All, POI just made a release that fixes a DoS CVE[1]. I've upgraded both main and 1.x. We should probably plan to start a release in the next few weeks? Anything else we should wait for or try to get into the next releases?
Best,
Tim
[1] https://lists.apache.org/thread/ckz7nn1rzpclrx8nh32wk6jyx3kwfjgc
