pjfanning / poi-shared-strings

Memory efficient Shared Strings Table implementation for POI streaming
Apache License 2.0
8 stars 7 forks

com.h2database is pulled in as non-optional dependency #116

Open fjakop opened 3 weeks ago

fjakop commented 3 weeks ago

We're using "com.github.pjfanning:excel-streaming-reader:4.3.1" in our application, and since there's a compile dependency on h2, we have to exclude it explicitly.

We would suggest making h2 an optional dependency, because its use in production is a very rare case in our opinion.

Btw, version 2.2.224 comes with a vulnerability: CVE-2018-14335 / sonatype-2018-0863.
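The consumer-side exclusion fjakop describes, as an added example that is not part of the original issue or of the project's own build files. The coordinates `com.github.pjfanning:excel-streaming-reader:4.3.1` and `com.h2database:h2` are taken from the thread; the surrounding `pom.xml` structure is assumed.

```xml
<!-- Added example: consumer pom.xml fragment, not from the project.
     Coordinates come from the issue thread; everything else is assumed. -->
<dependencies>
  <dependency>
    <groupId>com.github.pjfanning</groupId>
    <artifactId>excel-streaming-reader</artifactId>
    <version>4.3.1</version>
    <exclusions>
      <!-- Drop the transitive h2 dependency so it never reaches the classpath
           and never shows up in a dependency scan of this application. -->
      <exclusion>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Confirm the exclusion took effect with `mvn dependency:tree -Dincludes=com.h2database`, which should print no matching node. The caveat is that the exclusion removes the MVStore classes too: any code path in the library that reaches them will fail at runtime with a `NoClassDefFoundError`, so only exclude h2 if the application never exercises that path. On the library side, the equivalent of what pjfanning discusses is declaring the h2 dependency with `<optional>true</optional>`, which stops it propagating transitively and leaves consumers to add it only when they need it.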

pjfanning commented 3 weeks ago

I would be interested in you providing a description about how a user of poi-shared-strings or excel-streaming-reader can exploit that CVE. The only classes used here are the MVStore classes.

I understand that h2 can be made optional but scaremongering about CVEs that don't affect this use case is not the way to go about it.

excel-streaming-reader is probably where I would start if I was to start making the dependencies optional. Its dependency on poi-shared-strings can be made optional. That would have to happen in a major release for semver reasons.

fjakop commented 3 weeks ago

> but scaremongering about CVEs that don't affect this use case is not the way to go about it.

I totally agree with you on this point, but in a company with a strict governance process on dependencies and possible vulnerabilities the waiving process is a pita, so having nothing to waive is much better than explaining why the software is not affected.

We're looking forward to the next major release. Thanks.