Upgrade Apache POI 3.9 -> 4.x

Question

Upgrade Apache POI 3.9 -> 4.x

gnanaravindhan opened this issue 5 years ago · 6 comments

so much of dependency issue when using with other libraries, since most are supporting 4.x

Answer 1 · 2019-12-01T13:16:54.000Z

I'll look into it.

Answer 2 · 2020-01-09T12:21:48.000Z

Any update on this? The used 3.9 has multiple vulnerabilities (https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aapache%3apoi%3a3.9).
We've updated to the last 3.x (3.17) which reduces that number to one (https://nvd.nist.gov/vuln/detail/CVE-2019-12415), but we'd still have to explain why this one isn't relevant for us.

Answer 3 · 2020-01-09T13:14:39.000Z

Understood. I'll try to deal with this this week. In the mean time, feel free to explore the implications of the upgrade (or even provide a PR).

Answer 4 · 2020-01-09T17:43:31.000Z

Hmm, I just changed the dependency to 4.1.1 and didn't need to change anything. Anything specific I might want to take into account?

One thing is that the minimum supported Java is now Java 8, while Simple Java Mail, which relies on this library requires minimum support of Java 7. That's a bit of a problem.

Actually, since the library seems to work fine with the newer version, one thing you can do is define the 4.x version in your <dependencyManagement/> to enforce that version is used (or the Gradle approach for that).

Answer 5 · 2020-01-09T19:43:59.000Z

Actually I'm going to turn that around. It'll have proper support for 4.x and Simple Java Mail will apply the <dependencyManagement /> to manage the version back.

Answer 6 · 2020-01-09T20:10:24.000Z

Released in 1.7.0, cheers!