Consider updating commons-compress to 1.19, due to CVE-2019-12402. The owasp plugin complained when I used poi-ooxml 4.1.0.
Thanks for reporting this. The update is in trunk and will appear in next release.