Remove log4j 1.2.17 dependency for good
Related to #579 (closed) and #783 (closed).
This was needed due to the amount of questions on the subject thanks for Log4Shell, CVE-2019-17571 and CVE-2021-4104.
It seems that none of the components that were previously deemed to depend on Log4j 1.2.x actually have a hard non-optional runtime dependency on it.
POI
For quite a while we were under the impression that POI 3.15.0 which we are using at the moment needed log4j. This turned out not to be true. The dependency is optional.
But, if we wanted to upgrade POI to 5.x, we would need to go to at least 5.2.x for a patched version of log4j2. Note that POI only depends on the Log4j2 API, not Log4j2 Core which had the recent vulnerabilities (CVE-2021-44228 etc.). Also, modern versions of POI depend on Batik 1.14 which would also need updating at that point (currently 1.12).