This is an automated email from the ASF dual-hosted git repository.
gnodet pushed a commit to branch maven-4.0.x
in repository https://gitbox.apache.org/repos/asf/maven.git
The following commit(s) were added to refs/heads/maven-4.0.x by this push:
new 586802711c Downgrade plexus-classworlds from 2.11.0 to 2.9.0 (#12092)
586802711c is described below
commit 586802711ce0997cadfadc10c841d41b1ae5a457
Author: Guillaume Nodet <[email protected]>
AuthorDate: Tue May 19 11:00:55 2026 +0200
Downgrade plexus-classworlds from 2.11.0 to 2.9.0 (#12092)
Classworlds 2.11.0 introduced a bug in ConfigurationParser.loadGlob
where the glob file filter uses || (OR) instead of && (AND), causing
patterns like "maven-*.jar" to match all jars. On Linux ext4, where
File.listFiles() returns non-deterministic ordering, this leads to
unpredictable classloading order and class collisions between
maven-embedder and sisu-plexus (PlexusXmlBeanConverter), breaking
lifecycle configuration injection.
Fix: https://github.com/codehaus-plexus/plexus-classworlds/pull/147
Co-authored-by: Claude Opus 4.6 <[email protected]>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 13ef71e0f8..456083d34c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -145,7 +145,7 @@ under the License.
<assertjVersion>3.27.7</assertjVersion>
<asmVersion>9.9.1</asmVersion>
<byteBuddyVersion>1.18.8</byteBuddyVersion>
- <classWorldsVersion>2.11.0</classWorldsVersion>
+ <classWorldsVersion>2.9.0</classWorldsVersion>
<commonsCliVersion>1.11.0</commonsCliVersion>
<guiceVersion>5.1.0</guiceVersion>
<guavaVersion>33.6.0-jre</guavaVersion>
