Update dependency org.docx4j:docx4j-JAXB-ReferenceImpl to v11.5.9

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
org.docx4j:docx4j-JAXB-ReferenceImpl (source)	11.5.0 → 11.5.9

---

Release Notes

plutext/docx4j (org.docx4j:docx4j-JAXB-ReferenceImpl)

v11.5.9

===============

Release date

21 December 2025

Contributors to this release

Jason Harrop

Changes in Version 11.5.9

Import "Strict" docx|pptx|xlsx

PDF via XSL FO output, more font enhancements:

• distribute metrically compatible substitute fonts for Calibri, Cambria, Times New Roman etc
  (Windows users may wish to exclude these) and map them automatically
• update font file ingestion code from Apache Fop
• miscellaneous fixes

Bump deps to address CVEs in documents4j, MOXy deps

v11.5.8

===============

Release date

5 December 2025

Contributors to this release

Jason Harrop

Changes in Version 11.5.8

PDF via XSL FO output:

• discover fonts in jars in /fonts dir (configurable)
• distribute symbol substitute fonts in a docx4j-export-fo-fonts-symbol jar
• Windows: discover user-specific fonts (AppData\Local\Microsoft\Windows\Fonts)
• change default for docx4j.fonts.fop.util.FopConfigUtil.simulate-style to true, to make font config easier

v11.5.7

===============

Release date

17 November 2025

Contributors to this release

Jason Harrop
matthiaso
RangerMak

Changes in Version 11.5.7

PDF via XSL FO output again: symbol/bullet fixes

OpenDoPE: allow use of XPath 2 boolean semantics (org.opendope.conditions.Xpathref.XPathBoolean=cast2), and provide ability to circumvent strict type checking where a boolean is being compared to a string by casting the string (org.docx4j.openpackaging.parts.XmlPart.xpath2.typechecking=cast2). Requires Saxon 8.5 or later.

Other minor fixes, including:

• Setting unmarshaller listener on binder working again with JPMS (ReferenceImpl only)
• diffx namespace handling

Bump dependencies:

commons-codec:commons-codec ......................... 1.19.0 -> 1.20.0
commons-io:commons-io ............................... 2.20.0 -> 2.21.0
org.apache.commons:commons-lang3 .................... 3.18.0 -> 3.20.0
org.apache.pdfbox:fontbox ............................. 3.0.5 -> 3.0.6
org.checkerframework:checker-qual ................... 3.51.0 -> 3.52.0

org.glassfish.jaxb:jaxb-core .......................... 4.0.5 -> 4.0.6 (JAXB Reference Impl)
org.glassfish.jaxb:jaxb-runtime ....................... 4.0.5 -> 4.0.6

com.sun.xml.bind:jaxb-xjc ............................. 4.0.5 -> 4.0.6 (MOXy)

v11.5.6

===============

Release date

6 October 2025

Contributors to this release

benht-nps
Jason Harrop

Changes in Version 11.5.6

Note that if you are processing files > 50MB in size, you will need to set properties docx4j.openpackaging.package.MAX_UNCOMPRESSED_SIZE.unzip.error and docx4j.openpackaging.parts.MAX_BYTES.unzip.error to larger values.

PDF via XSL FO output: map symbol font characters to UTF-8; specify font to use for these on Linux and Windows systems. OSX is a TODO.

Support bullet symbols in HTML output.

Fields - fix StackOverflowError where instruction contains nested fields.

Some build and security tweaks:-

pom.xml in released jars is created with flatten-maven-plugin, now with flattenDependencyMode set to all. This pulls up both direct and transitive dependencies, and uses exclusions, so that in effect there are no transitive dependencies.

Zip bomb defenses: default for docx4j.openpackaging.parts.MAX_BYTES.unzip.error changed from disabled to 50 MB.
Additional settings introduced:

• MAX_UNCOMPRESSED_SIZE for the entire file (defaults to 50MB);
• MAX_RATIO, which triggers on a suspect compression ratio (defaults to 500); only checked when reading from a File (not InputStream).

StaX XMLInputFactory configuration refactored (noted because configuring this is central to secure operation).

Load a non-password protected docx File using Commons Compress as a file (ZipFile), rather than as a ZipArchiveInputStream, since the former can read the ZIP archive's central directory (located at the end of the file).

v11.5.5

===============

Release date

18 September 2025

Contributors to this release

benht-nps
dickyiu2025
tom0709
Jason Harrop

Changes in Version 11.5.5

Bump commons-lang to 3.18.0 addressing https://www.cve.org/CVERecord?id=CVE-2025-48924
Addresses https://github.com/plutext/docx4j/security/dependabot/19 and fixes #​625

Bump dependencies:

com.thoughtworks.qdox:qdox ............................ 1.12 -> 1.12.1
commons-codec:commons-codec ......................... 1.17.0 -> 1.19.0
commons-io:commons-io ............................... 2.16.1 -> 2.20.0
jakarta.xml.bind:jakarta.xml.bind-api ................ 4.0.2 -> 4.0.4
org.apache.commons:commons-compress ................. 1.27.1 -> 1.28.0
org.apache.pdfbox:fontbox ............................ 3.0.3 -> 3.0.5
org.checkerframework:checker-qual ................... 3.42.0 -> 3.51.0
org.slf4j:jcl-over-slf4j ............................ 2.0.13 -> 2.0.17
org.slf4j:slf4j-api ................................. 2.0.13 -> 2.0.17
jakarta.mail:jakarta.mail-api .......... ............. 2.1.0 -> 2.1.3 (MOXy)	

New property org.opendope.conditions.Xpathref.XPathBoolean; Set this to true to convert to boolean using XPath conversion rules.
If false, Java's rules will be used. A key difference is how strings are handled. Be aware that XPath's rules treat any non-empty string
as true! Defaults to false, matching previous behaviour.

HTML output: map symbol font characters to UTF-8 for display in web browser

TOC: handle a TOC which is not in a content control.

docx4j-diffx: update for JPMS

Miscellaneous minor enhancements/bug fixes - see https://github.com/plutext/docx4j/commits/VERSION_11_5_5/

v11.5.4

===============

Release date

17 July 2025

Contributors to this release

Jason Harrop

Changes in Version 11.5.4

Support for Table of Figures (TOC C switch and SEQ field)

Fix various issues (535, 576, 619, 624)

v11.5.3

===============

Release date

7 May 2025

Contributors to this release

Ben Howell-Thomas

Jason Harrop

Nikolay Vorobev

Changes in Version 11.5.3

Migrate to FontBox 3 and use FOP 2.11

OpenDoPE StAX option

Some bug fixes

v11.5.2

===============

Release date

24 January 2025

Contributors to this release

Jason Harrop

Changes in Version 11.5.2

Fixes a StackOverflow error caused by PropertyResolver constructor indirectly calling itself, triggered by documents in which the Normal style's hierarchy includes numbering.

Fix for #​603: getRPrChange in org.docx4j.wml.ParaRPr

v11.5.1

===============

Release date

24 January 2025

Contributors to this release

Jason Harrop

Changes in Version 11.5.2

Fixes a StackOverflow error caused by PropertyResolver constructor indirectly calling itself, triggered by documents in which the Normal style's hierarchy includes numbering.

Fix for #​603: getRPrChange in org.docx4j.wml.ParaRPr

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.