Our static code scanner reports that the latest version of ESAPI (2.5.1.0) depends on the Apache Commons FileUpload library version 1.4, which is vulnerable to CVE-2023-24998.
Are you planning on releasing a new version that uses version 1.5 and configures it so that the vulnerability is mitigated by default:
> Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
If not, can you recommend a way to address this vulnerability report?
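For readers who land here with the same scanner finding, the following is an added example (not code from ESAPI, from Commons FileUpload, or from the issue author) of what "explicitly configured" means in practice. It assumes the application does its own multipart parsing with Commons FileUpload 1.5 on the classpath; the class name `BoundedMultipartParser` and the limit values are illustrative choices for this example.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Hypothetical helper showing how an application that parses multipart
 * requests with Commons FileUpload 1.5 opts in to the part-count limit
 * (FileUploadBase#setFileCountMax) that CVE-2023-24998 is about.
 * The limit values are illustrative, not recommendations from ESAPI or
 * Commons FileUpload.
 */
public final class BoundedMultipartParser {

    // Illustrative limits; tune them to what the application really needs.
    private static final long MAX_PARTS = 10;                        // request parts (the CVE-2023-24998 knob)
    private static final long MAX_FILE_SIZE = 5L * 1024 * 1024;      // bytes per uploaded file
    private static final long MAX_REQUEST_SIZE = 20L * 1024 * 1024;  // bytes for the whole request

    private BoundedMultipartParser() {
    }

    /** Builds a ServletFileUpload with every limit set explicitly. */
    public static ServletFileUpload newUpload() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);

        // Releases before 1.5 have no part-count limit at all. In 1.5 the
        // setter exists but the default is unlimited, so the value must be set
        // explicitly or the upgrade alone changes nothing for this CVE.
        upload.setFileCountMax(MAX_PARTS);

        // The size limits are likewise opt-in; set them in the same place so a
        // single oversized part or request is rejected as well.
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);
        return upload;
    }

    /** Parses the request, rejecting it once any configured limit is exceeded. */
    public static List<FileItem> parse(HttpServletRequest request) throws IOException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new IOException("not a multipart request");
        }
        try {
            return newUpload().parseRequest(request);
        } catch (FileUploadException e) {
            // Exceeding the part count or either size limit surfaces as a
            // subclass of FileUploadException; fail the request rather than
            // continuing with a partially parsed body.
            throw new IOException("rejected multipart request: " + e.getMessage(), e);
        }
    }
}
```

To make the 1.5 artifact the one on the classpath while ESAPI 2.5.1.0 still declares 1.4 transitively, the usual approach is to pin `commons-fileupload:commons-fileupload:1.5` in your own build (for Maven, a `dependencyManagement` entry or a direct dependency, which takes precedence over the transitive one). As the CVE text above notes, that pin by itself only makes `setFileCountMax` available; nothing is limited until some code calls it, so if the multipart parsing happens inside a library rather than in code you control, check where that call would have to live before closing the scanner finding.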