Bump javax.el 3.0.0 to jakarta.el 4.0.2 to fix CVE-2021-28170

[tsg21]

The version of javax.el being pulled in by transaction-outbox has a CVE: https://www.cve.org/CVERecord?id=CVE-2021-28170

javax.el was renamed to jakarta.el as part of some earlier JDK work. The old javax.el is no longer maintained. This PR shifts transaction-outbox to the replacement library.

[tsg21]

This isn't quite right. It doesn't work with the hibernate bean validator:
https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#validator-gettingstarted-uel

Might need to bump that too.

[badgerwithagun]

Somewhere back in the mists of the GitHub log (and an actual release) you'll find this path has been trodden before. It broke nearly everything for everyone (spring, dropwizard and other major frameworks were still on javax.el) and was eventually reverted.

I'm all for giving it another crack, but a bit of a compatibility sweep will be in order.

[tsg21]

It doesn't feel like bean validation (and its jaxa.el/jakarta.el dependency) is a core part of the transaction-outbox offering. Ideally it would be hived off into an extension like you have with the Spring/Guice/etc. integrations. I imagine that would be a backwards-incompatible change though.

Can you take javax.el out of the core dependencies and document that users would need to pull in the library themselves?

[badgerwithagun]

It's purely a convenience and could easily be stripped out and replaced with a bunch of if conditions.

Easily done; just remove the dependency and systematically replace every use case.