@Pepo48 Thanks for the PR.

Part of the effort around using Quarkus BOM is to stop specifying versions of the dependencies that are already present in the BOM. I think there are lots of them in the root POM. Do you plan to address it in this PR, or will it be a follow-up? Either way works for me. We need to be careful now about not doing anything too dangerous now, just days before release.

I am working on it in a separate testing branch just for now, the intersection is quite big (at least based on my analysis from two days ago it's not just couple of dependencies). I'm testing it continuously, I didn't want to clutter this PR with unnecessary force pushes in order to re-run the CI every single time.

And yes, my original intention was to keep it separate just because of the size. But I can easily merge it, it doesn't matter to me much. I will finish the rest of the cleanup tomorrow.

What was removed from the parent BOM:

aesh - bumped from 2.4 to 2.7

bc-fips
bctls-fips

commons-io
commons-lang3

hibernate-core
httpcore
httpmime

jackson-annotations
jackson-corex
jackson-databindx
jackson-dataformat-cbor
jackson-datatype-jdk8
jackson-jaxrs-base
jackson-jaxrs-json-provider
jackson-module-jaxb-annotations

jakarta.activation-api
jakarta.persistence-api
jakarta.servlet-api
jakarta.transaction-api
jakarta.ws.rs-api
jakarta.xml.bind-api

javaparser-core - bumped from 3.24.2 to 3.25.2
javax.annotation-api

jboss-logging-annotations
jboss-logging-processor
jboss-logging

jna - bumped from 4.5.1 to 5.8.0
microprofile-metrics-api - bumped from 3.0.1 to 4.0.1
microprofile-openapi-api
slf4j-api

What can be pottentially removed (and for now I left untouched):

bcpkix-jdk15on - bcpkix-jdk18on is available in the platform BOM
bcprov-jdk15on - bcprov-jdk18on is available in the platform BOM

guava - we currently use a newer version compared to the one available in the platform BOM - 31.1.1 32.0.0 compared to 32.0.1
infinispan - we currently use a newer version compared to the one available in the platform BOM - 14.0.9 compared to 14.0.10

h2- we use the same version as the BOM provides, but based on the h2.version, the jdbc driver version is determined too, for now I leave the h2 dependency untouched in order to prevent a version mismatch in the future. The same seems to apply to mysql-connector-java.

Things I would like to discuss before I address them:

• should we explicitely exclude all the keycloak dependencies from the platform BOM or we don't care since everything is overriden anyway?
• can dependencies with excluded transitive dependencies be removed as well? do we care about the exclusions on the parent POM level at this point (see e.g. liquibase-core or resteasy dependencies)
• what about the dependencies that have a scope specified on the parent POM level? (see e.g protostream-processor)

Edit: I'm already aware about the test failures.

Unreported flaky test detected

If the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.model.session.SessionTimeoutsTest#testOfflineUserClientMaxLifespanSmallerThanSession

Keycloak CI - Store Model Tests

java.lang.AssertionError: expected null, but was:<org.keycloak.models.sessions.infinispan.AuthenticatedClientSessionAdapter@27ff47e8>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotNull(Assert.java:756)
	at org.junit.Assert.assertNull(Assert.java:738)
	at org.junit.Assert.assertNull(Assert.java:748)
...

Report flaky test

jFTR, #21352 will (most likely*) affect the dependency list above in a following way:

bctls-fips - bumped from 1.0.14.1 to 1.0.16
commons-io - bumped from 2.11.0 to 2.13
javaparser-core - bumped from 3.24.2 to 3.25.3

*I compared it with 3.2.0.CR1, because the final platform BOMs were not released just yet.

This is currently waiting for Quarkus Platform BOMs 3.2.0.Final to be released.

This was superseded by #21426 (@Pepo48 is on PTO)