gnodet commented on PR #12092:
URL: https://github.com/apache/maven/pull/12092#issuecomment-4485666120
Maven 3.9.x also uses classworlds 2.11.0, so the `loadGlob` bug is
technically present. However, 3.9.x is **not practically affected** because:
1. Its `m2.conf` uses `load ${maven.home}/lib/*.jar` (empty prefix), so the
`||` vs `&&` distinction doesn't matter — `"".startsWith("")` is always true
regardless.
2. There is no `PlexusXmlBeanConverter` class collision in 3.9.x (the custom
version only exists in 4.0.x's `maven-embedder`).
The 4.0.x `m2.conf` uses `load ${maven.home}/lib/maven-*.jar` followed by
`load ${maven.home}/lib/*.jar` — the first glob's `maven-` prefix is what
triggers the bug (matching all jars instead of only `maven-*` jars), defeating
the intended load ordering.
That said, it would still be good to align 3.9.x with the fix once
classworlds ships 2.11.1, to avoid any future surprises.
_Claude Code on behalf of Guillaume Nodet_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
