Open ppalaga opened 3 months ago
We need to be a bit careful with this. Especially given this recent issue:
https://issues.apache.org/jira/browse/CAMEL-21232
What's the problem with CQ managing these dependencies? I have more confidence with things as they are now since we know Camel was built and tested with identical versions.
What's the problem with CQ managing these dependencies?
If we manage them in QCXF only, then they can hardly get out of sync between CQ and QCXF (CQ BOM imports QCXF BOM). If there is a problem with certain version in CQ, we know, we have to change and test also in QCXF.
The original motivation for this move was that Platform SBOMs for CQ and QCXF had different versions of httpcore5 - which is definitely not good for composability of QCXF and CQ.
https://issues.apache.org/jira/browse/CAMEL-21232
Quarkus CXF is intentionally still on httpcore5 5.2.x to be in sync with Camel 4.8.0 - see the comment in https://github.com/quarkiverse/quarkus-cxf/pull/1502#issuecomment-2348878387
A note to myself to do it once QCXF is upgraded to 3.15.0 and 3.8.7 in CQ main and 3.8.x respectively.
Related to https://github.com/quarkiverse/quarkus-cxf/pull/1493 and https://github.com/quarkiverse/quarkus-cxf/pull/1494