Question please: as far as I can see it, Batik still pulls JAXEN/XercesImpl -- has this been taken care of?
On Thu, 2022-09-22 at 23:15 +0700, Andreas Reichel wrote: > Thanks for the heads up! > I wished Apache FOP (or central apache) would be so alert. > > Much appreciated! > Cheers > Andreas > > > > On Thu, 2022-09-22 at 15:49 +0000, PJ Fanning wrote: > > Hi everyone, > > > > Apache Batik [1] is used by Apache POI to work with SVG pictures > > that > > can be embedded in Microsoft documents. It is an optional > > dependency > > of poi-ooxml and it appears that we only support it in the XSLF > > packages for pptx files. > > > > Batik 1.15 has just been released and contains a number of security > > fixes. [2] [3] [4] > > > > We recommend that all users who use the Batik support in poi-ooxml > > upgrade to Batik 1.15. We do not expect that anyone upgrading from > > batik 1.14 to 1.15 will see any issues. > > There is no plan to do a special POI release because this an > > optional > > dependency. > > > > [1] https://xmlgraphics.apache.org/batik/ > > [2] > > https://lists.apache.org/thread/s1jobjxpljx4oygfqjqqfrohnfyyhlbq > > [3] > > https://lists.apache.org/thread/lnh1tnc8gh9r4vh69x3nljcx55v43tcj > > [4] > > https://lists.apache.org/thread/zx2jjvdow82p058sovr5qnxprsq87rg7 > > > > ------------------------------------------------------------------- > > -- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > >
