Explicitly declaring xstream to override a transitively imported version affected by CVE

Explicitly declaring xstream to override a transitively imported version affected by CVE #1097