Note that these are just optional compilation dependencies at the Spring Framework level, with no immediate relevance for CVE purposes. Only the versions brought in by Spring Boot's dependency management matter in that regard. Also, we do not usually rely on PRs for dependency upgrades but rather self-manage those before releases.

That said, POI is nevertheless worth upgrading, also for compatibility testing against the latest. For that reason, I'll merge the PR. Thanks for pointing out that we were several feature releases behind there already!