G-Rath / osv-detector

MIT License

fix: use the first version when a dependency is listed multiple times in `pom.xml` files #229

Closed G-Rath closed 11 months ago

G-Rath commented 11 months ago

Per https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies

> Note that if two dependency versions are at the same depth in the dependency tree, the first declaration wins.

It doesn't seem to explicitly mention what happens when there are duplicate packages for dependency management, so I've assumed it follows the same behaviour.

G-Rath commented 11 months ago

Turns out that Maven itself doesn't follow this, so for now let's keep it as-is since that's the more real-world behaviour.

See https://github.com/google/osv-scanner/issues/589#issuecomment-1762515322
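The two policies under discussion, as an added illustration that is not osv-detector's own code: a minimal `pom.xml` reader that collapses duplicate `groupId:artifactId` declarations either by the documented "first declaration wins" rule or by keeping the last declaration. The struct names, the `firstWins` flag and the sample POM are all constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal pom.xml model: just enough to identify a dependency and its
// declared version (constructed for this example).
type pomDependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

type pomProject struct {
	Dependencies []pomDependency `xml:"dependencies>dependency"`
}

// resolveDuplicates collapses repeated groupId:artifactId declarations into
// one version each. firstWins=true applies the documented same-depth rule
// ("the first declaration wins"); firstWins=false keeps the last declaration.
func resolveDuplicates(pomXML []byte, firstWins bool) (map[string]string, error) {
	var project pomProject
	if err := xml.Unmarshal(pomXML, &project); err != nil {
		return nil, err
	}
	versions := make(map[string]string)
	for _, dep := range project.Dependencies {
		key := dep.GroupID + ":" + dep.ArtifactID
		if _, seen := versions[key]; seen && firstWins {
			continue // an earlier declaration already claimed this artifact
		}
		versions[key] = dep.Version // first insert, or last-wins overwrite
	}
	return versions, nil
}

// samplePom is a constructed pom.xml that declares the same artifact twice.
const samplePom = `<project><dependencies>
  <dependency><groupId>com.example</groupId><artifactId>lib</artifactId><version>1.0.0</version></dependency>
  <dependency><groupId>com.example</groupId><artifactId>lib</artifactId><version>2.0.0</version></dependency>
</dependencies></project>`

func main() {
	first, _ := resolveDuplicates([]byte(samplePom), true)
	last, _ := resolveDuplicates([]byte(samplePom), false)
	fmt.Printf("first wins: %s, last wins: %s\n", first["com.example:lib"], last["com.example:lib"])
}
```

Which version a scanner reports matters because a vulnerability advisory may match one of the two declared versions but not the other, so the dedup policy should mirror what the build tool actually resolves.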