
fix: version-gate defusedxml by Python version #596

Open
vasiliadi wants to merge 2 commits into jdepoix:master from vasiliadi:chore/fix-version-gate-defusedxml

Conversation

@vasiliadi
Contributor

Summary

Version-gate the XML backend and dependency so Python 3.8-3.10 keeps using defusedxml, while Python 3.11+ uses the stdlib xml.etree.ElementTree backend.

Why

PR #352 made defusedxml unconditional for all supported Python versions.

We’re now gating it because Python’s XML security guidance changed in python/cpython#135294. That change narrows the practical risk to older Expat versions and removes the older blanket recommendation pattern for always using defusedxml.

For this project, we chose the simple version-based rule:

  • Python 3.8-3.10: keep defusedxml
  • Python 3.11+: use stdlib ElementTree

The reason for that cutoff is to preserve extra protection on older supported Python versions while avoiding an unnecessary hard dependency on newer Python versions.

Validation

  • Ran the full test suite on Python 3.9.6: 79 passed, 5 skipped
  • Ran the full test suite on Python 3.12.12: 79 passed, 5 skipped
  • Verified Python 3.9 resolves defusedxml
  • Verified Python 3.12 resolves without defusedxml
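
The gate described above, written out as an added example (this is illustration code for this page, not the project's own module or a file from the PR). The 3.11 cutoff comes from the PR text; the function names `select_xml_backend`, `load_xml_backend`, `parse_transcript_xml`, `expat_version` and the sample XML document are assumptions. The matching dependency declaration would use a PEP 508 environment marker, `defusedxml; python_version < "3.11"`, so that `pip` resolves defusedxml only on the interpreters where the gate imports it. `expat_version()` is included because the PR ties the remaining risk to older Expat builds; which Expat versions count as "old" is not stated on this page, so the function only reports the number.

```python
"""Version-gated XML backend selection (added example, not the project's code).

Python 3.8-3.10 -> defusedxml.ElementTree
Python 3.11+    -> xml.etree.ElementTree (stdlib)

Dependency side of the same rule, as a PEP 508 marker (assumption):
    defusedxml; python_version < "3.11"
"""
import sys
from typing import List, Optional, Tuple

# Interpreters strictly below this version keep the defusedxml backend.
DEFUSEDXML_CUTOFF: Tuple[int, int] = (3, 11)


def _resolve(version: Optional[Tuple[int, ...]]) -> Tuple[int, int]:
    """Normalise an optional version tuple to (major, minor), defaulting to this interpreter."""
    if version is None:
        version = tuple(sys.version_info[:2])
    return (int(version[0]), int(version[1]))


def select_xml_backend(version: Optional[Tuple[int, ...]] = None) -> str:
    """Return 'defusedxml' or 'stdlib' for a (major, minor[, micro]) tuple."""
    return "defusedxml" if _resolve(version) < DEFUSEDXML_CUTOFF else "stdlib"


def load_xml_backend(version: Optional[Tuple[int, ...]] = None):
    """Import and return the ElementTree-compatible module the gate selects.

    Both modules expose fromstring(), so parsing code stays backend-agnostic.
    The defusedxml import is only reached on 3.8-3.10, where the marker above
    makes it an installed dependency; on 3.11+ no third-party import happens.
    """
    if select_xml_backend(version) == "defusedxml":
        from defusedxml import ElementTree as ET  # type: ignore[import]
    else:
        import xml.etree.ElementTree as ET
    return ET


def expat_version() -> Tuple[int, ...]:
    """Expat library version behind the stdlib parser, e.g. (2, 5, 0)."""
    import pyexpat

    return tuple(pyexpat.version_info)


# Constructed sample document so the example runs offline (not real data).
SAMPLE_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    "<transcript>"
    '<text start="0.0" dur="1.5">hello</text>'
    '<text start="1.5" dur="2.0">world</text>'
    "</transcript>"
)


def parse_transcript_xml(xml_text: str, version: Optional[Tuple[int, ...]] = None) -> List[dict]:
    """Parse a caption-style document with whichever backend the gate picks."""
    ET = load_xml_backend(version)
    root = ET.fromstring(xml_text)
    return [
        {"text": el.text, "start": float(el.get("start")), "dur": float(el.get("dur"))}
        for el in root.findall("text")
    ]


if __name__ == "__main__":
    print("backend:", select_xml_backend(), "expat:", expat_version())
    print(parse_transcript_xml(SAMPLE_XML))
```

Passing an explicit version tuple to `select_xml_backend` is what makes the cutoff unit-testable on a single interpreter; the real import in `load_xml_backend` still only happens for the branch actually taken.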

@coveralls

coveralls commented May 13, 2026

Coverage Report for CI Build 25830137455

Coverage remained the same at 100.0%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 508
Covered Lines: 508
Line Coverage: 100.0%
Coverage Strength: 7.0 hits per line

💛 - Coveralls

@vasiliadi
Contributor Author

Or, alternatively, we could stop supporting Python 3.10 since it's nearing end-of-life, and revert #352.

Also, this could be done after the EOL of 3.10.
