Update dependency sbt/sbt to v1.10.7 #93
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.6.2
->1.10.7
Release Notes
sbt/sbt (sbt/sbt)
v1.10.7
: 1.10.7Compare Source
🚀 features and other updates
--allow-empty
by @eed3si9n in https://github.com/sbt/sbt/pull/7966Build directory detection
Starting 1.10.7, the
sbt
runner script enables build directory detection by default. This means that thesbt
will exit with error when launched in a directory withoutbuild.sbt
orproject/
, with exceptions ofsbt new
,sbt --script-version
etc.To override this behavior temporarily, you can use
--allow-empty
flag. To permanently opt out of the build directory detection, create$XDG_CONFIG_HOME/sbt/sbtopts
with--allow-empty
in it.csrMavenDependencyOverride setting
sbt 1.10.7 updates Coursier to 2.1.11. sbt 1.10.7 also adds a new setting
csrMavenDependencyOverride
(default:false
), which controls the resolution, which respects Maven dependency override mechanism, also known as bill-of-materials (BOM) POM. Since there is a performance regression in the new resolver, we are setting the default tofalse
.🐛 bug fixes
csrMavenDependencyOverride
to opt into bill-of-material (BOM) respecting Coursier resolution by @eed3si9n in https://github.com/sbt/sbt/pull/79709a88bc4
and Jansi to 2.4.1, which fixes crash on Windows on ARM by @Friendseeker in https://github.com/sbt/sbt/pull/7952🎬 behind the scene
1.10.7
by @Friendseeker in https://github.com/sbt/sbt/pull/7957Full Changelog: sbt/sbt@v1.10.6...v1.10.7
v1.10.6
: 1.10.6Compare Source
change with compatibility implication
bug fixes and updates
run
task due to bgRun delegation by @Friendseeker in https://github.com/sbt/sbt/pull/7916sbt --client
support on openSUSE by @Androz2091 in https://github.com/sbt/sbt/pull/7895dependencyTree
console output by @Friendseeker in https://github.com/sbt/sbt/pull/7906java.awt.Desktop.browse()
duringdependencyBrowseTree
by @Friendseeker in https://github.com/sbt/sbt/pull/7905useConsistent
tostaticCachedStore
by @Friendseeker in https://github.com/sbt/sbt/pull/7869ConsistentAnalysisFormat
by @Friendseeker in https://github.com/sbt/zinc/pull/1479clean
clearspreviousCompile
by @Friendseeker in https://github.com/sbt/zinc/pull/1487 / https://github.com/sbt/sbt/pull/7922behind the scene
org.fusesource.jansi
by @Friendseeker in https://github.com/sbt/sbt/pull/78761.10.6
by @Friendseeker in https://github.com/sbt/sbt/pull/78718
by @Friendseeker in https://github.com/sbt/sbt/pull/7897sbt.TagsTest
by @Friendseeker in https://github.com/sbt/sbt/pull/7919loading settings for project
by @Friendseeker in https://github.com/sbt/sbt/pull/7909dependencyBrowseGraphTarget
,dependencyBrowseTreeTarget
by @Friendseeker in https://github.com/sbt/sbt/pull/7904new contributors
Full Changelog: sbt/sbt@v1.10.5...v1.10.6
v1.10.5
: 1.10.5Compare Source
updates
1
when on error by @Friendseeker in https://github.com/sbt/sbt/pull/7854++
with a command argument with slash by @eed3si9n in https://github.com/sbt/sbt/pull/7862behind the scene
System.console == null
by @Friendseeker in https://github.com/sbt/sbt/pull/78431.10.5
by @Friendseeker in https://github.com/sbt/sbt/pull/7840Full Changelog: sbt/sbt@v1.10.4...v1.10.5
v1.10.4
: 1.10.4Compare Source
updates and bug fixes
sbt new
fails to find template by @Friendseeker in https://github.com/sbt/sbt/pull/7835~
withGlobal / onChangedBuildSource := ReloadOnSourceChanges
by @Friendseeker in https://github.com/sbt/sbt/pull/7838behind the scene
DEVELOPING.md
by @Friendseeker in https://github.com/sbt/sbt/pull/7784TEST_SBT_VER
to 1.10.3 & remove unused CI variables by @Friendseeker in https://github.com/sbt/sbt/pull/7825.java-version
to not fix java version to 1.8 by @Friendseeker in https://github.com/sbt/sbt/pull/78273.27.1
by @Friendseeker in https://github.com/sbt/sbt/pull/7829Full Changelog: sbt/sbt@v1.10.3...v1.10.4
v1.10.3
: 1.10.3Compare Source
Protobuf with potential Denial of Service (CVE-2024-7254)
sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @gabrieljones and was fixed by Jerry Tan (@Friendseeker) in zinc#1443.
@adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @Friendseeker in https://github.com/sbt/sbt/pull/7746.
Reverting the invalidation of circular-dependent sources
sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.
There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after
clean
. The root cause of these bugs were identified by @smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @Friendseeker to be partial compilation of circular-dependent sources where two sourcesA.scala
andB.scala
use some constructs from each other.sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if
A.scala
was changed, it would immediately invalidateB.scala
. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@lihaoyi) in https://github.com/sbt/zinc/pull/1462.Improvement: ParallelGzipOutputStream
sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of
ParallelGzipOutputStream
, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that thescala.concurrent.Future
-based implementation gets stuck in a deadlock. @Ichoran and @Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.bug fixes and updates
sbt init
template deps by @xuwei-k in #7730behind the scene
System.runFinalization
by @Friendseeker in https://github.com/sbt/sbt/pull/7732Thread.getId
by @Friendseeker in https://github.com/sbt/sbt/pull/7733vscode-sbt-scala
from build.sbt by @Friendseeker in https://github.com/sbt/sbt/pull/7728Full Changelog: sbt/sbt@v1.10.2...v1.10.3
v1.10.2
: 1.10.2Compare Source
Changes with compatibility implications
_sbt2_3
suffix for sbt 2.x by @eed3si9n in https://github.com/sbt/sbt/pull/7671Updates and bug fixes
serverIdleTimeOut
toserverIdleTimeout
to match the variable name by @lervag in https://github.com/sbt/sbt/pull/7651scala.reflect.io.Streamable
by @rochala in https://github.com/sbt/zinc/pull/1395Optional
inter-project dependency in BSP by @adpi2 in https://github.com/sbt/sbt/pull/7568build.properties
by @invadergir in https://github.com/sbt/sbt/pull/7585scala-tools-releases
inrepositories
file blocking sbt from launching by @eed3si9n in https://github.com/sbt/launcher/pull/104ThreadDeath
for future JDK compatibility by @xuwei-k in https://github.com/sbt/sbt/pull/7652ZipError
for future JDK compatibility by @eed3si9n in https://github.com/sbt/zinc/pull/1393Behind the scenes
dependency-management/force-update-period
test (backport of #7538) by @adpi2 in https://github.com/sbt/sbt/pull/7567New contributors
Full Changelog: sbt/sbt@v1.10.0...v1.10.2
v1.10.1
: 1.10.1Compare Source
bug fixes and updates
expandMavenSettings
by @desbo in https://github.com/sbt/librarymanagement/pull/444Map
andLList
in sjson-new 0.10.1 by @steinybot + @eed3si9n in https://github.com/eed3si9n/sjson-new/pull/142forceUpdatePeriod
by @adpi2 in https://github.com/sbt/sbt/pull/7567Optional
inter-project dependencies by @adpi2 in https://github.com/sbt/sbt/pull/7568jcenter
andscala-tools-releases
entries in the~/.sbt/repositories
file by @eed3si9n in https://github.com/sbt/launcher/pull/104behind the scenes
Full Changelog: sbt/sbt@v1.10.0...v1.10.1
v1.10.0
: 1.10.0Compare Source
Changes with compatibility implications
scalaVersion
can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.SIP-51 Support for Scala 2.13 Evolution
Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:
Lukas has also contributed changes to sbt 1.10.0 to enforce stricter
scalaVersion
. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer thanscalaVersion
is found, it will fail the build as follows:When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):
Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected
scalaVersion
, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respectscalaVersion
to be the source-of-truth, but will reject bad ones at build time.This was contributed by Lukas Rytz in #7480.
Zinc fixes
IncOptions.useOptimizedSealed
not working for Scala 2.13 by @Friendseeker in zinc#1278ClassTag
instead ofManifest
by @xuwei-k in zinc#1265extraHash
to propagateTraitPrivateMembersModified
across external dependency by @Friendseeker in zinc#1289extraHash
computation by @Friendseeker in zinc#1290@inline
methods in Scala 2.x by @Friendseeker in zinc#1310-Xshow-phases
handling by @Friendseeker in zinc#1314ConsistentAnalysisFormat: new Zinc Analysis serialization
sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:
Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:
This was contributed by Stefan Zeiger at Databricks in zinc#1326.
New CommandProgress API
sbt 1.10.0 adds a new CommandProgress API.
This was contributed by Iulian Dragos at Gradle Inc in #7350.
Other updates
java.net.URL
constructor by @xuwei-k in #7398updateSbtClassifiers
task by @azdrojowa123 in #7437packageSrc
to includemanagedSources
by @Friendseeker in #7470publisher
setting by @Tammo0987 in #7475buildTarget/javacOptions
by @adpi2 in #7352noOp
field in the compile report by @adpi2 in #7496v1.9.9
: 1.9.9Compare Source
Bug fixes
console
task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502UnsatisfiedLinkError
withstat
, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in https://github.com/sbt/io/pull/367Full Changelog: sbt/sbt@v1.9.8...v1.9.9
v1.9.8
: 1.9.8Compare Source
updates
IO.getModifiedOrZero
on Alpine etc, by using clibstat()
instead of non-standard__xstat64
abi by @bratkartoffel in https://github.com/sbt/io/pull/362updateSbtClassifiers
not downloading sources https://github.com/sbt/sbt/pull/7437 by @azdrojowa123Full Changelog: sbt/sbt@v1.9.7...v1.9.8
v1.9.7
: 1.9.7Compare Source
Highlights
IO.unzip
. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.Zip Slip (arbitrary file write) vulnerability
See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.
Path traversal vulnerabilty was discovered in
IO.unzip
code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.Given a specially crafted zip or JAR file,
IO.unzip
allows writing of arbitrary file. The follow is an example of a malicious entry:When executed on some path with six levels,
IO.unzip
could then overwrite a file under/root/
. sbt main usesIO.unzip
only inpullRemoteCache
andResolvers.remote
, however, many projects useIO.unzip(...)
directly to implement custom tasks and tests.Non-determinism from AutoPlugins loading
We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.
Other updates and fixes
.sbtopts
support forsbt
runner script on Windows by @ptrdom in #7393scriptedSbt
key by @mdedetrich in #7383dependencyBrowseTree
log by @mkurz in #7396v1.9.6
: 1.9.6Compare Source
bug fix
Full Changelog: sbt/sbt@v1.9.5...v1.9.6
v1.9.5
: 1.9.5Compare Source
Update:⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704
highlights
-X
is passed toscalacOptions
zinc#1246 by @unkarjedyother updates
NumberFormatException
inCrossVersionUtil.binaryScalaVersion
lm#426 by @HelloKunalscripted
client/server instability on Windows #7087 by @mdedetrichsbt
launcher script bug on Windows #7365 by @JD557help
command on oldshell #7358 by @azdrojowa123allModuleReports
toUpdateReport
lm#428 by @mdedetrichnew contributors
Full Changelog: sbt/sbt@v1.9.4...v1.9.5
v1.9.4
: 1.9.4Compare Source
CVE-2022-46751
CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.
With coordination with Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.
Other updates
sbt_script
lookup by replacing all spaces with%20
(not only the first one) in the path. by @arturaz in https://github.com/sbt/sbt/pull/7349conscriptConfigs
task, not used and needed(?) anymore by @mkurz in https://github.com/sbt/sbt/pull/7353sbt new
menu by @SethTisue in https://github.com/sbt/sbt/pull/7354new contributors
Full Changelog: sbt/sbt@v1.9.3...v1.9.4
v1.9.3
: 1.9.3Compare Source
Actionable diagnostics (aka quickfix)
Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.
sbt 1.9.3 adds a new interface called
AnalysisCallback2
to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with-deprecation
flag.This was contributed by Eugene Yokota (@eed3si9n) in zinc#1226. Special thanks to @lrytz for identifying this issue in zinc#1214.
other updates
Full Changelog: sbt/sbt@v1.9.2...v1.9.3
v1.9.2
: 1.9.2Compare Source
Fix
++
fall back to a bincompat Scala version by @eed3si9n in https://github.com/sbt/sbt/pull/7328Full Changelog: sbt/sbt@v1.9.1...v1.9.2
v1.9.1
: 1.9.1Compare Source
Change to Scala CLA
sbt 1.9.1 is the first release of sbt after changing to Scala CLA in [#7306][7306] etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would tranfer to Scala Center, a non-profit organization. sbt and its subcompoments, including Zinc, will remain available under Apache v2 license.
Updates
publish / skip
is settrue
by @adpi2 in [#7295][7295]sbtPluginPublishLegacyMavenStyle := false
by @adpi2 in [#7286][7286]sbt console
being slow by [@andrzejressel][@andrzejressel] in [#7280][7280]exportPipelining
key by [@alexklibisz][@alexklibisz] in [#7291][7291]dependencyBrowseGraph
anddependencyDot
render in color by [@sideeffffect][@sideeffffect] in [#7301][7301]. This can be opted-out usingdependencyDotNodeColors
setting.sbt new
default menu by [@katlasik][@katlasik] in [#7300][7300]sbt new
default menu extensible viatemplateDescriptions
setting key andtemplateRunLocal
input key by @eed3si9n in [#7304][7304]semanticdbVersion
to 4.7.8 by @ckipp01 in [#7294][7294]Behind the scene
@tailrec
annotation by @xuwei-k in [zinc#1209][zinc1209]DEVELOPING.md
by [@dongxuwang][@dongxuwang] in [#7299][7299]java.net.URL
constructor by @xuwei-k in [#7315][7315]filter
towithFilter
where possible by @xuwei-k in [#7317][7317]new contributors
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.