bbottema/simple-java-mail

Update Apache POI and POI Scratchpad

Faelean opened this issue · 4 comments

Hey,

there is a CVE for the POI version that is currently used (https://nvd.nist.gov/vuln/detail/CVE-2022-26336).
Is it possible to just replace the dependencies on our own and update to 5.2.2, or are there any breaking changes that would prevent SJM from working if we do that?

POI is used solely for the Outlook conversion support. If you don't use that, you can just exclude that module altogether (or just exclude the dependencies).

If you do rely on that module, well, I just tried and ran all the tests from the project with the newer POI version without any problems. So you could also just pin the POI dependency version to 5.2.2.

FYI, I've released outlook-message-parser 1.9.0, which has the newer dependencies. You could now also just pin this version instead of managing POI directly.

Thanks for the quick update, much appreciated.
We're using the Outlook conversion, so removing the module isn't an option, but knowing that we can just replace POI until we release a new version is great.

Released in 7.1.2
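
The pinning described in this thread, as an added example that is not part of the original comments or the project's own build files. It assumes the consuming project builds with Maven; the versions are the ones named in the thread, and the group and artifact ids are the published Maven coordinates of POI and outlook-message-parser.

```xml
<!-- Fragment of the consuming project's pom.xml (added example, Maven assumed). -->
<dependencyManagement>
  <dependencies>
    <!-- Option A: override the transitive POI version pulled in by the
         Outlook conversion support. Pin both artifacts to the same
         version so core and scratchpad stay in sync. -->
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi</artifactId>
      <version>5.2.2</version>
    </dependency>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-scratchpad</artifactId>
      <version>5.2.2</version>
    </dependency>

    <!-- Option B: instead of managing POI directly, pin the parser release
         that already carries the newer dependencies. Use this in place of
         the two entries above, not in addition to them.
    <dependency>
      <groupId>org.simplejavamail</groupId>
      <artifactId>outlook-message-parser</artifactId>
      <version>1.9.0</version>
    </dependency>
    -->
  </dependencies>
</dependencyManagement>

<!-- Check the result: the resolved tree should list only 5.2.2 for POI.
       mvn dependency:tree -Dincludes=org.apache.poi
     Remove the override once the project is on Simple Java Mail 7.1.2 or
     later, so the pin does not hold POI back on future upgrades. -->
```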