diff --git a/pom.xml b/pom.xml
index b13c831..8264ee3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -139,6 +139,13 @@ cobbzilla-utils is available under the Apache License, version 2: http://www.apa
             <version>1.7</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.apache.poi/poi-ooxml -->
+        <dependency>
+            <groupId>org.apache.poi</groupId>
+            <artifactId>poi-ooxml</artifactId>
+            <version>4.1.1</version>
+        </dependency>
+
         <dependency>
             <groupId>org.apache.ant</groupId>
             <artifactId>ant</artifactId>
diff --git a/src/main/java/org/cobbzilla/util/io/Decompressors.java b/src/main/java/org/cobbzilla/util/io/Decompressors.java
index 8afd8bb..16b7f16 100644
--- a/src/main/java/org/cobbzilla/util/io/Decompressors.java
+++ b/src/main/java/org/cobbzilla/util/io/Decompressors.java
@@ -1,10 +1,14 @@
 package org.cobbzilla.util.io;
 
 import lombok.Cleanup;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.poi.openxml4j.util.ZipSecureFile;
 
-import java.io.*;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Enumeration;
 
 import static org.cobbzilla.util.daemon.ZillaRuntime.die;
 import static org.cobbzilla.util.io.FileUtil.abs;
@@ -35,7 +39,7 @@ public class Decompressors {
         return isTarball(name) || isZipFile(name);
     }
 
-    private static void extractFile(ZipInputStream in, File outdir, String name) throws IOException {
+    private static void extractFile(InputStream in, File outdir, String name) throws IOException {
         @Cleanup final FileOutputStream out = new FileOutputStream(new File(outdir, name));
         StreamUtil.copyLarge(in, out);
     }
@@ -52,15 +56,16 @@ public class Decompressors {
 
     /***
      * Extract zipfile to outdir with complete directory structure
+     * Uses ZipSecureFile to avoid zip-bombs
      * @param zipfile Input .zip file
      * @param outdir Output directory
      */
     public static void extract(File zipfile, File outdir) throws IOException {
-        @Cleanup final ZipInputStream zin = new ZipInputStream(new FileInputStream(zipfile));
-        ZipEntry entry;
-        String name, dir;
-        while ((entry = zin.getNextEntry()) != null) {
-            name = entry.getName();
+        @Cleanup final ZipSecureFile zip = new ZipSecureFile(zipfile);
+        final Enumeration<ZipArchiveEntry> entries = zip.getEntriesInPhysicalOrder();
+        while (entries.hasMoreElements()) {
+            final ZipArchiveEntry entry = entries.nextElement();
+            final String name = entry.getName();
             if (entry.isDirectory()) {
                 mkdirs(outdir,name);
                 continue;
@@ -71,10 +76,10 @@ public class Decompressors {
              *   /foo/foo.txt
              *   /foo/
              */
-            dir = dirpart(name);
+            final String dir = dirpart(name);
             if (dir != null) mkdirs(outdir,dir);
 
-            extractFile(zin, outdir, name);
+            extractFile(zip.getInputStream(entry), outdir, name);
         }
     }
 }
diff --git a/src/main/java/org/cobbzilla/util/system/OneWayFlag.java b/src/main/java/org/cobbzilla/util/system/OneWayFlag.java
index 6e34f1c..909791d 100644
--- a/src/main/java/org/cobbzilla/util/system/OneWayFlag.java
+++ b/src/main/java/org/cobbzilla/util/system/OneWayFlag.java
@@ -31,7 +31,7 @@ public class OneWayFlag extends AtomicBoolean {
 
     public boolean check () {
         if (get()) return true;
-        final Boolean ok;
+        final boolean ok;
         try {
             ok = check.call();
         } catch (Exception e) {