Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency sbt/sbt to v1.9.9 - autoclosed #36

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 24, 2023

Mend Renovate

This PR contains the following updates:

Package Update Change
sbt/sbt minor 1.2.6 -> 1.9.9
sbt/sbt major 0.13.18 -> 1.9.9

Release Notes

sbt/sbt (sbt/sbt)

v1.9.9: 1.9.9

Compare Source

Bug fixes

Full Changelog: sbt/sbt@v1.9.8...v1.9.9

v1.9.8: 1.9.8

Compare Source

updates

Full Changelog: sbt/sbt@v1.9.7...v1.9.8

v1.9.7: 1.9.7

Compare Source

Highlights
  • sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.
Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

v1.9.6: 1.9.6

Compare Source

bug fix

Full Changelog: sbt/sbt@v1.9.5...v1.9.6

v1.9.5: 1.9.5

Compare Source

Update: ⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704

highlights

other updates

new contributors

Full Changelog: sbt/sbt@v1.9.4...v1.9.5

v1.9.4: 1.9.4

Compare Source

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

With coordination with Apache Foundation, Adrien Piquerez (@​adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

new contributors

Full Changelog: sbt/sbt@v1.9.3...v1.9.4

v1.9.3: 1.9.3

Compare Source

Actionable diagnostics (aka quickfix)

Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.

sbt 1.9.3 adds a new interface called AnalysisCallback2 to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with -deprecation flag.

This was contributed by Eugene Yokota (@​eed3si9n) in zinc#1226. Special thanks to @​lrytz for identifying this issue in zinc#1214.

other updates

Full Changelog: sbt/sbt@v1.9.2...v1.9.3

v1.9.2: 1.9.2

Compare Source

Fix

Full Changelog: sbt/sbt@v1.9.1...v1.9.2

v1.9.1: 1.9.1

Compare Source

Change to Scala CLA

sbt 1.9.1 is the first release of sbt after changing to Scala CLA in #​7306 etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would tranfer to Scala Center, a non-profit organization. sbt and its subcompoments, including Zinc, will remain available under Apache v2 license.

Updates
Behind the scene

new contributors

Full Changelog: sbt/sbt@v1.9.0...v1.9.1

v1.9.0: 1.9.0

Compare Source

Changes with compatibility implications
  • Deprecates IntegrationTest configuration. See below.
  • Updates underlying Coursier to 2.1.2 by @​eed3si9n.
Deprecation of IntegrationTest configuration

sbt 1.9.0 deprecates IntegrationTest configuration. (RFC-3 proposes to deprecate general use of configuration axis beyond Compile and Test, and this is the first installment of the change.)

The recommended migration path is to create a subproject named "integration", or "foo-integration" etc.

lazy val integration = (project in file("integration"))
  .dependsOn(core) // your current subproject
  .settings(
    publish / skip := true,
    // test dependencies
    libraryDependencies += something % Test,
  )

From the shell you can run:

> integration/test

Assuming these are slow tests compared to the regular tests, I might not aggregate them at all from other subprojects, and maybe only run it on CI, but it's up to you.

Why deprecate IntegrationTest? IntegrationTest was a demoware for the idea of custom configuration axis, and now that we are planning to deprecate the mechanism to simplify sbt, we wanted to stop advertising it. We won't remove it during sbt 1.x series, but deprecation signals the non-recommendation status.

This was contributed by @​eed3si9n and @​mdedetrich in lm#414/#​7261.

POM consistency of sbt plugin publishing

sbt 1.9.0 publishes sbt plugin to Maven repository in a POM-consistent way. sbt has been publishing POM file of sbt plugins as sbt-something-1.2.3.pom even though the artifact URL is suffixed as sbt-something_2.12_1.0. This allowed "sbt-something" to be registered by Maven Central, allowing search. However, as more plugins moved to Maven Central, it was considered that keeping POM consisntency rule was more important, especially for corporate repositories to proxy them.

sbt 1.9.0 will publish using both the conventional POM-inconsistent style and POM-consistent style so prior sbt releases can still consume the plugin. However, this can be opted-out using sbtPluginPublishLegacyMavenStyle setting.

This fix was contributed by Adrien Piquerez (@​adpi2) at Scala Center in coursier#2633, sbt#7096 etc. Special thanks to William Narmontas (@​ScalaWilliam) and Wudong Liu (@​wudong) whose experimental plugin sbt-vspp paved the way for this feature.

sbt new, a text-based adventure

sbt 1.9.0 adds text-based menu when sbt new or sbt init is called without arguments:

$ sbt -Dsbt.version=1.9.0-RC2 init
....

Welcome to sbt new!
Here are some templates to get started:
 a) scala/toolkit.local               - Scala Toolkit (beta) by Scala Center and VirtusLab
 b) typelevel/toolkit.local           - Toolkit to start building Typelevel apps
 c) sbt/cross-platform.local          - A cross-JVM/JS/Native project
 d) scala/scala-seed.g8               - Scala 2 seed template
 e) playframework/play-scala-seed.g8  - A Play project in Scala
 f) playframework/play-java-seed.g8   - A Play project in Java
 g) scala-js/vite.g8                  - A Scala.JS + Vite project
 i) holdenk/sparkProjectTemplate.g8   - A Scala Spark project
 m) spotify/scio.g8                   - A Scio project
 n) disneystreaming/smithy4s.g8       - A Smithy4s project
 q) quit
Select a template (default: a):

Unlike Giter8, .local template creates build.sbt etc in the current directory, and reboots into an sbt session.

This was contributed by Eugene Yokota (@​eed3si9n) in #​7228.

Actionable diagnostics steps

sbt 1.9.0 adds actions to Problem, allowing the compiler to suggest code edits as part of the compiler warnings and errors in a structual manner.

See Roadmap for actionable diagnostics for more details. The changes were contributed by @​ckipp01 in #​7242 and @​eed3si9n in bsp#527/#​7251/zinc#1186 etc.

releaseNotesURL setting

sbt 1.9.0 adds releaseNotesURL setting, which creates info.releaseNotesUrl property in the POM file. This will then be used by Scala Steward. See
Add release notes URLs to your POMs
for details.

This was contributed by Arman Bilge in lm#410.

Other updates
Behind the scene

v1.8.3: 1.8.3

Compare Source

Security fix
IO.withTemporaryFile fix

sbt 1.8.3 fixes sbt.io.IO.withTemporaryFile etc not limiting access on Unix-like systems. Prior to this patch release, some functions were using java.io.File.createTempFile, which does not set strict file permissions, as opposed to the NIO-equivalent that does.

This means that on a shared Unix-like systems, build user or plugin's use of sbt.io.IO.withTemporaryFile etc would have exposed the information to other users.

This issue was reported by Oleksandr Zolotko at IBM, and was fixed by Eugene Yokota (@​eed3si9n) in io#344/zinc#1185.

Other updates

sbt 1.8.3 backports Zinc and IO fixes from 1.9.0-RC2 as well.

v1.8.2: 1.8.2

Compare Source

updates

v1.8.1: 1.8.1

Compare Source

Bug fixes

Updates

New Contributors

Full Changelog: sbt/sbt@v1.8.0...v1.8.1

v1.8.0: 1.8.0

Compare Source

Security fixes

  • Updates to Coursier 2.1.0-RC1 to address CVE-2022-37866
  • Updates to Ivy 2.3.0-sbt-a8f9eb5bf09d0539ea3658a2c2d4e09755b5133e to address CVE-2022-37866

Changes with compatibility implications

  • Updates to Scala 2.12.17 + Scala compiler 2.12.17, which upgrades to scala-xml 2.x #​7021

Bug fixes

Other updates

  • Adds long classpath support on JDK 9+ via argument file (opt out using -Dsbt.argsfile=false or SBT_ARGSFILE environment variable) #​7010 by @​easel
  • Adds out-of-box ZIO Test support #​7053 by @​987Nabil
  • Adds support for newly introduced buildTarget/outputPaths method of Build Server Protocol. #​6985 by @​povder

New Contributors

Full Changelog: sbt/sbt@v1.7.1...v1.8.0

v1.7.3: 1.7.3

Compare Source

updates

new contributors

Full Changelog: sbt/sbt@v1.7.2...v1.7.3

v1.7.2: 1.7.2

Compare Source

See https://github.com/sbt/sbt/releases/tag/v1.7.0 for the details on sbt 1.7.x.

v1.7.1: 1.7.1

Compare Source

See https://github.com/sbt/sbt/releases/tag/v1.7.0 for the details on sbt 1.7.x.

Bug fix

Full Changelog: sbt/sbt@v1.7.0...v1.7.1

v1.7.0: 1.7.0

Compare Source

Changes with compatibility implications
++ command updates

Prior to sbt 1.7 ++ <sv> <command1> filtered subprojects using crossScalaVersions having the same ABI suffix as <sv>. This behavior was generally not well understood, and also created incorrect result for Scala 3.x since ++ 3.0.1 test could downgrade subproject that may require 3.1 or above.

sbt 1.7.0 fixes this by requiring ++ <sv> <command1> so <sv> part can be given as a semantic version selector expression, such as 3.1.x or 2.13.x. Note that the expression may match at most one Scala version to switch into. In sbt 1.7.0, a concrete version such as ++ 3.0.1 equires exact version to be present in crossScalaVersion.

This contribution was a collaborated effort among Arnout Engelen #​6894, Rui Gonçalves lm#400, and Eugene Yokota.

Scala 3 compiler error improvements

In zinc#1082, Toshiyuki Takahashi contributed a fix to ignore Problem#rendered passed from the compiler when sbt uses position mapper to transform the position. This is aimed at fixing the error reporting for Play on Scala 3.

In #​6874, Chris Kipp extended xsbti.Problem to track richer information available in Scala 3. This is aimed at enhancing the compilation errors reported to BSP client such as Metals.

BSP updates
Other updates

v1.6.2: 1.6.2

Compare Source

License

sbt 1.6.2 adds License object that defines predefined license values:

licenses := List(License.Apache2)

Predefined values are License.Apache2, License.MIT, License.CC0, and License.GPL3_or_later. lm#395 by @​eed3si9n

v1.6.1: 1.6.1

Compare Source

v1.6.0: 1.6.0

Compare Source

Changes with compatibility implications
BSP improvements
Zinc improvements
  • Fixes under-compilation of folded constants (see also [SI-7173][SI-7173]) [zinc@d15228][zincd15228]/[zinc#1003][zinc1003] by @​ephemerist and @​dwijnand
  • Fixes over-compilation of extended classes on JDK 11 [zinc#998][zinc998] by @​lrytz
  • Improves performance of loading used names from persisted Analysis file [zinc#995][zinc995] by @​dwijnand
  • Fixes hashing of large files [zinc#1018][zinc1018] by @​niktrop
Remote caching improvements

sbt 1.6.0 improves remote caching of resources directory by virtualizing the internal sync state (copy-resources.txt). This allows incremental resource directory synching to be resumed from the remote cache, similar to how Zinc has been able to resume incremental compilation from the remote cache. This was contributed by Amina Adewusi (@​Nirvikalpa108) as #​6611.

Dependency tree improvements
Other updates

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@ghost
Copy link

ghost commented Mar 24, 2023

👇 Click on the image for a new way to code review

Review these changes using an interactive CodeSee Map

Legend

CodeSee Map legend

@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch 2 times, most recently from 8b01c51 to cd951b9 Compare March 25, 2023 02:46
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from cd951b9 to bb1cdae Compare May 12, 2023 10:38
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.8.2 Update dependency sbt/sbt to v1.8.3 May 12, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from bb1cdae to 22a9d8e Compare June 2, 2023 15:54
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.8.3 Update dependency sbt/sbt to v1.9.0 Jun 2, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 22a9d8e to a2b1d4f Compare June 26, 2023 08:50
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.0 Update dependency sbt/sbt to v1.9.1 Jun 26, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from a2b1d4f to 128831f Compare July 10, 2023 05:02
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.1 Update dependency sbt/sbt to v1.9.2 Jul 10, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 128831f to cb37a24 Compare July 24, 2023 07:49
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.2 Update dependency sbt/sbt to v1.9.3 Jul 24, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from cb37a24 to 67bf92f Compare August 25, 2023 03:47
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.3 Update dependency sbt/sbt to v1.9.4 Aug 25, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 67bf92f to 37bac36 Compare September 14, 2023 05:22
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.4 Update dependency sbt/sbt to v1.9.5 Sep 14, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 37bac36 to 1496e50 Compare September 15, 2023 19:08
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.5 Update dependency sbt/sbt to v1.9.6 Sep 15, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 1496e50 to 5d26f50 Compare October 23, 2023 00:19
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.6 Update dependency sbt/sbt to v1.9.7 Oct 23, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 5d26f50 to 11256b5 Compare December 14, 2023 19:54
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.7 Update dependency sbt/sbt to v1.9.8 Dec 14, 2023
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 11256b5 to 01e195b Compare February 23, 2024 07:36
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.8 Update dependency sbt/sbt to v1.9.9 Feb 23, 2024
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.9.9 Update dependency sbt/sbt to v1.9.9 - autoclosed Mar 7, 2024
@renovate renovate bot closed this Mar 7, 2024
@renovate renovate bot deleted the renovate/sbt-sbt-1.x branch March 7, 2024 05:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants