I'm not sure, although I think you're on the right track with your javax.jws:jsr181-api theory. Eduardo/Jim/Rebecca, if I'm on the wrong track here, please let us know. :) The boms project itself only changed the version of the WildFly server it used to generate the boms -- see [1]. The server code itself didn't have any change specific to jakarta.jws:jakarta.jws-api -- see [2]. I'm not sure specifically how jakarta.jws:jakarta.jws-api was in the bom previously. There is no specific reference to it in the boms project, unlike javax.jws:jsr181-api which is specifically declared at [3]]. AIUI that means it appeared in the bom previously due to a transitive dependency on it by something that is declared in the boms project. So if something changed in the transitive dependency tree that could explain why it disappeared from the bom. The most relevant change is the CXF upgrade[4] that fixed the key CVE that inspired the release. Another possibility is is the JAXB update[5], but that seems less likely as it's less intuitive that that would have jws dependencies, plus the change itself was very small. [1] https://github.com/wildfly/boms/compare/26.1.2.Final...26.1.3.Final#diff-... [2] https://github.com/wildfly/wildfly/compare/26.1.2.Final...26.1.3.Final [3] https://github.com/wildfly/boms/blob/6fe75955e2f5522bd9d1f00dd6625bcbc10c... [4] https://github.com/wildfly/wildfly/pull/16440 [5] https://github.com/wildfly/wildfly/pull/16453 Best regards, Brian On Mon, Feb 6, 2023 at 2:14 AM Alex Lutsenko <krazilek(a)gmail.com&gt; wrote: