When Quarkus goes EOL, the CVEs don't stop.

Never-Ending Support (NES) for Quarkus keeps your Kubernetes-native Java services secure, compliant, and audit-ready after your release line reaches end of life. When you're locked to Quarkus 2.16 or 3.20, NES gives your security team a supported build so you control the security posture, the upgrade timeline, and where engineering spends its time.

TRUSTED BY ENTERPRISE

Google logoMicrosoft logoFinra logoBank Santander Logo
Hitachi LogoWorkday logoDropbox logo

Security, compliance, and continuity, solved together

Quarkus ships a new release roughly every month, and each non-LTS line stops getting community fixes the moment the next one lands. Even LTS lines are actively supported for about a year. Unless you chase every release, your services drift onto an end-of-life version fast, and the CVEs that follow go unpatched while scanners flag every build. NES for Quarkus is a supported build of the 2.16 or 3.20 release line you're already on.

Security

The risk: Quarkus sits at the network edge, handling HTTP, REST, and auth traffic. When your line goes EOL, there's no upstream fix.

CVE fixes across all severity levels on your EOL release line, closing the window that HTTP, security-policy, and deserialization attacks depend on.

SLA-backed patch delivery tied to severity

Fixes applied to your exact 2.16 or 3.20 line

Core, HTTP, REST, security & data coverage

Compliance

The risk: an open audit finding with no remediation path under CRA, DORA, NIS2, PCI DSS, and SOC 2.

Every build ships with VEX statements auditors and scanner tools can consume, so you have documented evidence to close the unsupported-dependency finding.

Coverage for SOC 2, PCI DSS, HIPAA, FedRAMP

DORA, NIS2, EU Cyber Resilience Act, and more

VEX statements & documented patch history

Business Continuity

The risk: a forced Quarkus major-version bump can break Jakarta EE, MicroProfile, and extension contracts your services depend on.

A drop-in quarkus-bom you swap in with a version change and no application code changes, so you migrate Quarkus lines on your own schedule.

Months or years of runway to migrate right

No rewrites, no broken extensions

A fraction of the cost of a forced framework migration

“Imagine telling your customers you can’t deliver any of the features they’ve been asking for because you need to spend the next year rewriting code that already works. That’s not a conversation any CTO wants to have… The impact [of NES] goes beyond just keeping our lights on — we’ve been able to invest in a completely new component library, improve user experiences, and deliver features that directly contribute to new customer acquisition. That wouldn’t have been possible if we’d been stuck in migration mode.”

— Keelvar
Valentina Roques, CTO

“By leveraging HeroDevs’ extended support, we were able to mitigate security risks, continue safe operation of the legacy application, and gain valuable time to plan a more sustainable long-term migration strategy — all without compromising on client experience or regulatory requirements.”

— Sanlam Private Wealth
Financial services

“We were caught in the classic technology dilemma – spend valuable engineering time updating a legacy system we were already planning to replace, or accept increasing security risk. Neither option aligned with our business objectives. … With NES we maintained our security posture without compromising our strategic roadmap, all while achieving substantial cost savings.”

— Statista
Markus Wolf, Architect
Commonhaus Foundation

ECOSYSTEM PARTNERSHIP

The Commonhaus Foundation is a non-profit home for community-governed open source projects, including Jackson, ensuring their long-term stewardship and sustainability. HeroDevs is proud to be the founding member of the Commonhaus Foundation Open Source Sustainability Initiative (OSSI). HeroDevs worked with Commonhaus to establish this security focused initiative and provides Never-Ending Support (NES) for end-of-life versions of Jackson, and other open-source projects governed by The Commonhaus Foundation.

What changes the day you install NES.

Before — the pain

Your services run on an EOL Quarkus line

Scanners flag every build. No upstream patches are coming. When a new HTTP or security-policy CVE drops, the window between disclosure and exploit stays open until you migrate.

After — with HeroDevs

NES restores your patch path

A quarkus-bom version swap resumes SLA-backed CVE patches across the covered extensions, with your APIs and application behavior unchanged.

Before — the pain

An open finding with no answer

Internal audit, SOC 2, and a customer security questionnaire all flag your EOL quarkus-core. There's no remediation path short of a subscription or a rushed upgrade — and no defensible answer for auditors.

After — with HeroDevs

Findings close, questionnaires answer themselves

A named, vendor-backed build with committed SLAs and VEX statements. Scanners stop flagging CVEs and you reference a runtime aligned to PCI DSS, HIPAA, SOC 2, DORA, and NIS2.

Before — the pain

The release cadence vs. the roadmap

Jumping Quarkus lines can bring Jakarta EE, MicroProfile, and extension changes that break your services. Chasing the monthly cadence — or a rushed LTS jump — pulls engineers off the roadmap.

After — with HeroDevs

Migrate on your terms, not the cadence

A drop-in BOM — no code changes. Teams get the breathing room to plan a proper upgrade while the line they run stays secure, compliant, and stable.

Not just quarkus-core.

NES for Quarkus covers the extensions most services actually depend on: the runtime and CDI core, the HTTP, REST, and messaging layer, and the security, identity, and persistence extensions.

Core & runtime

The engine

quarkus-core

quarkus-arc (CDI)

quarkus-vertx

quarkus-bootstrap

HTTP, REST & messaging

The edge

quarkus-rest

quarkus-resteasy

quarkus-vertx-http

quarkus-grpc

quarkus-rest-client

smallrye-reactive-messaging

Security, data & platform

The glue

quarkus-security

quarkus-oidc

quarkus-smallrye-jwt

quarkus-hibernate-orm

quarkus-agroal

quarkus-jdbc-postgresql

Easy to deploy, no disruptions

pom.xml
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.herodevs.nes.io.quarkus.platform</groupId>
<artifactId>quarkus-bom</artifactId>
<version>2.16.12-quarkus</version>
<type>pom</type> <scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
1

Add the registry

Register registry.herodevs.io as a Maven repository in your pom.xml or settings.xml.

2

Set up your token

Add your HeroDevs auth token to settings.xml so the build can pull the patched artifacts.

3

Swap the BOM

Point quarkus-bom at the -nes build and rebuild. No application code changes.

4

Scanners pass

Actively patched and commercially supported — so CVE findings on EOL Quarkus close.

A defensible answer for every standard, framework, or regulation

EOL software undermines patch-management expectations across regulations worldwide. NES gives you a maintained, vendor-backed build with committed SLAs and a documented patch history to demonstrate compliance to auditors and regulators.

PCI DSS

US

Req. 6.3.3 requires known critical and high-severity vulnerabilities to be patched within 30 days. EOL Quarkus with no upstream patch puts you out of compliance. NES restores the patch path.

HIPAA

US

Unsupported frameworks make it hard to show reasonable safeguards for systems handling ePHI. NES provides active maintenance and risk reduction.

SOC 2

Global

Trust Services Criteria expect timely vulnerability remediation and patch management. EOL dependencies raise material findings during audit unless a compensating support path exists. NES is that support path.

NIS2

EU

Article 21 covers patching, vulnerability, and supply-chain management. Running EOL software without a maintained support path creates risk that NIS2 expects operators to actively mitigate.

DORA

EU

DORA treats EOL software as a resilience gap for financial ICT assets. NES gives you a maintained build and a documented patch-management program.

Cyber Resilience Act

EU

Governs software lifecycle security for products with digital elements. NES gives you a maintained, patched build for your EOL Quarkus line during the coverage period.

NIST CSF 2.0

US

Control PR.PS-02 requires organizations to actively maintain or remove vulnerable software based on risk. NES enables compliance without a forced upgrade.

FedRAMP

US

Continuous monitoring expects flaw remediation on a defined cadence. A patched, vendor-backed build gives your ISSO the documented remediation path to justify keeping EOL Quarkus in the authorization boundary.

Commercial Contracts

Global

Vulnerability and configuration management controls require identifying technical vulnerabilities and keeping software within secure standards. NES restores that posture for EOL software.

Built by security engineers who patch what you run.

Every NES for Quarkus build closes the known CVEs for covered extensions on your version line, and ships with VEX statements and release notes that map to the advisories your scanner is flagging.

HeroDevs is a CVE Numbering Authority and a founding member of the Commonhaus Open Source Sustainability Initiative, funding the maintainers and ecosystems that keep Java open source moving forward.

CVE Numbering Authority

Discovery and publication of CVEs in HeroDevs-covered products.

VEX with every build

Machine-readable for your scanners

Committed SLAs

Severity-tied patch delivery

Frequently Asked Questions

Is NES a permanent alternative to upgrading?
Does NES for Quarkus help with compliance?
What does drop-in replacement for EOL Quarkus mean?
Which Quarkus versions does NES support?
What is Never-Ending Support (NES) for Quarkus?

Contact Us

Got questions about Never-Ending Support for your open-source library? We're here to help!

Discover how HeroDevs NES Products can keep your systems secure and compliant.

Learn how our solutions can deliver value to your organization.

Get detailed pricing information tailored to your needs.

Google logoLilly logoAbbott logoBox logoEG logoHitachi logoDropbox logoNHS logoWorkday logoFinra logoMicrosoft logoSantander logo
Talk to an Expert

By submitting the form I acknowledge receipt of our Privacy Policy.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.