
Conversation

@merlimat
Contributor

Motivation

Certain components of BookKeeper are still including the old commons-lang dependency (which is already replaced by commons-lang3).

We should exclude it to avoid the CVE:

│ commons-lang:commons-lang                                   │ CVE-2025-48924 │ MEDIUM   │          │ 2.6               │                │ commons-lang/commons-lang: org.apache.commons/commons-lang3: │
│ (commons-lang-commons-lang-2.6.jar)                         │                │          │          │                   │                │ Uncontrolled Recursion vulnerability in Apache Commons Lang  │
│                                                             │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2025-48924                   │
├─────────────────────────────────────────────────────────────┤                │          │          │                   ├────────────────┤                                                              │

Modifications

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:
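The PR body describes the fix only in words (exclude the transitive commons-lang 2.6 that the BookKeeper artifacts still pull in). The Maven fragment below is an added illustration of how such an exclusion is expressed; it is not the diff from this PR, and the artifactId `bookkeeper-server` and the `${bookkeeper.version}` property are assumptions about the consuming pom rather than values taken from the Pulsar build.

```xml
<!-- Added illustration, not the change from this PR. Excludes the legacy
     commons-lang 2.x that BookKeeper brings in transitively; the code base
     already depends on commons-lang3, so nothing should still need the old jar.
     The artifactId and version property below are assumptions about the
     consuming module's pom. -->
<dependency>
  <groupId>org.apache.bookkeeper</groupId>
  <artifactId>bookkeeper-server</artifactId>
  <version>${bookkeeper.version}</version>
  <exclusions>
    <!-- commons-lang:commons-lang:2.6 is the coordinate flagged by the scanner above -->
    <exclusion>
      <groupId>commons-lang</groupId>
      <artifactId>commons-lang</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

An exclusion only removes the jar from the one dependency path it is declared on, so the same block is needed on every BookKeeper artifact that still transitively pulls it in. To confirm the jar is gone from the whole build, run `mvn dependency:tree -Dincludes=commons-lang:commons-lang` from the root; a tree with no matches for any module means the scanner finding in the description no longer applies.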

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Sep 16, 2025
@merlimat merlimat changed the title Exclude commons-lang dep from bookkeeper [fix] Exclude commons-lang dep from bookkeeper Sep 16, 2025
@merlimat merlimat added this to the 4.2.0 milestone Sep 16, 2025
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.23%. Comparing base (8e35e34) to head (b10f315).

Additional details and impacted files


@@             Coverage Diff              @@
##             master   #24749      +/-   ##
============================================
- Coverage     74.26%   74.23%   -0.03%     
+ Complexity    33635    33614      -21     
============================================
  Files          1900     1900              
  Lines        148425   148425              
  Branches      17209    17209              
============================================
- Hits         110225   110181      -44     
- Misses        29426    29442      +16     
- Partials       8774     8802      +28     
Flag Coverage Δ
inttests 26.24% <ø> (-0.82%) ⬇️
systests 22.73% <ø> (-0.06%) ⬇️
unittests 73.74% <ø> (-0.03%) ⬇️



@merlimat merlimat merged commit c461589 into apache:master Sep 16, 2025
50 checks passed
@merlimat merlimat deleted the remove-commons-lang branch September 16, 2025 19:09
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Sep 18, 2025
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Sep 18, 2025
KannarFr pushed a commit to CleverCloud/pulsar that referenced this pull request Sep 22, 2025
walkinggo pushed a commit to walkinggo/pulsar that referenced this pull request Oct 8, 2025
