Would it be possible to consider moving the H??F code to a separate jar? That
is, having the shared code in poi.jar but the X??F impls in poi-ooxml.jar
and the H??F impls in poi-legacy.jar (or some better name).
I would assume that a lot of the CVEs would relate to H??F code.
In my team, we only use the XSSF code and our Security team disapprove of us
using jar versions with any CVEs listed for them. poi-ooxml.jar depends on
poi.jar and any H??F related CVEs would affect the poi.jar as things stand.


