Update dependency io.quarkus.qute:qute-core to v3.36.2

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
io.quarkus.qute:qute-core	3.35.3 → 3.36.2

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

quarkusio/quarkus (io.quarkus.qute:qute-core)

v3.36.2

Compare Source

Complete changelog

• #​34285 - Using Dev ui "breaks" a lambda
• #​40420 - FrameworkRouter not initialized when access-log is enabled with custom non-application-root-path
• #​54080 - Don't use ordered execution for @RunOnVertxContext
• #​54438 - Allow Dev UI to work with Amazon Lambda HTTP extensions in dev mode
• #​54546 - Bump kafka.version from 4.2.0 to 4.2.1
• #​54597 - Fix null Vert.x log messages showing as NULL in native mode
• #​54604 - With quarkus.thread-pool.queue-size set, async health work can be silently dropped
• #​54609 - Don't ignore Future in Smallrye Health
• #​54621 - Bump the hibernate group with 10 updates
• #​54639 - Memory Leak with Quarkus Rest Client in a Reactive pipeline
• #​54646 - Panache: PanacheRepositoryBase.findByIds(List<?> ids) returns a list of instead of
• #​54647 - Fix return type of PanacheRepositoryBase
• #​54649 - Bump to Vert.x 4.5.28 and Netty 4.1.135.Final
• #​54659 - Fix memory leak in REST Client reactive pipelines
• #​54669 - Fix startup NPE when the access log is enabled without a framework router
• #​54673 - add config properties section to cyclonedx guide
• #​54674 - cyclonedx sbom missing serialnumber
• #​54675 - Add cyclone configuration to docs
• #​54678 - Missing %l in the access log documentation
• #​54689 - Basic auth may return 401 with older clients when realm is unset
• #​54697 - Document Basic authentication realm compatibility
• #​54700 - Include serial numbers into generated SBOMs
• #​54705 - Bump quarkiverse-parent from 20 to 22
• #​54708 - Updates Infinispan to 16.0.13
• #​54709 - Add support for --no-wrapper on CreateProjectMojo
• #​54711 - Bump jacoco.version from 0.8.14 to 0.8.15
• #​54713 - Add option to Maven plugin to forget wrapper addition
• #​54732 - Dev-UI: Update German translation for 'Read me' to 'Lies mich'

v3.36.1

Compare Source

Complete changelog

• #​52741 - quarkus-amazon-lambda-rest does not correctly include a Jandex
• #​53197 - Smallrye config and microprofile config version conflict causes build failure with java modules
• #​53613 - Quarkus build with vertx-hazelcast fails after upgrade to 3.33.1
• #​53785 - Multi threaded maven uber jar builds on windows faill with java.nio.file.ClosedFileSystemException
• #​53808 - Wrap shorthand admonition blocks in ==== delimiters
• #​54001 - Gradle quarkusRun task starts in TEST mode
• #​54095 - Gradle config from one module's quarkusAppPartsBuild leaks into another module in 3.35.x
• #​54144 - Open archive path tree interrupt workaround
• #​54229 - Signals: add configurable concurrency limit
• #​54270 - Enable RAG generation during release builds
• #​54273 - Keycloak exchange code for tokens fails in devmode if clientId contains an underscore
• #​54281 - quarkus.rest-client-oidc-filter.refresh-on-unauthorized not respected with multiple @RegisterProvider annotations
• #​54286 - Signals: introduce configurable concurrency limiter
• #​54313 - Fix Hibernate ORM Dev UI localization and clear HQL input on submit
• #​54320 - Use Mode.RUN for the Gradle quarkusRun task to fix indexing crash
• #​54340 - Fix Keycloak DEV UI code exchange for client IDs with underscores
• #​54342 - @ServerExceptionMapper with generic base class drops other exception mappers at runtime
• #​54343 - Fix JSON logging excluded keys config ignoring nested fields
• #​54346 - Fix @ServerExceptionMapper bridge method handling for generic types
• #​54357 - Fix typo it's is -> it is
• #​54382 - Bump the hibernate group with 11 updates
• #​54389 - Updates to Infinispan 16.0.12.Final
• #​54413 - Update documentation of ReflectiveClassConditionBuildItem
• #​54423 - Fix "Kafka OAuthBearer authentication fails in native mode" again
• #​54426 - Injecting test security identity on IO thread is blocking operation
• #​54427 - Fix injecting @TestSecurity identity with @RunOnVertxContext
• #​54428 - Disambiguate config doc anchors for build-time properties
• #​54432 - Fix platform BOM and platform metadata override ordering
• #​54436 - Fix: quarkus.rest-client-oidc-filter.refresh-on-unauthorized not respected with multiple @RegisterProvider annotations
• #​54443 - Bump the hibernate group across 1 directory with 16 updates
• #​54447 - Reset stale Quarkus system properties on reused Gradle worker JVMs
• #​54455 - [Kafka Dev UI] Topic message timestamp displayed one month behind actual value
• #​54467 - Bump proposed Maven version to 3.9.16
• #​54468 - Signals: Receivers - resolve lambda inference ambiguity
• #​54470 - Bump org.eclipse.parsson:parsson from 1.1.7 to 1.1.9
• #​54473 - Fix Kafka Dev UI message timestamp displaying one month earlier
• #​54480 - Lambda fails serialization when returning Record, succeeds when swapped to Object
• #​54482 - REST Client + Micrometer: duplicate gauge registration warning for http.client.active.connections on first invocation
• #​54484 - Properly support java.lang.Record as Lambda return type
• #​54496 - Avoid duplicate gauge warnings for REST Client
• #​54497 - Agroal invalid connection metric has the wrong description
• #​54499 - Fix wrong description for agroal.invalid.count metric
• #​54505 - Bump Maven wrapper to 3.9.16
• #​54520 - Add maven distribution sha256 validation
• #​54522 - Dev UI Workspace - the scroll is not working anymore
• #​54527 - Avoid transfer progress in Quarkus Update commands
• #​54531 - Remove superfluous code in dev ui guide
• #​54541 - Raggedy alignment on dev UI for new actions links
• #​54543 - Undeprecate AbstractQuarkusExtensionTest and make it abstract
• #​54544 - Bump version.surefire.plugin from 3.5.4 to 3.5.6
• #​54545 - Bump jaxb-runtime.version from 4.0.8 to 4.0.9
• #​54553 - Finalize Maven 3.9.16 update
• #​54555 - Fix Dev UI Workspace scroll not working
• #​54556 - Align Dev UI action links with regular extension links
• #​54558 - DataSource leaks after upgrading to Quarkus 3.36.0
• #​54560 - Signals: document programmatic Signal creation via Signal.create()
• #​54573 - Bump jakarta.json.bind:jakarta.json.bind-api from 3.0.1 to 3.0.2
• #​54574 - Bump com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.21.4
• #​54577 - Multiple extensions registered a feature of the same name: hibernate-orm-panache
• #​54582 - Improve French translation of the Dev UI
• #​54587 - [3.36] Fix duplicate feature name when hibernate-panache-next and hibernate-orm-panache coexist
• #​54588 - Do not bytecode record the Vert.x service instances
• #​54595 - Index additional classes in AWS Lambda extensions
• #​54599 - Align MicroProfile Config with SmallRye Config
• #​54606 - Bump Agroal to 3.2

v3.36.0

Compare Source

Complete changelog

• #​53533 - Complains about missing <extensions>true</extensions> for newly created extension
• #​54119 - Add extension-rag module to generate RAG vector embeddings from core documentation
• #​54133 - Bump kubernetes-client-bom from 7.6.1 to 7.7.0
• #​54186 - Signals: improvements
• #​54196 - Bump Gradle from 9.3.1 to 9.5.1
• #​54202 - Bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3
• #​54209 - Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18
• #​54217 - Reflection free serializer improvements
• #​54220 - Bump Microsoft SQL Server JDBC driver to 13.4.0
• #​54221 - Support for multiple SunPKCS11 configurations
• #​54223 - Add extensions=true to generated extension codestart POMs for external extensions
• #​54227 - Exclude transitive dependencies from narayana-jta
• #​54228 - Add Spring's entities among class placeholders to be unwrapped
• #​54239 - Add preauthorized_code as OidcClient grant type enum
• #​54241 - Bump Vineflower to 1.12.0
• #​54243 - Agroal 3.1 Causes Connections to Use DB Default Transaction Isolation
• #​54248 - Signals: remove flaky BlockingEmissionFailureTest
• #​54258 - Using copyRecursive instead of registering configuration for QuarkusComponentVariants
• #​54259 - Ensure LauncherProvider always use current Config
• #​54262 - Bump Agroal to 3.1.2
• #​54300 - Bump com.github.ben-manes.caffeine:caffeine from 3.2.3 to 3.2.4

v3.35.4

Compare Source

Complete changelog

• #​51109 - Smallrye OpenAPI generation for SSE with Multi return type generates array type
• #​53479 - x-smallrye-profile Profile filtering not working properly
• #​53798 - Update remaining actions to pinned shas
• #​53844 - Bump smallrye-open-api.version from 4.3.0 to 4.3.1
• #​53916 - Add support for more Jackson annotations in generated reflection-free serializers
• #​53944 - Bump the hibernate group with 9 updates
• #​53946 - [3.35.1] Hibernate IllegalArgumentException is not a subtype
• #​53964 - StackOverflowError in Hibernate metadata processing since 3.35 for generic AttributeConverter
• #​54060 - Allow WebDependencyJarBuildItem to carry import mappings directly
• #​54085 - Improve Micrometer test resilience
• #​54091 - mTLS auth mechanism throws NPE when proxy "forwarded" header indicate HTTPS in the HTTP request
• #​54093 - Using reflection-free serializers breaks in 3.35
• #​54127 - quarkus-opentelemetry native image on JDK 25: IllegalArgumentException: Receiver type ManagementSupport$$Lambda is not an instance of com.sun.management.OperatingSystemMXBean at runtime
• #​54140 - Fix CNFE for CpuMethods otel class
• #​54146 - SunPKCS provider is not available at runtime
• #​54147 - Apply security provider specific configuration at runtime
• #​54148 - Bump Narayana from 7.3.3.Final to 7.3.4.Final
• #​54150 - Bump the hibernate group across 1 directory with 14 updates
• #​54188 - Update JAXB to 4.0.8
• #​54189 - Generate reflection-free Jackson serializers only for public classes
• #​54199 - docs: replace Markdown xml fence with AsciiDoc source block
• #​54208 - Bump smallrye-open-api from 4.3.1 to 4.3.3
• #​54242 - Prevent NPE in mTLS auth mech when communication with a trusted proxy happens over HTTP protocol but headers indicate HTTPS
• #​54264 - Fix NPE in RemoteUserAttribute with anonymous identity
• #​54310 - Prometheus compression header fix

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[github-actions]

Mend Scan Results

Status: ⚠️ Findings detected

⚠️ SCA findings detected

⚠️ SAST findings detected

SCA scan output

b-annotations-2.11.3.jar
			|-- jackson-core-2.19.2.jar [1 HIGH]
	|-- json-patch-1.9.jar
		|-- jackson-coreutils-1.6.jar
			|-- guava-28.1-jre.jar [1 MEDIUM, 1 LOW]
	|-- guava-28.1-jre.jar [1 MEDIUM, 1 LOW]
|-- mapdb-3.1.0.jar
	|-- guava-28.1-jre.jar [1 MEDIUM, 1 LOW]
	|-- lz4-1.3.0.jar [1 CRITICAL, 1 HIGH]
pnc-3.5.0-SNAPSHOT.jar
|-- auth-3.5.0-SNAPSHOT.jar
	|-- jackson-core-2.19.2.jar [1 HIGH]
	|-- keycloak-installed-adapter-25.0.3.jar
		|-- jackson-core-2.19.2.jar [1 HIGH]
		|-- undertow-core-2.2.24.Final.jar [1 CRITICAL, 11 HIGH, 3 MEDIUM]
			|-- xnio-api-3.8.7.Final.jar [2 HIGH]
			|-- xnio-nio-3.8.7.Final.jar
				|-- xnio-api-3.8.7.Final.jar [2 HIGH]
		|-- bcprov-jdk18on-1.74.jar [2 CRITICAL, 3 HIGH, 4 MEDIUM]
		|-- keycloak-adapter-core-25.0.3.jar [1 MEDIUM]
			|-- jackson-core-2.19.2.jar [1 HIGH]
			|-- bcprov-jdk18on-1.74.jar [2 CRITICAL, 3 HIGH, 4 MEDIUM]
			|-- keycloak-core-25.0.3.jar [1 HIGH, 3 MEDIUM, 2 LOW]
			|-- keycloak-crypto-default-25.0.3.jar
				|-- bcpkix-jdk18on-1.74.jar [2 MEDIUM]
					|-- bcprov-jdk18on-1.74.jar [2 CRITICAL, 3 HIGH, 4 MEDIUM]
					|-- bcutil-jdk18on-1.74.jar
						|-- bcprov-jdk18on-1.74.jar [2 CRITICAL, 3 HIGH, 4 MEDIUM]
				|-- bcprov-jdk18on-1.74.jar [2 CRITICAL, 3 HIGH, 4 MEDIUM]
				|-- keycloak-core-25.0.3.jar [1 HIGH, 3 MEDIUM, 2 LOW]
				|-- keycloak-server-spi-private-25.0.3.jar [1 HIGH, 4 MEDIUM, 1 LOW]
					|-- keycloak-core-25.0.3.jar [1 HIGH, 3 MEDIUM, 2 LOW]
				|-- keycloak-server-spi-25.0.3.jar
					|-- keycloak-core-25.0.3.jar [1 HIGH, 3 MEDIUM, 2 LOW]
		|-- keycloak-adapter-spi-25.0.3.jar
			|-- bcprov-jdk18on-1.74.jar [2 CRITICAL, 3 HIGH, 4 MEDIUM]
		|-- keycloak-core-25.0.3.jar [1 HIGH, 3 MEDIUM, 2 LOW]
			|-- jackson-core-2.19.2.jar [1 HIGH]
			|-- keycloak-common-25.0.3.jar [2 MEDIUM]
|-- common-3.5.0-SNAPSHOT.jar
	|-- jackson-dataformat-yaml-2.19.2.jar
		|-- jackson-core-2.19.2.jar [1 HIGH]
	|-- jackson-datatype-jsr310-2.19.2.jar
		|-- jackson-core-2.19.2.jar [1 HIGH]
	|-- pom-manipulation-common-lite-5.3.jar
		|-- jackson-core-2.19.2.jar [1 HIGH]
|-- config-3.5.0-SNAPSHOT.jar
	|-- jackson-core-2.19.2.jar [1 HIGH]
	|-- jackson-databind-2.19.2.jar
		|-- jackson-core-2.19.2.jar [1 HIGH]
|-- opentelemetry-ext-cli-java-2.0.0.jar
	|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
	|-- opentelemetry-exporter-otlp-1.51.0.jar
		|-- opentelemetry-exporter-sender-okhttp-1.51.0.jar
			|-- opentelemetry-exporter-common-1.51.0.jar
				|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
		|-- opentelemetry-sdk-logs-1.51.0.jar
			|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
		|-- opentelemetry-sdk-metrics-1.51.0.jar
			|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
		|-- opentelemetry-sdk-trace-1.51.0.jar
			|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
	|-- opentelemetry-sdk-1.51.0.jar
		|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
		|-- opentelemetry-sdk-common-1.51.0.jar
			|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
	|-- opentelemetry-semconv-1.29.0-alpha.jar
		|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
|-- rest-client-3.5.0.jar
	|-- jackson-datatype-jdk8-2.12.6.redhat-00001.jar
		|-- jackson-core-2.19.2.jar [1 HIGH]
	|-- vertx-core-3.9.14.jar [1 MEDIUM]
		|-- jackson-core-2.19.2.jar [1 HIGH]
		|-- netty-buffer-4.1.84.Final.jar
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
		|-- netty-codec-http2-4.1.84.Final.jar [4 HIGH, 4 MEDIUM]
			|-- netty-codec-http-4.1.84.Final.jar [3 HIGH, 10 MEDIUM]
			|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-handler-4.1.84.Final.jar [3 HIGH, 1 MEDIUM]
		|-- netty-codec-http-4.1.84.Final.jar [3 HIGH, 10 MEDIUM]
			|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
				|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-handler-4.1.84.Final.jar [3 HIGH, 1 MEDIUM]
		|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
		|-- netty-handler-proxy-4.1.84.Final.jar [1 MEDIUM]
			|-- netty-codec-http-4.1.84.Final.jar [3 HIGH, 10 MEDIUM]
			|-- netty-codec-socks-4.1.84.Final.jar
				|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
				|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-handler-4.1.84.Final.jar [3 HIGH, 1 MEDIUM]
		|-- netty-handler-4.1.84.Final.jar [3 HIGH, 1 MEDIUM]
			|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-transport-native-unix-common-4.1.84.Final.jar
				|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
		|-- netty-resolver-dns-4.1.84.Final.jar [2 HIGH, 1 MEDIUM]
			|-- netty-codec-dns-4.1.84.Final.jar [1 HIGH]
				|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
				|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-codec-4.1.84.Final.jar [1 HIGH, 1 MEDIUM]
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
			|-- netty-handler-4.1.84.Final.jar [3 HIGH, 1 MEDIUM]
		|-- netty-resolver-4.1.84.Final.jar
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
		|-- netty-transport-4.1.84.Final.jar
			|-- netty-common-4.1.84.Final.jar [2 MEDIUM]
	|-- common-3.5.0.jar
		|-- opentelemetry-instrumentation-annotations-2.24.0.jar
			|-- opentelemetry-api-1.51.0.jar [1 MEDIUM]
	|-- dto-3.5.0-patch-builders.jar
		|-- jsoup-1.22.2.jar
			|-- netty-codec-http-4.1.84.Final.jar [3 HIGH, 10 MEDIUM]
			|-- netty-handler-4.1.84.Final.jar [3 HIGH, 1 MEDIUM]
	|-- rest-api-3.5.0-java-client.jar
		|-- undertow-core-2.2.24.Final.jar [1 CRITICAL, 11 HIGH, 3 MEDIUM]


No Policy violations were detected

Project 'bacon' was updated, for more information, visit the Mend platform: https://ibmets.whitesourcesoftware.com/app/orgs/Enterprise%20Applications/applications/summary?project=f85d9f1a-b4b0-47cd-8126-d6bf70df9ffc
Or the Core UI: https://ibmets.whitesourcesoftware.com/Wss/WSS.html#!project;token=6d0c058f67e84d0886f851d7173c47c7ca091a6fdb1242cdbb51128e57035c41

Mend AI scan succeeded.

Support Token: 222227cc19aee408eaea67fd6bcd956621781546097072

SAST scan output

warning: 'KeycloakClientException' method could be abused to reveal sensitive internal information. (pig/src/main/java/org/jboss/pnc/bacon/pig/impl/addons/camel/TreeParser.java:246)
warning: 'sha1' method of 'hashlib' uses a non-recommended hash algorithm. (bacon_install.py:188)

Full logs and artifacts