This upgrade is already in trunk. On the other hand, I so no need to expedite a release.
Users control their own builds. They can add explicit dependencies on commons-compress and use the latest version. This is a rehash of a previous email thread on this mailing list. https://lists.apache.org/thread/j1zq82m75kwxkymp29rhnxxw2bowy5sv On Wednesday 15 May 2024 at 17:36:25 IST, Dave Fisher <w...@apache.org> wrote: Hi Stephan, Two answers. 1) Please list the CVEs that would be fixed. It’s quite possible they have no impact on POI or XMLBeans. 2) Please consider submitting a PR to make the fix. We can always use more contributors and everyone here is a volunteer. Best, Dave > On May 15, 2024, at 2:23 AM, Stefan Bischof <stbisc...@bipolis.org> wrote: > > hi, > > could you please plan a new release to get rid of CVE from > apache-commons-compress 1.25.0 -> 1.26.1 > > bests > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > For additional commands, e-mail: dev-h...@poi.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org