Apache Batik 1.13 vulnerabilities:
- CVE-2020-11987 (Apache Batik 1.13)
- CVE-2020-11988 (Apache XmlGraphics Commons 2.4)

Reviewing the repository I found that you already bumped Batik from 1.13 to 1.14. Given these reported vulnerabilities, could you make a new release with the updated dependencies?
This work is done. POI 6.0.0 (probable next release number) will be released when it is ready. Users can add explicit dependencies in their builds on Batik 1.14 or exclude the Batik transitive dependency if they don't need it (only a small number of POI APIs need Batik to work).
Thanks for the response.
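
The two workarounds described in the reply above, written as Maven `pom.xml` fragments. This is an added example, not part of the original thread or the POI project's build; it assumes Batik reaches the build transitively through `org.apache.poi:poi-ooxml` as `org.apache.xmlgraphics:batik-all`, and `${poi.version}` is a placeholder for whatever POI release the build already uses.

```xml
<!-- Added example, not from the POI project. Use ONE of the two options. -->
<!-- Assumption: Batik is pulled in by org.apache.poi:poi-ooxml as
     org.apache.xmlgraphics:batik-all. ${poi.version} is a placeholder. -->

<!-- Option 1: keep Batik but force the transitive version to 1.14.
     dependencyManagement overrides the version chosen by POI's own POM
     without adding Batik as a direct dependency of this project. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>batik-all</artifactId>
      <version>1.14</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Option 2: drop Batik entirely when the POI APIs that need it
     are not used by this application. -->
<dependencies>
  <dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>${poi.version}</version>
    <exclusions>
      <exclusion>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-all</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` afterwards shows which Batik and XmlGraphics Commons versions actually resolve; the second CVE is listed against XmlGraphics Commons 2.4, so check that artifact's version as well.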