bbottema/outlook-message-parser

Upgrade Apache POI 3.9 -> 4.x

gnanaravindhan opened this issue · 6 comments

So many dependency issues when using it with other libraries, since most of them support 4.x.

I'll look into it.

Any update on this? The used 3.9 has multiple vulnerabilities (https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aapache%3apoi%3a3.9).
We've updated to the last 3.x (3.17) which reduces that number to one (https://nvd.nist.gov/vuln/detail/CVE-2019-12415), but we'd still have to explain why this one isn't relevant for us.

Understood. I'll try to deal with this this week. In the meantime, feel free to explore the implications of the upgrade (or even provide a PR).

Hmm, I just changed the dependency to 4.1.1 and didn't need to change anything. Anything specific I might want to take into account?

One thing is that the minimum supported Java is now Java 8, while Simple Java Mail, which relies on this library, requires minimum support of Java 7. That's a bit of a problem.

Actually, since the library seems to work fine with the newer version, one thing you can do is define the 4.x version in your <dependencyManagement/> to force that version to be used (or the Gradle approach for that).

Actually I'm going to turn that around. It'll have proper support for 4.x and Simple Java Mail will apply the <dependencyManagement /> to manage the version back.
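The two comments above both rely on the same Maven mechanism: a `<dependencyManagement/>` entry in the consuming project overrides the version of a transitive dependency that a library declares. The following is an added example of that technique, not a snippet from this issue or from the project's build; the artifact coordinates `org.apache.poi:poi` are the real Apache POI coordinates, the `4.1.1` version is the one tried in the thread, and the `com.example:consumer` project and its dependency on a hypothetical `some.group:library-using-poi` are constructed placeholders standing in for the library that pulls in POI 3.9.

```xml
<!-- pom.xml of a consuming project (constructed example, not the project's own build). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>consumer</artifactId>
  <version>1.0.0</version>

  <!-- dependencyManagement pins the resolved version of a transitive artifact.
       Any library on the classpath that declares org.apache.poi:poi (for example
       at 3.9) will be resolved to 4.1.1 instead, without a direct dependency here. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.poi</groupId>
        <artifactId>poi</artifactId>
        <version>4.1.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Placeholder for the library that transitively brings in the old POI. -->
    <dependency>
      <groupId>some.group</groupId>
      <artifactId>library-using-poi</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
```

The same block is the check a reviewer wants when closing out the vulnerability finding in the thread: after adding the managed version, `mvn dependency:tree -Dincludes=org.apache.poi` should list only the pinned version, confirming that no 3.9 jar remains on the effective classpath. The mechanism works in both directions, which is why the maintainer can pin the version back down in Simple Java Mail once the library itself declares 4.x.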

Released in 1.7.0, cheers!