[Snyk] Fix for 1 vulnerabilities

[ISGA]

User description

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-IOUNDERTOW-15166617	124	io.undertow:undertow-servlet: 2.3.2.Final -> 2.3.21.Final org.wildfly:wildfly-undertow: 29.0.0.Final -> 39.0.0.Final Major version upgrade No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

---

CodeAnt-AI Description

Upgrade Undertow and WildFly artifacts to fix a high-severity resource allocation vulnerability

What Changed

• Replaced Undertow Jakarta from 2.3.2.Final to 2.3.21.Final, addressing a high-severity "Allocation of Resources Without Limits" vulnerability
• Set WildFly artifact version to 39.0.0.Final in adapter profiles so builds use the newer WildFly runtime artifacts
• Removed an empty contributors element (formatting-only change with no runtime effect)

Impact

✅ Fewer high-severity vulnerabilities
✅ Safer request handling under load
✅ Builds use newer WildFly runtime artifacts

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Nitpicks 🔍

🔒 No security issues identified

⚡ Recommended areas for review Incomplete remediation A new property undertow-jakarta.version was added but most Undertow dependencies in this POM still reference ${undertow.version} which expands to the legacy undertow-legacy.version (2.2.24.Final). The vulnerability Snyk reported targets io.undertow:undertow-servlet — verify the actual artifact version used across modules (and update dependency declarations or the ${undertow.version} value) to ensure the vulnerability is actually fixed. Version inconsistency risk The profiles eap8-adapters and upstream-adapters now hardcode <wildfly.version>39.0.0.Final</wildfly.version>. The top-level upstream.wildfly.version remains 29.0.0.Final, so these overrides can create inconsistent WildFly versioning across the build and downstream modules. Confirm the intended alignment and verify no modules still expect the older wildfly version.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	maven/​io.undertow/​undertow-servlet@​2.3.21.Final
	npm/​vite-plugin-checker@​0.8.0

View full report

[codeant-ai]

Suggestion: In the eap8-adapters profile, wildfly.version is now hard-coded to 39.0.0.Final while ee.maven.groupId is org.jboss.eap and ee.maven.version is ${eap8.version} (e.g. 8.0.0.GA-redhat-00007), so dependencies like org.jboss.eap:wildfly-ee-galleon-pack:${wildfly.version} will point to a likely non-existent GAV and cause resolution/build failures when this profile is used; wildfly.version should remain aligned with the EAP version. [logic error]

Severity Level: Critical 🚨

- ❌ EAP8 adapter build fails resolving wildfly-ee-galleon-pack.
- ⚠️ EAP8 profile unusable for downstream adapter testing.

Suggested change

	<wildfly.version>39.0.0.Final</wildfly.version>
	<wildfly.version>${eap8.version}</wildfly.version>

Steps of Reproduction ✅

1. From the project root (`/workspace/keycloak`), run Maven with the EAP8 adapters profile
enabled, for example: `mvn -Peap8-adapters dependency:tree`.

2. Maven activates the `eap8-adapters` profile defined in `pom.xml:1593-1607`, setting
`ee.maven.groupId=org.jboss.eap`, `ee.maven.version=${eap8.version}`
(`8.0.0.GA-redhat-00007`), and `wildfly.version=39.0.0.Final`.

3. During dependency resolution, Maven processes the dependency management entry at
`pom.xml:746-748`:

   `<groupId>${ee.maven.groupId}</groupId>`,
   `<artifactId>wildfly-ee-galleon-pack</artifactId>`,
   `<version>${wildfly.version}</version>`, which evaluates to
   `org.jboss.eap:wildfly-ee-galleon-pack:39.0.0.Final`.

4. Maven attempts to resolve `org.jboss.eap:wildfly-ee-galleon-pack:39.0.0.Final` (and
related EAP artifacts using `${wildfly.version}`) and fails because this version does not
correspond to the configured EAP 8 GAVs, causing dependency resolution/build failure
whenever the `eap8-adapters` profile is used.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** pom.xml
**Line:** 1603:1603
**Comment:**
	*Logic Error: In the `eap8-adapters` profile, `wildfly.version` is now hard-coded to `39.0.0.Final` while `ee.maven.groupId` is `org.jboss.eap` and `ee.maven.version` is `${eap8.version}` (e.g. `8.0.0.GA-redhat-00007`), so dependencies like `org.jboss.eap:wildfly-ee-galleon-pack:${wildfly.version}` will point to a likely non-existent GAV and cause resolution/build failures when this profile is used; `wildfly.version` should remain aligned with the EAP version.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

👍 | 👎

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[zeropath-ai]

✅ No security or compliance issues detected. Reviewed everything up to 70b6c04.

Security Overview

• 🔎 Scanned files: 1 changed file(s)
• 🔗 Scan Link: https://zeropath.com/app/repositories/0e111b51-ae74-4faa-8067-84c4c8db1568?scanId=9ce352d8-7def-47a2-964a-44552d9a61bf&codeScanTypes=PrScan&tab=issues

Detected Code Changes

Change Type	Relevant files
Configuration changes	► pom.xml     Update undertow-jakarta.version to 2.3.21.Final     Change contributors to empty tag     Update wildfly.version to 39.0.0.Final for EAP 8     Update wildfly.version to 39.0.0.Final for upstream wildfly