The specification text in question can be seen here:

If a managed bean has a non-static public field, it must have scope @Dependent. If a managed bean with a non-static public field declares any scope other than @Dependent, the container automatically detects the problem and treats it as a definition error.

From my understanding, this is for prevention of a user error where you could try to access a field directly on a proxy instance. And since (client) proxies are stateless, the value of this field if undefined.

This makes sense but it is incomplete for it only allows these fields on @Dependent beans but @Singleton would be perfectly fine as well. I suggest we change the wording to only forbid these fields on normal scoped beans, i.e. all beans that require client proxy.

As a side note, this check only forbids public fields but you can theoretically encounter the same issue with protected or pack private fields. However forbidding those is too restrictive, I just wanted to mention it because I am not totally clear on why we do this check in the first place 🤷

Cc @mkouba @Ladicek