Update dependency sbt/sbt to v1.10.5 #37
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.2.6
->1.10.5
0.13.18
->1.10.5
Release Notes
sbt/sbt (sbt/sbt)
v1.10.5
Compare Source
v1.10.4
: 1.10.4Compare Source
updates and bug fixes
sbt new
fails to find template by @Friendseeker in https://github.com/sbt/sbt/pull/7835~
withGlobal / onChangedBuildSource := ReloadOnSourceChanges
by @Friendseeker in https://github.com/sbt/sbt/pull/7838behind the scene
DEVELOPING.md
by @Friendseeker in https://github.com/sbt/sbt/pull/7784TEST_SBT_VER
to 1.10.3 & remove unused CI variables by @Friendseeker in https://github.com/sbt/sbt/pull/7825.java-version
to not fix java version to 1.8 by @Friendseeker in https://github.com/sbt/sbt/pull/78273.27.1
by @Friendseeker in https://github.com/sbt/sbt/pull/7829Full Changelog: sbt/sbt@v1.10.3...v1.10.4
v1.10.3
: 1.10.3Compare Source
Protobuf with potential Denial of Service (CVE-2024-7254)
sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @gabrieljones and was fixed by Jerry Tan (@Friendseeker) in zinc#1443.
@adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @Friendseeker in https://github.com/sbt/sbt/pull/7746.
Reverting the invalidation of circular-dependent sources
sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.
There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after
clean
. The root cause of these bugs were identified by @smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @Friendseeker to be partial compilation of circular-dependent sources where two sourcesA.scala
andB.scala
use some constructs from each other.sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if
A.scala
was changed, it would immediately invalidateB.scala
. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@lihaoyi) in https://github.com/sbt/zinc/pull/1462.Improvement: ParallelGzipOutputStream
sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of
ParallelGzipOutputStream
, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that thescala.concurrent.Future
-based implementation gets stuck in a deadlock. @Ichoran and @Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.bug fixes and updates
sbt init
template deps by @xuwei-k in #7730behind the scene
System.runFinalization
by @Friendseeker in https://github.com/sbt/sbt/pull/7732Thread.getId
by @Friendseeker in https://github.com/sbt/sbt/pull/7733vscode-sbt-scala
from build.sbt by @Friendseeker in https://github.com/sbt/sbt/pull/7728Full Changelog: sbt/sbt@v1.10.2...v1.10.3
v1.10.2
: 1.10.2Compare Source
Changes with compatibility implications
_sbt2_3
suffix for sbt 2.x by @eed3si9n in https://github.com/sbt/sbt/pull/7671Updates and bug fixes
serverIdleTimeOut
toserverIdleTimeout
to match the variable name by @lervag in https://github.com/sbt/sbt/pull/7651scala.reflect.io.Streamable
by @rochala in https://github.com/sbt/zinc/pull/1395Optional
inter-project dependency in BSP by @adpi2 in https://github.com/sbt/sbt/pull/7568build.properties
by @invadergir in https://github.com/sbt/sbt/pull/7585scala-tools-releases
inrepositories
file blocking sbt from launching by @eed3si9n in https://github.com/sbt/launcher/pull/104ThreadDeath
for future JDK compatibility by @xuwei-k in https://github.com/sbt/sbt/pull/7652ZipError
for future JDK compatibility by @eed3si9n in https://github.com/sbt/zinc/pull/1393Behind the scenes
dependency-management/force-update-period
test (backport of #7538) by @adpi2 in https://github.com/sbt/sbt/pull/7567New contributors
Full Changelog: sbt/sbt@v1.10.0...v1.10.2
v1.10.1
: 1.10.1Compare Source
bug fixes and updates
expandMavenSettings
by @desbo in https://github.com/sbt/librarymanagement/pull/444Map
andLList
in sjson-new 0.10.1 by @steinybot + @eed3si9n in https://github.com/eed3si9n/sjson-new/pull/142forceUpdatePeriod
by @adpi2 in https://github.com/sbt/sbt/pull/7567Optional
inter-project dependencies by @adpi2 in https://github.com/sbt/sbt/pull/7568jcenter
andscala-tools-releases
entries in the~/.sbt/repositories
file by @eed3si9n in https://github.com/sbt/launcher/pull/104behind the scenes
Full Changelog: sbt/sbt@v1.10.0...v1.10.1
v1.10.0
: 1.10.0Compare Source
Changes with compatibility implications
scalaVersion
can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.SIP-51 Support for Scala 2.13 Evolution
Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:
Lukas has also contributed changes to sbt 1.10.0 to enforce stricter
scalaVersion
. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer thanscalaVersion
is found, it will fail the build as follows:When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):
Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected
scalaVersion
, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respectscalaVersion
to be the source-of-truth, but will reject bad ones at build time.This was contributed by Lukas Rytz in #7480.
Zinc fixes
IncOptions.useOptimizedSealed
not working for Scala 2.13 by @Friendseeker in zinc#1278ClassTag
instead ofManifest
by @xuwei-k in zinc#1265extraHash
to propagateTraitPrivateMembersModified
across external dependency by @Friendseeker in zinc#1289extraHash
computation by @Friendseeker in zinc#1290@inline
methods in Scala 2.x by @Friendseeker in zinc#1310-Xshow-phases
handling by @Friendseeker in zinc#1314ConsistentAnalysisFormat: new Zinc Analysis serialization
sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:
Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:
This was contributed by Stefan Zeiger at Databricks in zinc#1326.
New CommandProgress API
sbt 1.10.0 adds a new CommandProgress API.
This was contributed by Iulian Dragos at Gradle Inc in #7350.
Other updates
java.net.URL
constructor by @xuwei-k in #7398updateSbtClassifiers
task by @azdrojowa123 in #7437packageSrc
to includemanagedSources
by @Friendseeker in #7470publisher
setting by @Tammo0987 in #7475buildTarget/javacOptions
by @adpi2 in #7352noOp
field in the compile report by @adpi2 in #7496v1.9.9
: 1.9.9Compare Source
Bug fixes
console
task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502UnsatisfiedLinkError
withstat
, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in https://github.com/sbt/io/pull/367Full Changelog: sbt/sbt@v1.9.8...v1.9.9
v1.9.8
: 1.9.8Compare Source
updates
IO.getModifiedOrZero
on Alpine etc, by using clibstat()
instead of non-standard__xstat64
abi by @bratkartoffel in https://github.com/sbt/io/pull/362updateSbtClassifiers
not downloading sources https://github.com/sbt/sbt/pull/7437 by @azdrojowa123Full Changelog: sbt/sbt@v1.9.7...v1.9.8
v1.9.7
: 1.9.7Compare Source
Highlights
IO.unzip
. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.Zip Slip (arbitrary file write) vulnerability
See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.
Path traversal vulnerabilty was discovered in
IO.unzip
code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.Given a specially crafted zip or JAR file,
IO.unzip
allows writing of arbitrary file. The follow is an example of a malicious entry:When executed on some path with six levels,
IO.unzip
could then overwrite a file under/root/
. sbt main usesIO.unzip
only inpullRemoteCache
andResolvers.remote
, however, many projects useIO.unzip(...)
directly to implement custom tasks and tests.Non-determinism from AutoPlugins loading
We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.
Other updates and fixes
.sbtopts
support forsbt
runner script on Windows by @ptrdom in #7393scriptedSbt
key by @mdedetrich in #7383dependencyBrowseTree
log by @mkurz in #7396v1.9.6
: 1.9.6Compare Source
bug fix
Full Changelog: sbt/sbt@v1.9.5...v1.9.6
v1.9.5
: 1.9.5Compare Source
Update:⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704
highlights
-X
is passed toscalacOptions
zinc#1246 by @unkarjedyother updates
NumberFormatException
inCrossVersionUtil.binaryScalaVersion
lm#426 by @HelloKunalscripted
client/server instability on Windows #7087 by @mdedetrichsbt
launcher script bug on Windows #7365 by @JD557help
command on oldshell #7358 by @azdrojowa123allModuleReports
toUpdateReport
lm#428 by @mdedetrichnew contributors
Full Changelog: sbt/sbt@v1.9.4...v1.9.5
v1.9.4
: 1.9.4Compare Source
CVE-2022-46751
CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.
With coordination with Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.
Other updates
sbt_script
lookup by replacing all spaces with%20
(not only the first one) in the path. by @arturaz in https://github.com/sbt/sbt/pull/7349conscriptConfigs
task, not used and needed(?) anymore by @mkurz in https://github.com/sbt/sbt/pull/7353sbt new
menu by @SethTisue in https://github.com/sbt/sbt/pull/7354new contributors
Full Changelog: sbt/sbt@v1.9.3...v1.9.4
v1.9.3
: 1.9.3Compare Source
Actionable diagnostics (aka quickfix)
Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.
sbt 1.9.3 adds a new interface called
AnalysisCallback2
to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with-deprecation
flag.This was contributed by Eugene Yokota (@eed3si9n) in zinc#1226. Special thanks to @lrytz for identifying this issue in zinc#1214.
other updates
Full Changelog: sbt/sbt@v1.9.2...v1.9.3
v1.9.2
: 1.9.2Compare Source
Fix
++
fall back to a bincompat Scala version by @eed3si9n in https://github.com/sbt/sbt/pull/7328Full Changelog: sbt/sbt@v1.9.1...v1.9.2
v1.9.1
: 1.9.1Compare Source
Change to Scala CLA
sbt 1.9.1 is the first release of sbt after changing to Scala CLA in #7306 etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would tranfer to Scala Center, a non-profit organization. sbt and its subcompoments, including Zinc, will remain available under Apache v2 license.
Updates
publish / skip
is settrue
by @adpi2 in #7295sbtPluginPublishLegacyMavenStyle := false
by @adpi2 in #7286sbt console
being slow by @andrzejressel in #7280exportPipelining
key by @alexklibisz in #7291dependencyBrowseGraph
anddependencyDot
render in color by @sideeffffect in #7301. This can be opted-out usingdependencyDotNodeColors
setting.sbt new
default menu by @katlasik in #7300sbt new
default menu extensible viatemplateDescriptions
setting key andtemplateRunLocal
input key by @eed3si9n in #7304semanticdbVersion
to 4.7.8 by @ckipp01 in #7294Behind the scene
@tailrec
annotation by @xuwei-k in zinc#1209DEVELOPING.md
by @dongxuwang in #7299java.net.URL
constructor by @xuwei-k in #7315filter
towithFilter
where possible by @xuwei-k in #7317new contributors
Full Changelog: sbt/sbt@v1.9.0...v1.9.1
v1.9.0
: 1.9.0Compare Source
Changes with compatibility implications
IntegrationTest
configuration. See below.Deprecation of IntegrationTest configuration
sbt 1.9.0 deprecates
IntegrationTest
configuration. (RFC-3 proposes to deprecate general use of configuration axis beyondCompile
andTest
, and this is the first installment of the change.)The recommended migration path is to create a subproject named "integration", or "foo-integration" etc.
From the shell you can run:
Assuming these are slow tests compared to the regular tests, I might not aggregate them at all from other subprojects, and maybe only run it on CI, but it's up to you.
Why deprecate
IntegrationTest
?IntegrationTest
was a demoware for the idea of custom configuration axis, and now that we are planning to deprecate the mechanism to simplify sbt, we wanted to stop advertising it. We won't remove it during sbt 1.x series, but deprecation signals the non-recommendation status.This was contributed by @eed3si9n and @mdedetrich in [lm#414][lm414]/[#7261][7261].
POM consistency of sbt plugin publishing
sbt 1.9.0 publishes sbt plugin to Maven repository in a POM-consistent way. sbt has been publishing POM file of sbt plugins as
sbt-something-1.2.3.pom
even though the artifact URL is suffixed assbt-something_2.12_1.0
. This allowed "sbt-something" to be registered by Maven Central, allowing search. However, as more plugins moved to Maven Central, it was considered that keeping POM consisntency rule was more important, especially for corporate repositories to proxy them.sbt 1.9.0 will publish using both the conventional POM-inconsistent style and POM-consistent style so prior sbt releases can still consume the plugin. However, this can be opted-out using
sbtPluginPublishLegacyMavenStyle
setting.This fix was contributed by Adrien Piquerez (@adpi2) at Scala Center in [coursier#2633][coursier2633], [sbt#7096][7096] etc. Special thanks to William Narmontas ([@ScalaWilliam][@ScalaWilliam]) and Wudong Liu ([@wudong][@wudong]) whose experimental plugin sbt-vspp paved the way for this feature.
sbt new
, a text-based adventuresbt 1.9.0 adds text-based menu when
sbt new
orsbt init
is called without arguments:Unlike Giter8,
.local
template createsbuild.sbt
etc in the current directory, and reboots into an sbt session.This was contributed by Eugene Yokota (@eed3si9n) in [#7228][7228].
Actionable diagnostics steps
sbt 1.9.0 adds
actions
toProblem
, allowing the compiler to suggest code edits as part of the compiler warnings and errors in a structual manner.See Roadmap for actionable diagnostics for more details. The changes were contributed by @ckipp01 in #7242 and @eed3si9n in bsp#527/#7251/zinc#1186 etc.
releaseNotesURL
settingsbt 1.9.0 adds
releaseNotesURL
setting, which createsinfo.releaseNotesUrl
property in the POM file. This will then be used by Scala Steward. SeeAdd release notes URLs to your POMs for details.
This was contributed by Arman Bilge in [lm#410][lm410].
Other updates
libraryDependencySchemes
not overridingassumedVersionScheme
[lm#415][lm415] by [@adriaanm][@adriaanm]RunProfiler
available by [@dragos][@dragos] in [#7215][7215]publishLocal / skip
work by @mdedetrich in [#7165][7165]-Vdebug
by [@som-snytt][@som-snytt] in [zinc#1141][zinc1141]settings.xml
properties expansion by [@nrinaudo][@nrinaudo] in [lm#413][lm413]FileFilter.nothing
andFileFilter.everything
by @mdedetrich in [io#340][io340]Resolver.ApacheMavenSnapshotsRepo
by @mdedetrichjava.net.URL
constructor by @xuwei-k in [io#341][io341]LoggerContext
andTerminal
by @adpi2 in [#7191][7191]ClassFileManager
fromIncOptions
inIncremental.prune
by @lrytz in [zinc1148][zinc1148]Problem#diagnosticRelatedInforamation
by @ckipp01 in [#RConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.