Drop the json-lib dependency and ban old commons-lang

json-lib is not maintained for a very long time, and it requires commons-lang (2.x) which has known security vulnerabilities. We need to drop json-lib even if this means partially breaking backwards compatibility for $jsontool.parse(). The tradeoff is to keep the $jsontool.parse() method but change its return type to Object, which should preserve backwards compatibility with most Velocity scripts, if they don't assume the return type is net.sf.json.JSON.