Skip to content

Commit 92c5b04

Browse files
authored
Native build issues (finos#2619)
* fix(calm-hub): pin MCP server to 1.12.1 to restore native image builds quarkus-mcp-server-bom:3.34.7 (added in PR finos#2608) resolves all MCP artifacts to 1.10.5, a downgrade from the previously pinned 1.12.0. Version 1.10.5 predates the native-image fix added in 1.12.0 (quarkiverse/quarkus-mcp-server#684/finos#685: fix elicitation and sampling in native image), causing both native CI workflows to fail at Quarkus augmentation. Add explicit dependencyManagement overrides in calm-hub/pom.xml pinning all five MCP runtime and deployment artifacts to 1.12.1, overriding the 1.10.5 resolved by the platform BOM. Verified: both build-native-image.sh --no-docker and build-readonly-native-image.sh --no-docker produce BUILD SUCCESS with a 220MB native binary. * fix(calm-hub): remove Netty version override to fix native image on x86_64 Netty 4.1.135.Final (overridden in PR finos#2608) registers io.netty.handler.codec.compression.BrotliDecoder for link-at-build-time in netty-codec's native-image config. On linux/x86_64 (CI), brotli4j native libs are not on the classpath, causing a fatal unresolved method error during native image analysis. Quarkus 3.34.7 already manages Netty at 4.1.132.Final, which patches CVE-2025-58057, CVE-2026-33870, and CVE-2026-33871 (all affecting <=4.1.131.Final). The 4.1.135.Final override is unnecessary and breaks native image compilation on x86_64 CI runners. * fix(calm-hub): remove duplicated MCP dependencyManagement block The five io.quarkiverse.mcp version overrides (and their comment) were accidentally duplicated in the dependencyManagement section. Remove the second identical copy, leaving one set pinning all MCP artifacts to 1.12.1.
1 parent c75e5a1 commit 92c5b04

1 file changed

Lines changed: 7 additions & 12 deletions

File tree

calm-hub/pom.xml

Lines changed: 7 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -20,20 +20,15 @@
2020
<surefire-plugin.version>3.5.5</surefire-plugin.version>
2121
</properties>
2222

23-
<!-- Override Netty components to a secure version (keep all modules aligned) -->
23+
<!-- dependencyManagement overrides for native-image compatibility.
24+
Quarkus 3.34.7 manages Netty at 4.1.132.Final which already patches
25+
CVE-2025-58057 / CVE-2026-33870 / CVE-2026-33871 (affecting <=4.1.131.Final)
26+
and is native-image compatible. Do NOT override netty-bom here: Netty
27+
4.1.133+ changed netty-codec native-image config to register BrotliDecoder
28+
for link-at-build-time, which requires brotli4j on the classpath, a
29+
dependency we do not include. Let Quarkus manage Netty at 4.1.132.Final. -->
2430
<dependencyManagement>
2531
<dependencies>
26-
<dependency>
27-
<groupId>io.netty</groupId>
28-
<artifactId>netty-bom</artifactId>
29-
<!-- Force patched Netty 4.1 version to mitigate CVE-2025-58057 and
30-
CVE-2026-33870/CVE-2026-33871 (affecting <=4.1.131.Final).
31-
Must stay on 4.1.x — Quarkus 3.x applies a CleanerJava9 bytecode
32-
transformation incompatible with Netty 4.2 (see quarkusio/quarkus#53309). -->
33-
<version>4.1.135.Final</version>
34-
<type>pom</type>
35-
<scope>import</scope>
36-
</dependency>
3732
<!-- Override MCP server to a version with native-image fixes.
3833
quarkus-mcp-server-bom:3.34.7 (from root pom) resolves all MCP
3934
artifacts to 1.10.5, which predates the native-image fixes added

0 commit comments

Comments
 (0)