[SECURITY] run.mone:excel has dangerously outdated poi and xmlbeans dependencies

[pjfanning]

https://mvnrepository.com/artifact/run.mone/excel/1.6.1-jdk21

POI and XMLBeans have CVEs. Excel is a very exploitable attack vector for malicious actors.

Please ditch run.mone/excel if they can't produce versions that use secure dependencies.

There only appears to be 1 class in this jar and it should be easy to copy the code into Ozhera instead of using the jar and to then update the code to use the latest POI and XMLBeans releases.

[pjfanning]

If you look at XiaoMi/mone#1075, there are a number of poi and xmlbeans dependencies that seem unnecessary. Some of these jars are large and have CVEs.

[psxjoy]

This looks like a simple task.
Maybe we can pin this issue as a good first issue for a new contributor? @gaoxh

[gaoxh]

If you look at XiaoMi/mone#1075, there are a number of poi and xmlbeans dependencies that seem unnecessary. Some of these jars are large and have CVEs.

Thank you very much for your suggestion, which is very valuable to us. We will solve this problem as soon as possible. I am sorry that we ignored this problem before releasing the version. I am not sure whether this will affect our release of the current version. Can we reflect the fix of this problem in the next version?

[gaoxh]

This looks like a simple task. Maybe we can pin this issue as a good first issue for a new contributor? @gaoxh

That's a good suggestion, we'll improve it right away.

[pjfanning]

I have raised no issues that block the current RC from being released.

[gaoxh]

Thanks to pj, your help and suggestions have given me better ideas and methods to solve the problem.