Update dependency sbt/sbt to v1.9.9 - autoclosed #36
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.2.6
->1.9.9
0.13.18
->1.9.9
Release Notes
sbt/sbt (sbt/sbt)
v1.9.9
: 1.9.9Compare Source
Bug fixes
console
task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502UnsatisfiedLinkError
withstat
, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in https://github.com/sbt/io/pull/367Full Changelog: sbt/sbt@v1.9.8...v1.9.9
v1.9.8
: 1.9.8Compare Source
updates
IO.getModifiedOrZero
on Alpine etc, by using clibstat()
instead of non-standard__xstat64
abi by @bratkartoffel in https://github.com/sbt/io/pull/362updateSbtClassifiers
not downloading sources https://github.com/sbt/sbt/pull/7437 by @azdrojowa123Full Changelog: sbt/sbt@v1.9.7...v1.9.8
v1.9.7
: 1.9.7Compare Source
Highlights
IO.unzip
. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.Zip Slip (arbitrary file write) vulnerability
See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.
Path traversal vulnerabilty was discovered in
IO.unzip
code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.Given a specially crafted zip or JAR file,
IO.unzip
allows writing of arbitrary file. The follow is an example of a malicious entry:When executed on some path with six levels,
IO.unzip
could then overwrite a file under/root/
. sbt main usesIO.unzip
only inpullRemoteCache
andResolvers.remote
, however, many projects useIO.unzip(...)
directly to implement custom tasks and tests.Non-determinism from AutoPlugins loading
We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.
Other updates and fixes
.sbtopts
support forsbt
runner script on Windows by @ptrdom in #7393scriptedSbt
key by @mdedetrich in #7383dependencyBrowseTree
log by @mkurz in #7396v1.9.6
: 1.9.6Compare Source
bug fix
Full Changelog: sbt/sbt@v1.9.5...v1.9.6
v1.9.5
: 1.9.5Compare Source
Update:⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704
highlights
-X
is passed toscalacOptions
zinc#1246 by @unkarjedyother updates
NumberFormatException
inCrossVersionUtil.binaryScalaVersion
lm#426 by @HelloKunalscripted
client/server instability on Windows #7087 by @mdedetrichsbt
launcher script bug on Windows #7365 by @JD557help
command on oldshell #7358 by @azdrojowa123allModuleReports
toUpdateReport
lm#428 by @mdedetrichnew contributors
Full Changelog: sbt/sbt@v1.9.4...v1.9.5
v1.9.4
: 1.9.4Compare Source
CVE-2022-46751
CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.
With coordination with Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.
Other updates
sbt_script
lookup by replacing all spaces with%20
(not only the first one) in the path. by @arturaz in https://github.com/sbt/sbt/pull/7349conscriptConfigs
task, not used and needed(?) anymore by @mkurz in https://github.com/sbt/sbt/pull/7353sbt new
menu by @SethTisue in https://github.com/sbt/sbt/pull/7354new contributors
Full Changelog: sbt/sbt@v1.9.3...v1.9.4
v1.9.3
: 1.9.3Compare Source
Actionable diagnostics (aka quickfix)
Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.
sbt 1.9.3 adds a new interface called
AnalysisCallback2
to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with-deprecation
flag.This was contributed by Eugene Yokota (@eed3si9n) in zinc#1226. Special thanks to @lrytz for identifying this issue in zinc#1214.
other updates
Full Changelog: sbt/sbt@v1.9.2...v1.9.3
v1.9.2
: 1.9.2Compare Source
Fix
++
fall back to a bincompat Scala version by @eed3si9n in https://github.com/sbt/sbt/pull/7328Full Changelog: sbt/sbt@v1.9.1...v1.9.2
v1.9.1
: 1.9.1Compare Source
Change to Scala CLA
sbt 1.9.1 is the first release of sbt after changing to Scala CLA in #7306 etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would tranfer to Scala Center, a non-profit organization. sbt and its subcompoments, including Zinc, will remain available under Apache v2 license.
Updates
publish / skip
is settrue
by @adpi2 in #7295sbtPluginPublishLegacyMavenStyle := false
by @adpi2 in #7286sbt console
being slow by @andrzejressel in #7280exportPipelining
key by @alexklibisz in #7291dependencyBrowseGraph
anddependencyDot
render in color by @sideeffffect in #7301. This can be opted-out usingdependencyDotNodeColors
setting.sbt new
default menu by @katlasik in #7300sbt new
default menu extensible viatemplateDescriptions
setting key andtemplateRunLocal
input key by @eed3si9n in #7304semanticdbVersion
to 4.7.8 by @ckipp01 in #7294Behind the scene
@tailrec
annotation by @xuwei-k in zinc#1209DEVELOPING.md
by @dongxuwang in #7299java.net.URL
constructor by @xuwei-k in #7315filter
towithFilter
where possible by @xuwei-k in #7317new contributors
Full Changelog: sbt/sbt@v1.9.0...v1.9.1
v1.9.0
: 1.9.0Compare Source
Changes with compatibility implications
IntegrationTest
configuration. See below.Deprecation of IntegrationTest configuration
sbt 1.9.0 deprecates
IntegrationTest
configuration. (RFC-3 proposes to deprecate general use of configuration axis beyondCompile
andTest
, and this is the first installment of the change.)The recommended migration path is to create a subproject named "integration", or "foo-integration" etc.
From the shell you can run:
Assuming these are slow tests compared to the regular tests, I might not aggregate them at all from other subprojects, and maybe only run it on CI, but it's up to you.
Why deprecate
IntegrationTest
?IntegrationTest
was a demoware for the idea of custom configuration axis, and now that we are planning to deprecate the mechanism to simplify sbt, we wanted to stop advertising it. We won't remove it during sbt 1.x series, but deprecation signals the non-recommendation status.This was contributed by @eed3si9n and @mdedetrich in lm#414/#7261.
POM consistency of sbt plugin publishing
sbt 1.9.0 publishes sbt plugin to Maven repository in a POM-consistent way. sbt has been publishing POM file of sbt plugins as
sbt-something-1.2.3.pom
even though the artifact URL is suffixed assbt-something_2.12_1.0
. This allowed "sbt-something" to be registered by Maven Central, allowing search. However, as more plugins moved to Maven Central, it was considered that keeping POM consisntency rule was more important, especially for corporate repositories to proxy them.sbt 1.9.0 will publish using both the conventional POM-inconsistent style and POM-consistent style so prior sbt releases can still consume the plugin. However, this can be opted-out using
sbtPluginPublishLegacyMavenStyle
setting.This fix was contributed by Adrien Piquerez (@adpi2) at Scala Center in coursier#2633, sbt#7096 etc. Special thanks to William Narmontas (@ScalaWilliam) and Wudong Liu (@wudong) whose experimental plugin sbt-vspp paved the way for this feature.
sbt new
, a text-based adventuresbt 1.9.0 adds text-based menu when
sbt new
orsbt init
is called without arguments:Unlike Giter8,
.local
template createsbuild.sbt
etc in the current directory, and reboots into an sbt session.This was contributed by Eugene Yokota (@eed3si9n) in #7228.
Actionable diagnostics steps
sbt 1.9.0 adds
actions
toProblem
, allowing the compiler to suggest code edits as part of the compiler warnings and errors in a structual manner.See Roadmap for actionable diagnostics for more details. The changes were contributed by @ckipp01 in #7242 and @eed3si9n in bsp#527/#7251/zinc#1186 etc.
releaseNotesURL
settingsbt 1.9.0 adds
releaseNotesURL
setting, which createsinfo.releaseNotesUrl
property in the POM file. This will then be used by Scala Steward. SeeAdd release notes URLs to your POMs for details.
This was contributed by Arman Bilge in lm#410.
Other updates
libraryDependencySchemes
not overridingassumedVersionScheme
lm#415 by @adriaanmRunProfiler
available by @dragos in #7215publishLocal / skip
work by @mdedetrich in #7165-Vdebug
by @som-snytt in zinc#1141settings.xml
properties expansion by @nrinaudo in lm#413FileFilter.nothing
andFileFilter.everything
by @mdedetrich in io#340Resolver.ApacheMavenSnapshotsRepo
by @mdedetrichjava.net.URL
constructor by @xuwei-k in io#341LoggerContext
andTerminal
by @adpi2 in #7191ClassFileManager
fromIncOptions
inIncremental.prune
by @lrytz in zinc1148Problem#diagnosticRelatedInforamation
by @ckipp01 in #7241Behind the scene
sonatypeOssRepos
instead ofsonatypeRepo
by @yoshinorin in #7227v1.8.3
: 1.8.3Compare Source
Security fix
sbt.io.IO.withTemporaryFile
not limiting access on Unix-like systems in io#344/zinc#1185 by @eed3si9nIO.withTemporaryFile fix
sbt 1.8.3 fixes
sbt.io.IO.withTemporaryFile
etc not limiting access on Unix-like systems. Prior to this patch release, some functions were usingjava.io.File.createTempFile
, which does not set strict file permissions, as opposed to the NIO-equivalent that does.This means that on a shared Unix-like systems, build user or plugin's use of
sbt.io.IO.withTemporaryFile
etc would have exposed the information to other users.This issue was reported by Oleksandr Zolotko at IBM, and was fixed by Eugene Yokota (@eed3si9n) in io#344/zinc#1185.
Other updates
sbt 1.8.3 backports Zinc and IO fixes from 1.9.0-RC2 as well.
-Vdebug
by @som-snytt in zinc#1141java.net.URL
constructor by @xuwei-k in io#341ClassFileManager
fromIncOptions
inIncremental.prune
by @lrytz in zinc1148FileFilter.nothing
andFileFilter.everything
by @mdedetrich in io#340v1.8.2
: 1.8.2Compare Source
updates
v1.8.1
: 1.8.1Compare Source
Bug fixes
PATH
environment variable case insensitive by #7085 by @dos65Updates
New Contributors
Full Changelog: sbt/sbt@v1.8.0...v1.8.1
v1.8.0
: 1.8.0Compare Source
Security fixes
Changes with compatibility implications
Bug fixes
Other updates
-Dsbt.argsfile=false
orSBT_ARGSFILE
environment variable) #7010 by @easelbuildTarget/outputPaths
method of Build Server Protocol. #6985 by @povderNew Contributors
Full Changelog: sbt/sbt@v1.7.1...v1.8.0
v1.7.3
: 1.7.3Compare Source
updates
new contributors
Full Changelog: sbt/sbt@v1.7.2...v1.7.3
v1.7.2
: 1.7.2Compare Source
See https://github.com/sbt/sbt/releases/tag/v1.7.0 for the details on sbt 1.7.x.
testQuick
task #6903 by @gontard/tmp/.sbt/
collision for domain socket #7041 by @eed3si9ndependencyBrowseGraph
with sometimes missing node #6978 by @frosforeversbt new
by default to use Giter8 0.15.0 #7038 by @eed3si9ndiagnosticCode
anddiagnosticRelatedInforamation
(sic) toInterfaceUtil.problem(...)
#7006 by @ckipp01diagnosticCode
to BSP #6998 by @ckipp01v1.7.1
: 1.7.1Compare Source
See https://github.com/sbt/sbt/releases/tag/v1.7.0 for the details on sbt 1.7.x.
Bug fix
Full Changelog: sbt/sbt@v1.7.0...v1.7.1
v1.7.0
: 1.7.0Compare Source
Changes with compatibility implications
++
is stricter. See below.XDG_RUNTIME_DIR
and/tmp
#6887 by @AlonsoM45Resolver.sonatypeRepo
and addsResolver.sonatypeOssRepos
, which includes https://s01.oss.sonatype.org/ by @armanbilge in lm#393++
command updatesPrior to sbt 1.7
++ <sv> <command1>
filtered subprojects usingcrossScalaVersions
having the same ABI suffix as<sv>
. This behavior was generally not well understood, and also created incorrect result for Scala 3.x since++ 3.0.1 test
could downgrade subproject that may require 3.1 or above.sbt 1.7.0 fixes this by requiring
++ <sv> <command1>
so<sv>
part can be given as a semantic version selector expression, such as3.1.x
or2.13.x
. Note that the expression may match at most one Scala version to switch into. In sbt 1.7.0, a concrete version such as++ 3.0.1
equires exact version to be present incrossScalaVersion
.This contribution was a collaborated effort among Arnout Engelen #6894, Rui Gonçalves lm#400, and Eugene Yokota.
Scala 3 compiler error improvements
In zinc#1082, Toshiyuki Takahashi contributed a fix to ignore
Problem#rendered
passed from the compiler when sbt uses position mapper to transform the position. This is aimed at fixing the error reporting for Play on Scala 3.In #6874, Chris Kipp extended
xsbti.Problem
to track richer information available in Scala 3. This is aimed at enhancing the compilation errors reported to BSP client such as Metals.BSP updates
build/publishDiagnostics
in BSP #6847/#6929 by @tanishiking and @kpodsiadOther updates
/tmp
ipc#23 by @eed3si9n-a="b c"
pattern #6816 by @Nirvikalpa108ThisBuild / includePluginResolvers
#6849 by @bjaglinproxyInputStream#available
, which affected sbt-sitepreviewSite
#6965 by @eed3si9nv1.6.2
: 1.6.2Compare Source
readLine
catchingInterruptedException
#6803 by @tpetillotsbt --help
by removing unimplemented-S-X
option #6799 by @Nirvikalpa108License
sbt 1.6.2 adds
License
object that defines predefined license values:Predefined values are
License.Apache2
,License.MIT
,License.CC0
, andLicense.GPL3_or_later
. lm#395 by @eed3si9nv1.6.1
: 1.6.1Compare Source
v1.6.0
: 1.6.0Compare Source
Changes with compatibility implications
build.sbt
is updated to Scala 2.12.15, which improves the compatibility with JDK 17+. The metabuild is compiled with-Xsource:3
flag #6664 by @Nirvikalpa108 + @eed3si9nsbt.TrapExit
is dropped due to Security Manager being deprecated in JDK 17. Callingsys.exit
inrun
ortest
would shutdown the sbt session. Use forking to prevent it #6665 by @eed3si9nSBT_CREDENTIALS
environment variable, following sbt launcher #6724 by @daddykotexBSP improvements
.sbtopts
not getting picked up when sbt server is started by Metals #6593 by @adpi2java
is not onPATH
#6576 by @github-samuel-clarencbuildTarget/cleanCache
, which fixes IntelliJrebuild
#6638 by @hmemcpybuild/taskProgress
notifications #6642 by @hmemcpysbtn
buffer not printing out all the outputs on system out #6703 by @adpi2<macro>
, which are occasionally returned by the compiler [#6730][6730] by @eed3si9nsbt shutdownall
to shutdown all sbt server instances #6697 by @er1csbt --no-server
to not start the server or use a virtual terminal [#6728][6728] by @eed3si9nZinc improvements
Analysis
file [zinc#995][zinc995] by @dwijnandRemote caching improvements
sbt 1.6.0 improves remote caching of
resources
directory by virtualizing the internal sync state (copy-resources.txt
). This allows incrementalresource
directory synching to be resumed from the remote cache, similar to how Zinc has been able to resume incremental compilation from the remote cache. This was contributed by Amina Adewusi (@Nirvikalpa108) as #6611.Dependency tree improvements
dependencyTree
to useasciiGraphWidth
setting 6693 by @kijukydependencyBrowseTree
#6675 by @nimatruewaydependencyBrowseTree
to use Contraband data types instead ofscala.util.parsing.json
#6699 by @Nirvikalpa108Other updates
scalaVersion
[#6753][6753] by @eed3si9nClassCastException
inXMainConfiguration
#6649 by @eed3si9nscalaInstanceTopLoader
tocompileBase
settings #6480 by @adpi2crossSbtVersions
included intolintBuild
#6656 by @Nirvikalpa108realpathish
function insbt
runner script #6641 by @darabosConfigRef
to reduce heap usage [lm#390][lm390] by @eed3si9nscripted / javaHome
#6673 by @kxbmapmaven.repo.local
system property configures local Maven repository [lm#391][lm391] by @peter-janssenConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.