The Jasperreports library is reliant on "xalan.jar", which has a security vulnerability. Also, there is no latest version without vulnerability of "xalan.jar" available. Hence, we are planning to remove this jar from our environment, but it is causing functionality to break.
As per our understanding, the Xalan jar is dormant and, in the future, it will be retired. The solution is that the Java runtime includes the Xalan package in Open JDK, which needs to be used to replace the Apache Xalan jar.
Please let us know if we have any plans to remove the dependency of xalan.jar for the jasperreport library in future releases.