Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
dependencies
Describe the bug
Hello,
Comparing the contents of lib/lib/deployment between Keycloak 26.1.5 and Keycloak 26.2.0, I see a few more JAR files:
--- deployment-list-26.1.5.txt 2025-04-25 14:57:26.998465900 +0000
+++ deployment-list-26.2.0.txt 2025-04-25 14:57:18.444701000 +0000
@@ -5,6 +5,7 @@
lib/lib/deployment/io.quarkus.http.quarkus-http-http-core
lib/lib/deployment/io.quarkus.http.quarkus-http-servlet
lib/lib/deployment/io.quarkus.quarkus-agroal-deployment
+lib/lib/deployment/io.quarkus.quarkus-agroal-dev
lib/lib/deployment/io.quarkus.quarkus-agroal-spi
lib/lib/deployment/io.quarkus.quarkus-arc-deployment
lib/lib/deployment/io.quarkus.quarkus-arc-test-supplement
@@ -17,6 +18,10 @@
lib/lib/deployment/io.quarkus.quarkus-credentials-deployment
lib/lib/deployment/io.quarkus.quarkus-datasource-deployment
lib/lib/deployment/io.quarkus.quarkus-datasource-deployment-spi
+lib/lib/deployment/io.quarkus.quarkus-devtools-base-codestarts
+lib/lib/deployment/io.quarkus.quarkus-devtools-common
+lib/lib/deployment/io.quarkus.quarkus-devtools-message-writer
+lib/lib/deployment/io.quarkus.quarkus-devtools-registry-client
lib/lib/deployment/io.quarkus.quarkus-devtools-utilities
lib/lib/deployment/io.quarkus.quarkus-grpc-common-deployment
lib/lib/deployment/io.quarkus.quarkus-hibernate-orm-deployment
@@ -70,13 +75,17 @@
lib/lib/deployment/io.quarkus.qute.qute-core
lib/lib/deployment/io.quarkus.resteasy.reactive.resteasy-reactive-common-processor
lib/lib/deployment/io.quarkus.resteasy.reactive.resteasy-reactive-processor
+lib/lib/deployment/io.smallrye.common.smallrye-common-version
lib/lib/deployment/io.smallrye.jandex
lib/lib/deployment/io.smallrye.smallrye-health-ui
lib/lib/deployment/io.smallrye.smallrye-open-api-core
+lib/lib/deployment/io.smallrye.smallrye-open-api-model
lib/lib/deployment/jakarta.servlet.jakarta.servlet-api
lib/lib/deployment/jakarta.validation.jakarta.validation-api
lib/lib/deployment/org.aesh.aesh
lib/lib/deployment/org.aesh.readline-2.6.jar
+lib/lib/deployment/org.apache.commons.commons-compress
+lib/lib/deployment/org.codejive.java-properties
lib/lib/deployment/org.eclipse.microprofile.openapi.microprofile-openapi-api
lib/lib/deployment/org.fusesource.jansi.jansi
lib/lib/deployment/org.graalvm.sdk.nativeimage
Most of them have devtools or dev in their names, so this looks like a mistake.
It seems #38665 tried to remove some dependencies, but maybe it did not go far enough.
Is it expected to have all these new dependencies in the Keycloak release?
Thanks in advance
Version
26.2.0
Regression
- The issue is a regression
Expected behavior
No extra dev dependencies compared to previous releases
Actual behavior
See description
How to Reproduce?
Look at the contents of lib/lib/deployment in the Keycloak release tarballs.
Anything else?
Reporting this only because our SBOM analyser is now reporting gradle-wrapper, which we don't usually expect in production packages.
It was found inside one of these new JAR files:
io.quarkus.quarkus-devtools-base-codestarts-3.20.0.jar:codestarts/quarkus/tooling/gradle-wrapper/base/gradle/wrapper/gradle-wrapper.jar
So looking for confirmation that this is all as expected from Keycloak maintainers' point of view.
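Added example, not part of the original report and not Keycloak or Quarkus code: one way to automate the two checks described in this issue, listing artifacts that appear only in the newer release and finding JARs embedded inside other JARs, which is how gradle-wrapper.jar surfaced in the SBOM. The function names, the name-matching rule and the in-memory sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# Name tokens the report flags as suspicious: "dev" or "devtools".
DEV_TOKEN = re.compile(r"(^|[.-])dev(tools)?([.-]|$)")

def added_artifacts(old_listing, new_listing):
    """Entries present only in the newer release listing, sorted."""
    return sorted(set(new_listing) - set(old_listing))

def looks_dev_only(artifact):
    """True when the file name carries a 'dev' or 'devtools' token."""
    return bool(DEV_TOKEN.search(artifact.rsplit("/", 1)[-1]))

def nested_archives(jar_bytes, prefix=""):
    """Recursively list .jar entries embedded in a JAR (a ZIP archive)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".jar"):
                continue
            found.append(prefix + info.filename)
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):  # descend into it
                found.extend(nested_archives(data, prefix + info.filename + ":"))
    return found

def make_jar(entries):
    """Build an in-memory JAR from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample input: a few names copied from the listing in the report.
D = "lib/lib/deployment/"
OLD = [D + "io.quarkus.quarkus-agroal-deployment", D + "io.quarkus.quarkus-devtools-utilities"]
NEW = OLD + [D + "io.quarkus.quarkus-agroal-dev", D + "io.quarkus.quarkus-devtools-common",
             D + "org.apache.commons.commons-compress"]
# Constructed stand-in for the codestarts JAR; only the nested path is from the report.
WRAPPER = "codestarts/quarkus/tooling/gradle-wrapper/base/gradle/wrapper/gradle-wrapper.jar"
SAMPLE_JAR = make_jar({WRAPPER: make_jar({"placeholder.txt": b"constructed"}),
                       "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})

if __name__ == "__main__":
    for name in added_artifacts(OLD, NEW):
        print(name, "(dev-named)" if looks_dev_only(name) else "")
    print(nested_archives(SAMPLE_JAR))
```

On a real release, the listings would come from the unpacked tarballs and `nested_archives` would be fed the bytes of each JAR under lib/lib/deployment.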