No matter how straight-forward to It may be tweak the transitive dependency, there is an aversion by some to doing this rather than getting an updated version of velocity that includes the fix outright.
This issue was resolved a year ago and still has not been released.
Would it not be possible to actually get this pushed out the door?
I see that v1.x has only 1 outstanding planned issue (out of 8).
VELOCITY-862: Applied to 1.x branch and Resolved... and then "Reopening at Nathan's suggestion that we may want to apply this to 2.x"
Velocity 2.x also has only 1 outstanding planned issue (out of 118):
Both VELOCITY-862 and VELOCITY-876 are improvements, not defects.
There is another reason to release Velocity... v1.7 is now giving alerts in scanning software due to age... "architectural age" policy in Sonatype Nexus IQ and (from memory) "Operational Risk" in Black Duck Hub. Such alerts are more than enough on their own to cause some managers to issue instructions to remove Velocity entirely.
All the above for Velocity also applies to Velocity Tools.
Perhaps connected to all of the above... does this JIRA project still have an active project lead? Will Glass-Husain's last activity stream entry is from 2014.