apache/maven maven-4.0.0-rc-5

4.0.0-rc-5

on GitHub

Notes

This new release candidate of Maven 4 is released to get feedback from users.
Maven 4 has a restrained a few things comparent to Maven 3, so make sure to run the mvnup tool before trying to project with Maven 4.

Bean configuration bug

A bug has been found in the bean configuration system where field accessibility state is cached globally. This can cause plugin configuration injection to fail when the same configuration field is accessed multiple times or in different contexts during a build. This particularly affects the plugin unit tests.

This will be fixed by #11433 in the next release.

Concurrency issue in the v4 API

A concurrency issue has been found in the Maven 4 API (still in preview mode) and will be fixed by #11428 in the next release.

BOM packaging

Another bug has been found in how BOM projects are processed. When a project uses BOM packaging, the consumer POM is not being properly converted to standard POM packaging, and dependency versions could be lost in some cases.

This will be fixed by #11427 in the next release.

macOS: JLine native library may be blocked by Gatekeeper on first use

On macOS (especially Apple Silicon), the first invocation of mvn may fail to load the JLine native terminal library with an error such as:

java.lang.UnsatisfiedLinkError: .../libjline-native/Mac/arm64/libjlinenative.jnilib: dlopen(...): code signature ... not valid for use in process: library load disallowed by system policy

This occurs when the binary distribution is downloaded via a web browser, which applies the com.apple.quarantine extended attribute.

Workaround (one-time fix):

xattr -r -d com.apple.quarantine /path/to/apache-maven-4.0.0-rc-5/lib/jline-native

Recommended download method (avoids the issue entirely):

curl -L -O https://archive.apache.org/dist/maven/maven-4/4.0.0-rc-5/binaries/apache-maven-4.0.0-rc-5-bin.tar.gz
tar -xzf apache-maven-4.0.0-rc-5-bin.tar.gz

This is a known issue #10747 and will be addressed in a future release.

💥 Breaking changes

• Disable consumer POM flattening by default and add an opt-in feature (#11347) (#11370) @gnodet

🚀 New features and improvements

• Disable consumer POM flattening by default and add an opt-in feature (#11347) (#11370) @gnodet
• Make config files use UTF8 (#11263) (#11265) @cstamas
• Simplify prefix resolution (#11072) (#11073) @cstamas
• Add PathMatcherFactory.includesAll() (#11008) @desruisseaux
• Add skipMavenRc to ExecutorRequest and use it in ITs (#10944) @slawekjaranowski
• Add PathMatcherFactory service with directory filtering optimization (#10923) (#10926) @gnodet
• Allow configurable repository selection for version range resolution (backport) (#10890) @cstamas
• Switch resolver to use rwlock-local locks (#2546) (#2555) @gnodet

🐛 Bug Fixes

• Fix resource targetPath resolution to be relative to output directory (fixes #11381) (#11394) (#11406) @gnodet
• Fix MavenStaxReader location reporting for properties (#11402) (#11404) @gnodet
• Fix false parent cycle detection with flatten-maven-plugin (#11400) @gnodet
• Resolve property before model reflection to avoid recursion (#11385, fixes #11384) (#11390) @gnodet
• Explicitly register jdk ToolchainFactory for Maven 3 plugins (#11318) (#11369) @gnodet
• Fix -itr option not honored (#11359) (#11361) @gnodet
• Do not include invalid transitive repositories (#11357) (#11362) @gnodet
• Prevent infinite loop in RootLocator when .mvn directory exists in subdirectory (fixes #11321) (#11323) (#11350) @gnodet
• Fix [unknown project] messages in error output (#11324) (#11349) @gnodet
• Restore compatibility in maven-embedder (#11320) (#11340) @gnodet
• Add backward compatibility dependencies to maven-compat (#11301) (#11339) @gnodet
• Relative are resolved against the wrong directory (#11325) @desruisseaux
• Bug: when raw-streams are used, ensure system streams are set up (#11303) (#11310) @cstamas
• Fix plugin prefix resolution when metadata is not available from repository (#11287) (#11288) @gnodet
• Maven model 4.1.0 should not allow non-pom packaging for aggregators (#11279) (#11285) @gnodet
• Fix exception caused by duplicate dependencies in consumer pom (#11283) (#11286) @gnodet
• Remove use of toRealPath (#11250) (#11257) @cstamas
• Bugfix: fix CLI graceful death (#11239) (#11246) @cstamas
• Introduce RepositoryAwareRequest interface to consolidate repository handling (#11238) (#11244) @gnodet
• Fix repository ID interpolation in Maven 4 (#11224) (#11241) @gnodet
• Fix dependency groupId inference for Maven 4.1.0 model version (#11228) (#11240) @gnodet
• Consumer POM should keep only transitive dependencies, fixes #11162 (#11163) (#11235) @gnodet
• Fix StackOverflowError in parent POM resolution (backport #11106) (#11234) @gnodet
• Fix CI-friendly version processing with profile properties (fix #11196) (#11225) @gnodet
• Add phase upgrade support for Maven 4.1.0 model upgrades (#11226) @gnodet
• Fix GH-11199: Maven 4.0.0-rc-4 ignores defaultLogLevel (#11227) @gnodet
• Validate metaversions and detect extension conflicts (fixes #11181) (#11216) @cstamas
• Allow repository URL interpolation with improved validation (#11140) (#11210) @gnodet
• Improve mvn usage message (#11211) (#11213) @gnodet
• Enable the search for module-info.class file in the META-INF/versions/ sub-directories of a JAR file. (#11153) (#11206) @gnodet
• Fix #10939: DefaultModelXmlFactory: make location tracking opt-in—disabled by def… (#11092) @arturobernalg
• Fix #11000: fix help default text (#11099) @arturobernalg
• GH-10210: fix too eager decrypt of legacy passwords (#11138) (#11158) @cstamas
• #11055: Inject all services into mojos and enable easy real-session mojo testing (#11103) (#11139) @gnodet
• Fix ReactorReader to prefer consumer POMs over build POMs (#11107) (#11131) @gnodet
• model-builder: simplify subproject auto-discovery decision (#11124) (#11132) @gnodet
• Add missing equals and hashCode methods in modular Java path type. (#11130) @desruisseaux
• fix: include extension in equals/hashCode of DefaultArtifactCoordinates (#11101) @arturobernalg
• Fix #11127: enforce non-null keys for InputLocation lookups and document behavior (#11128) @gnodet
• Bug: bad cache isolation between two sessions (#11083) (#11085) @cstamas
• Fix targetPath parameter ignored in resource bundles (fixes #11062) (#11063) (#11080) @gnodet
• Maven Upgrade Tool: remove unused --force and --yes options (Fixes #11001) (#11066) (#11079) @gnodet
• Fix XMLReader#getURL and enable the unit test (#11069) (#11078) @gnodet
• [#11048] Fix race condition in MessageUtils (#11049) (#11077) @gnodet
• Uninterpolated repositories from parent POMs during model building (backport) (#11039) @cstamas
• Fix maven.mainClass property missing for external tools (#10998) (#11007) @gnodet
• Set Guice class loading to CHILD - avoid using terminally deprecated methods (#11002) @slawekjaranowski
• Avoid parsing MAVEN_OPTS (master/4.x) (#10970) (#10993) @gnodet
• Port the bug fixes identified when using that class in Maven clean and compiler plugin (#10935) (#10936) @gnodet
• Fix XmlNode.equals returning false between two different node implementations (#10942) @gnodet
• perf: optimize CompositeBeanHelper with reflection caching (#10927) @gnodet
• Expand value interning optimization and add configurable session property (#2495) (#10932) @gnodet
• Optimize validation performance with lazy SourceHint evaluation (#2518) (#10919) @gnodet
• Refactor setupContainer to validate ExtensionContext, test class and instance, and throw clear IllegalStateExceptions (#10901, fixes #10428) (#10918) @gnodet
• Bug fix in the default directory computed by DefaultSourceRoot. (#10912) (#10917) @gnodet
• Optimize XmlPlexusConfiguration for performance and thread safety (#2527) (#10916) @gnodet
• Fix mvnup tool issues #7934-#7938 (#9311) (#10915) @gnodet
• Fix #2486: Make Resource.addInclude() persist in project model (#2534) (#2565) @gnodet
• Fix MavenProject#getPlugin(String) performances (#2530) (#2573) @gnodet
• bug: fix duplicate dependency in effective model (fixes #2532) (#2554) (#2556) @gnodet
• Split system and user properties from maven.properties (#2547) @gnodet
• Fix ReactorReader incorrect warnings and logic (fixes #2497, #2498) (#2536) @gnodet
• Avoid double flush (#2478) (#2537) @gnodet
• Deduplicate filtered dependency graph (#2493) @alzimmermsft

👻 Maintenance

• Change IntelliJ icon to new oak leaf (#11407) @Bukama
• Fix IT isolation for MNG-6256 IT (#11395) (#11396) @cstamas
• Maven 4.0.x proper isolation (#11393) @cstamas
• [4.0.x] Consolidate caches (#11379) @cstamas
• Fix ITs (#11371) (#11372) @gnodet
• Mimir Cache-Purge w Pre-seed (#11315) (#11348) @cstamas
• Missed parts for Mimir update (#11312) (#11313) @cstamas
• Mimir 0.10.3 (#11291) (#11311) @cstamas
• Upgrade Mimir (#11274) (#11282) @cstamas
• Upgrade to spotless 3.0.0 and palantir 2.80.0 (#11275) (#11277) @gnodet
• Tidy up executor UTs (#11249) (#11262) @cstamas
• Sync GH workflow with master (#11221) @cstamas
• IT fixes (#11217) @cstamas
• Maven 4.0.x backport mimir (#11180) @cstamas
• commons-cli deprecations (#11170) (#11176) @cstamas
• Mimir updates (#11161) (#11166) @cstamas
• [[MNG-8696] - ](https://issues.apache.org/jira/browse/MNG-8696) - Hide the cache from DefaultDependencyResolverResult constructor (#11154) @desruisseaux
• Generating configuration documentation during site build (#10979) @slawekjaranowski
• Improvements in ITs executing - provide default local repo (#10963) @slawekjaranowski
• Backport: Fix build and Jenkinsfile (#10904) (#10905) @cstamas
• chore: remove unused managed dependency (#2570) (#2572) @gnodet
• Cleanups duplicate configs with new parent (#2567) @gnodet
• Update Maven version to 4.0.0-SNAPSHOT (#2513) @gnodet
• Update branch name for release-drafter in maven-4.0.x (#2503) @slawekjaranowski
• Execute GitHub action - Java CI on maven-4.0.x branch (#2504) @slawekjaranowski

🔧 Build

• Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#11332) @dependabot[bot]
• Bump actions/download-artifact from 5.0.0 to 6.0.0 (#11333) @dependabot[bot]
• Allow single build per branch or pull request (#11045) @slawekjaranowski
• Pin GitHub action versions by hash (#10902) @slawekjaranowski

📦 Dependency updates

• Bump net.sourceforge.pmd:pmd-core from 7.17.0 to 7.18.0 (#11377) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-testing from 1.7.0 to 2.0.1 (#11344) @dependabot[bot]
• Bump org.codehaus.mojo:extra-enforcer-rules from 1.10.0 to 1.11.0 (#11352) @dependabot[bot]
• Bump io.github.olamy.maven.plugins:jacoco-aggregator-maven-plugin from 1.0.3 to 1.0.4 (#11345) @dependabot[bot]
• Bump org.apache.maven.plugin-tools:maven-plugin-annotations from 3.15.1 to 3.15.2 (#11337) @dependabot[bot]
• Bump org.apache.maven.plugin-tools:maven-plugin-tools-java from 3.15.1 to 3.15.2 (#11338) @dependabot[bot]
• Bump xmlunitVersion from 2.10.4 to 2.11.0 (#11334) @dependabot[bot]
• Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 (#11296) @dependabot[bot]
• Bump org.codehaus.mojo:exec-maven-plugin from 3.6.1 to 3.6.2 (#11297) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-velocity from 2.2.1 to 2.3.0 (#11261) @dependabot[bot]
• Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.24.1 to 0.24.2 (#11271) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-testing from 1.6.1 to 1.7.0 (#11270) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-testing from 1.6.0 to 1.6.1 (#11260) @dependabot[bot]
• Bump org.apache.maven:maven-archiver from 3.6.4 to 3.6.5 (#11232) @dependabot[bot]
• Bump eu.maveniverse.maven.mimir:testing from 0.9.3 to 0.9.4 (#11233) @dependabot[bot]
• Bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (#11254) @dependabot[bot]
• Resolver 2.0.13 (#11137) (#11248) @cstamas
• Bump net.bytebuddy:byte-buddy from 1.17.7 to 1.17.8 (#11243) @dependabot[bot]
• Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.23.1 to 0.24.1 (#11208) @dependabot[bot]
• Bump asmVersion from 9.8 to 9.9 (#11204) @dependabot[bot]
• Bump org.codehaus.mojo:exec-maven-plugin from 3.5.1 to 3.6.1 (#11205) @dependabot[bot]
• Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 (#11192) @dependabot[bot]
• Bump actions/cache from 4.2.4 to 4.3.0 (#11173) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 (#11164) @dependabot[bot]
• Bump mockitoVersion from 5.19.0 to 5.20.0 (#11156) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#11149) @dependabot[bot]
• Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre (#11144) @dependabot[bot]
• Bump net.sourceforge.pmd:pmd-core from 7.16.0 to 7.17.0 (#11123) @dependabot[bot]
• Bump xmlunitVersion from 2.10.3 to 2.10.4 (#11122) @dependabot[bot]
• Resolver 2.0.11 (#11043) (#11115) @cstamas
• Bump jlineVersion from 3.30.5 to 3.30.6 (#11113) @dependabot[bot]
• Bump eu.maveniverse.maven.plugins:bom-builder3 from 1.2.1 to 1.3.0 (#11097) @dependabot[bot]
• Bump mockitoVersion from 5.18.0 to 5.19.0 (#11051) @dependabot[bot]
• Bump eu.maveniverse.maven.plugins:bom-builder3 from 1.2.0 to 1.2.1 (#11064) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-testing from 1.5.0 to 1.6.0 (#11057) @dependabot[bot]
• Bump net.bytebuddy:byte-buddy from 1.17.6 to 1.17.7 (#11053) @dependabot[bot]
• Bump org.apache.maven:maven-archiver from 3.6.3 to 3.6.4 (#11036) @dependabot[bot]
• Bump actions/cache from 4.2.3 to 4.2.4 (#11030) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#11034) @dependabot[bot]
• Bump jlineVersion from 3.30.4 to 3.30.5 (#11026) @dependabot[bot]
• Bump commons-cli:commons-cli from 1.9.0 to 1.10.0 (#11020) @dependabot[bot]
• Bump eu.maveniverse.maven.plugins:bom-builder3 from 1.1.1 to 1.2.0 (#11014) @dependabot[bot]
• Bump net.sourceforge.pmd:pmd-core from 7.15.0 to 7.16.0 (#11005) @dependabot[bot]
• Bump org.junit:junit-bom from 5.13.3 to 5.13.4 (#10989) @dependabot[bot]
• Bump org.junit.jupiter:junit-jupiter from 5.13.3 to 5.13.4 (#10988) @dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#10968) @dependabot[bot]
• Bump io.github.olamy.maven.plugins:jacoco-aggregator-maven-plugin from 1.0.2 to 1.0.3 (#10933) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-utils from 3.0.24 to 3.6.0 (#2563) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-component-annotations from 2.1.0 to 2.2.0 (#2560) @dependabot[bot]
• Bump com.google.jimfs:jimfs from 1.3.0 to 1.3.1 (#10911) @dependabot[bot]
• Bump org.junit.jupiter:junit-jupiter from 5.13.2 to 5.13.3 (#8716) @dependabot[bot]
• Bump org.junit:junit-bom from 5.13.2 to 5.13.3 (#8717) @dependabot[bot]
• Bump org.junit.jupiter:junit-jupiter from 5.13.1 to 5.13.2 (#2561) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 44 to 45 (#2552) @dependabot[bot]
• Bump net.sourceforge.pmd:pmd-core from 7.14.0 to 7.15.0 (#2553) @dependabot[bot]
• Bump org.junit:junit-bom from 5.13.1 to 5.13.2 (#2549) @dependabot[bot]
• Bump net.bytebuddy:byte-buddy from 1.17.5 to 1.17.6 (#2543) @dependabot[bot]
• Bump xmlunitVersion from 2.10.2 to 2.10.3 (#2542) @dependabot[bot]
• Bump resolverVersion from 2.0.9 to 2.0.10 (#2541) @dependabot[bot]