I expect this bug is entirely harmless – there should be no reason to parse XML while cloning a Git repository – though the presence of this old package is enough to trip alarm bells in security tools.
(I did go hunting for a way to override the default, but it would appear as though this is a fixed constant.)
We had previously upgraded to 3.13 and then had to rollback due to dns issues with 3.13. There are also reports of dns issues in Kubernetes, and it is unclear that those are resolved in newer versions. These dns issues effectively caused outages for a large percentage of our installations. Since these security issues do not pose a practical threat to Drone users, we are taking a conservative approach to updates at this time. It is something we will look to resolve, but only once we are sure the dns issue is mitigated.
I did go hunting for a way to override the default, but it would appear as though this is a fixed constant