Fix loadGlob using OR instead of AND for glob matching#147
Merged
slachiewicz merged 2 commits intoMay 19, 2026
Conversation
The loadGlob method used || (OR) instead of && (AND) when matching files against prefix and suffix patterns. This caused glob patterns like "maven-*.jar" to match all files ending with .jar (since every jar matches the suffix), regardless of the prefix. This bug was introduced in 4f4cfe6 ("Some automatic code cleanups") where an automated refactoring incorrectly simplified the filter lambda, breaking De Morgan's law: the original negated early-returns (!prefix → false, !suffix → false, else true) are equivalent to (prefix AND suffix), not (prefix OR suffix). On Linux ext4, File.listFiles() returns non-deterministic ordering. Combined with this bug, classloading order becomes unpredictable, causing class collisions when multiple jars contain the same FQCN (e.g., PlexusXmlBeanConverter in both maven-embedder and sisu-plexus). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Path.resolve rejects '*' on Windows with InvalidPathException. Use File constructor instead, which accepts glob characters. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gnodet
added a commit
to apache/maven
that referenced
this pull request
May 19, 2026
Classworlds 2.11.0 introduced a bug in ConfigurationParser.loadGlob where the glob file filter uses || (OR) instead of && (AND), causing patterns like "maven-*.jar" to match all jars. On Linux ext4, where File.listFiles() returns non-deterministic ordering, this leads to unpredictable classloading order and class collisions between maven-embedder and sisu-plexus (PlexusXmlBeanConverter), breaking lifecycle configuration injection. Fix: codehaus-plexus/plexus-classworlds#147 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Member
|
@slachiewicz pls review, merge and do a release, as right now, 2.10 and 2.11 are two in a row broken releases. |
slachiewicz
approved these changes
May 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
loadGlobinConfigurationParserwhere||(OR) was used instead of&&(AND) for matching files against prefix and suffix patternsmaven-*.jarto match all.jarfiles instead of only those starting withmaven-loadGlobglob matchingImpact
On Linux ext4,
File.listFiles()returns files in non-deterministic (inode hash) order. Combined with this bug,load maven-*.jarin Maven'sm2.confloads all jars in the lib directory in arbitrary order instead of loadingmaven-*.jarfiles first. This causes class collisions when multiple jars contain the same FQCN — for example,PlexusXmlBeanConverterexists in bothmaven-embedder.jar(Maven's custom version with XmlNode handling) andorg.eclipse.sisu.plexus.jar(Sisu's version without it). When Sisu's version wins the race, Maven's lifecycle configuration injection fails.This is currently breaking all CI on the Apache Maven
maven-4.0.xbranch (ubuntu-latest, all JDKs) after a GitHub Actions runner image update changed the filesystem layout.Claude Code on behalf of Guillaume Nodet