Consider additional dependencies for performance, security

[bollwyvl]

Thanks again for graphtage!

While I haven't used XML diffing in anger yet, it would be interesting to explore some (optional) dependencies to increase the robustness and performance of that component:

• lxml has the same API, but better performance, than stdlib
• defusedxml helps prevent well-known malicious XML attacks that works with stdlib or lxml

Similarly, a number of far-higher performance JSON parsers are available, with different ease-of-installation/speed/memory tradeoffs for which it might be hard to anticipate user preference:

• ujson
• orjson
• pysimdjson

If there is interest, I could probably take a stab at a PR for this:

• change the json API to accept an optional parser
  • add extras with a sensible bottom version pins
• change the xml API to accept an optional parser
  • add defusedxml in install_requires
  • add lxml in an extras section
    • or install_requires, as "complexity of installation" is no longer really a concern once scipy enters the picture...
• test against different combinations with tox in CI