This upgrade is already in trunk. On the other hand, I see no need to expedite a 
release. 

Users control their own builds. They can add explicit dependencies on 
commons-compress and use the latest version.

This is a rehash of a previous email thread on this mailing list.

https://lists.apache.org/thread/j1zq82m75kwxkymp29rhnxxw2bowy5sv






On Wednesday 15 May 2024 at 17:36:25 IST, Dave Fisher <w...@apache.org> wrote:

Hi Stephan,

Two answers.

1) Please list the CVEs that would be fixed. It’s quite possible they have no 
impact on POI or XMLBeans.

2) Please consider submitting a PR to make the fix. We can always use more 
contributors and everyone here is a volunteer.

Best,
Dave

> On May 15, 2024, at 2:23 AM, Stefan Bischof <stbisc...@bipolis.org> wrote:
> 
> hi,
> 
> could you please plan a new release to get rid of CVE from 
> apache-commons-compress 1.25.0 -> 1.26.1
> 
> bests
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> For additional commands, e-mail: dev-h...@poi.apache.org

> 

