Description
Not only to reduce the distribution size but also to reduce the vulnerability surface, we should review the dependencies included in the distribution and keep only those strictly necessary for runtime and re-augmentation.
As the server is a mutable jar, these additional dependencies are a trade-off as part of continuous testing support from Quarkus. However, in theory, these dependencies won't actually be loaded in the runtime application.
Discussion
No response
Motivation
Not only to reduce the distribution size but also to reduce the vulnerability surface, we should review the dependencies included in the distribution and keep only those strictly necessary for runtime and re-augmentation.
Details
Looks like the best approach should be to exclude these dependencies through Maven (instead of using Quarkus properties such as quarkus.class-loading.removed-artifacts).
The proposal is to have a specific profile in the root pom that explicitly excludes the unwanted dependencies. The trade-off here is that we need to make sure the distribution is built using this profile.