
@shub-est
Contributor

1. Why:
To remove CVEs

2. What:
Upgraded Constraints for Apache POI OOXML from 5.2.5 to 5.5.1 to remediate CVE-2024-25710, CVE-2024-26308 and CVE-2025-31672
Upgraded Apache Commons IO from 2.15.0 to 2.21.0 for compatibility with Apache POI

Signed-off-by: Shubham Kalloli <shubham.kalloli@est.tech>
spring-projects-issues added the "status: waiting-for-triage" label (an issue we've not yet triaged or decided on), Jan 19, 2026
@jhoeller
Contributor

Note that these are just optional compilation dependencies at the Spring Framework level, with no immediate relevance for CVE purposes. Only the versions brought in by Spring Boot's dependency management matter in that regard. Also, we do not usually rely on PRs for dependency upgrades but rather self-manage those before releases.

That said, POI is nevertheless worth upgrading, also for compatibility testing against the latest. For that reason, I'll merge the PR. Thanks for pointing out that we were several feature releases behind there already!

jhoeller self-assigned this, Jan 19, 2026
jhoeller added the "type: dependency-upgrade" label and removed the "status: waiting-for-triage" label, Jan 19, 2026
jhoeller changed the title from "Upgraded Apache POI and Commons IO to remediate CVEs" to "Upgrade to Apache POI 5.5", Jan 19, 2026
jhoeller added this to the 7.0.4 milestone, Jan 19, 2026
@shub-est
Contributor Author

Thank you for your prompt review and explanation.

jhoeller merged commit a8c33c1 into spring-projects:main, Jan 19, 2026 (4 checks passed)