the `dependencyManagement` mechanism. This means the updated versions are not seen by downstream projects (e.g. dms) using this library, which then have to repeat the override.
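
One way to find such pins, generalised from XercesImpl to every managed artifact (an added example, not this project's code): the script lists `dependencyManagement` entries that have no matching direct `<dependency>`. The sample POM is constructed, and the `org.example` coordinates, the `xerces.fixed.version` placeholder and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM, not the project's real build file.
# ${xerces.fixed.version} is a placeholder for the patched release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId>
  <artifactId>example-lib</artifactId>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>${xerces.fixed.version}</version>
      </dependency>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>example-core</artifactId>
        <version>2.0.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-core</artifactId>
    </dependency>
  </dependencies>
</project>"""

def _coords(root, path):
    """(groupId, artifactId) pairs at path, skipping BOM imports (scope=import)."""
    text = lambda dep, tag: dep.findtext(f"m:{tag}", default="", namespaces=NS).strip()
    return {(text(d, "groupId"), text(d, "artifactId"))
            for d in root.findall(path, NS) if text(d, "scope") != "import"}

def managed_only_pins(pom_xml):
    """Pins that exist only in dependencyManagement, so consumers never see them."""
    root = ET.fromstring(pom_xml)
    managed = _coords(root, "m:dependencyManagement/m:dependencies/m:dependency")
    direct = _coords(root, "m:dependencies/m:dependency")
    return sorted(managed - direct)

if __name__ == "__main__":
    print(managed_only_pins(SAMPLE_POM))
```

Each artifact it reports is a candidate for a direct `<dependency>` entry in this library, so that the fixed version is part of what downstream builds resolve.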