libexpat 2.2.6 version presents some vulnerabilities

Hi All,

The embedded version of libexpat (2.2.6) in VTK presents some vulnerabilities :

Would it be possible to bump the version to 2.2.8 before the upcoming 9.0 release ?
Or is there a way to build VTK without the use of this library?

@ben.boeckel Should I prepare a PR for this ?
Can that kind of change (upgrading a lib version) have a big impact on the framework ?

I tried updating in and found issues (noted in this comment). This issue is what resulted.