Quite a controversial topic. The SparseBitSet library consists of a single class (https://github.com/brettwooldridge/SparseBitSet/tree/master/src/main/java/com/zaxxer/sparsebits), which can be considered stable and tested over the years. It is distributed under the Apache 2.0 license, so I assume it would be legal to clone it (keeping the original author credits) under some POI namespace and make it an integral part of POI.
This will probably not happen due to the licensing implications and the fact that we would have to spend time checking if bugs had been reported or fixed in the upstream project (which is easier done with dependabot).
*** Bug 65789 has been marked as a duplicate of this bug. ***
*** Bug 65787 has been marked as a duplicate of this bug. ***
https://github.com/brettwooldridge/SparseBitSet/issues/21 is the real issue - and the original issue https://bz.apache.org/bugzilla/show_bug.cgi?id=65787 has comments about how the reporter can work around this non-POI issue.
I just looked where SparseBitSet is used in the POI code base, and to me it looks like there might be better alternatives. One example is a map with strings as keys. These are converted to ints, stored in a SparseBitSet, and then that bitset is used to determine the next free index into the map. It seems like the wrong tool for the task. I will look into this and the other instances where it is used and probably prepare a PR. If it turns out we still need the SparseBitSet, I will create a PR for the upstream project, otherwise I think the dependency should simply be removed.
curvesapi jar does not seem to have module setup either - just to highlight that there are a fair number of POI dependencies affected
Thanks
This is one among many POI jar dependencies that don't have Java module details set up (commons-io, commons-math are others)