Update dependency sbt/sbt to v1.9.9 - autoclosed

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	minor	1.3.8 -> 1.9.9

---

Release Notes

sbt/sbt (sbt/sbt)

v1.9.9: 1.9.9

Compare Source

Bug fixes

• To fix console task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @​hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502
• To fix sbt 1.9.8's UnsatisfiedLinkError with stat, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @​eed3si9n in https://github.com/sbt/io/pull/367

Full Changelog: sbt/sbt@v1.9.8...v1.9.9

v1.9.8: 1.9.8

Compare Source

updates

• Fixes IO.getModifiedOrZero on Alpine etc, by using clib stat() instead of non-standard __xstat64 abi by @​bratkartoffel in https://github.com/sbt/io/pull/362
• As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @​hvesalai in https://github.com/sbt/sbt/pull/7420
• Backports fix for updateSbtClassifiers not downloading sources https://github.com/sbt/sbt/pull/7437 by @​azdrojowa123
• Backports missing logger methods that take Java Supplier https://github.com/sbt/sbt/pull/7447 by @​mkurz

Full Changelog: sbt/sbt@v1.9.7...v1.9.8

v1.9.7: 1.9.7

Compare Source

Highlights

• sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

• Updates Coursier to 2.1.7 by @​regiskuckaertz in #​7392
• Updates Swoval to 2.1.12 by @​eatkins in io#353.
• Fixes .sbtopts support for sbt runner script on Windows by @​ptrdom in #​7393
• Adds documentation on scriptedSbt key by @​mdedetrich in #​7383
• Includes the URL in dependencyBrowseTree log by @​mkurz in #​7396

v1.9.6: 1.9.6

Compare Source

bug fix

• sbt 1.9.6 reverts "internal representation of class symbol names" change (https://github.com/sbt/zinc/pull/1244), which caused Scala compiler to generate wrong anonymous class name by @​eed3si9n in https://github.com/sbt/zinc/pull/1256. See https://github.com/scala/bug/issues/12868 for more details.

Full Changelog: sbt/sbt@v1.9.5...v1.9.6

v1.9.5: 1.9.5

Compare Source

Update: ⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704

highlights

• Switches to pre-compiled compiler bridge for Scala 2.13.12+ #​7374 by @​eed3si9n
• Fixes NPE when just -X is passed to scalacOptions zinc#1246 by @​unkarjedy

other updates

• Fixes internal representation of class symbol names zinc#1244 by @​dwijnand
• Fixes NumberFormatException in CrossVersionUtil.binaryScalaVersion lm#426 by @​HelloKunal
• Fixes scripted client/server instability on Windows #​7087 by @​mdedetrich
• Fixes sbt launcher script bug on Windows #​7365 by @​JD557
• Fixes help command on oldshell #​7358 by @​azdrojowa123
• Adds allModuleReports to UpdateReport lm#428 by @​mdedetrich
• Handles javac warning messages zinc#1228 by @​Arthurm1
• Enables inliner for Scala 2.13 compiler bridge zinc#1247 by @​mdedetrich

new contributors

• @​azdrojowa123 made their first contribution in https://github.com/sbt/sbt/pull/7358
• @​JD557 made their first contribution in https://github.com/sbt/sbt/pull/7367

Full Changelog: sbt/sbt@v1.9.4...v1.9.5

v1.9.4: 1.9.4

Compare Source

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

With coordination with Apache Foundation, Adrien Piquerez (@​adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

• Fixes sbt_script lookup by replacing all spaces with %20 (not only the first one) in the path. by @​arturaz in https://github.com/sbt/sbt/pull/7349
• Fixes scala-debug-adapter#543: Maintain order of internal deps by @​adpi2 in https://github.com/sbt/sbt/pull/7347
• Removes conscriptConfigs task, not used and needed(?) anymore by @​mkurz in https://github.com/sbt/sbt/pull/7353
• Adds a Scala 3 seed to the sbt new menu by @​SethTisue in https://github.com/sbt/sbt/pull/7354

new contributors

• @​arturaz made their first contribution in https://github.com/sbt/sbt/pull/7349

Full Changelog: sbt/sbt@v1.9.3...v1.9.4

v1.9.3: 1.9.3

Compare Source

Actionable diagnostics (aka quickfix)

Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.

sbt 1.9.3 adds a new interface called AnalysisCallback2 to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with -deprecation flag.

This was contributed by Eugene Yokota (@​eed3si9n) in zinc#1226. Special thanks to @​lrytz for identifying this issue in zinc#1214.

other updates

• Adds M1/M2/Aarch64 build of sbtn into the installer by @​julienrf in https://github.com/sbt/sbt/pull/7329
• Fixes scripted tests timing out after 5 minutes by @​eed3si9n in https://github.com/sbt/sbt/pull/7336

Full Changelog: sbt/sbt@v1.9.2...v1.9.3

v1.9.2: 1.9.2

Compare Source

Fix

• Let ++ fall back to a bincompat Scala version by @​eed3si9n in https://github.com/sbt/sbt/pull/7328

Full Changelog: sbt/sbt@v1.9.1...v1.9.2

v1.9.1: 1.9.1

Compare Source

Change to Scala CLA

sbt 1.9.1 is the first release of sbt after changing to Scala CLA in #​7306 etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would tranfer to Scala Center, a non-profit organization. sbt and its subcompoments, including Zinc, will remain available under Apache v2 license.

Updates

• Fixes "Repository for publishing is not specified" error even when publish / skip is set true by @​adpi2 in #​7295
• Fixes scripted test not working when sbtPluginPublishLegacyMavenStyle := false by @​adpi2 in #​7286
• Fixes copy-pasting to sbt console being slow by @​andrzejressel in #​7280
• Fixes missing range in BSP Diagnostic by @​adpi2 in #​7298
• Fixes zip64 offset writing by @​dwijnand in zinc#1206
• Fixes a typo in the description of exportPipelining key by @​alexklibisz in #​7291
• dependencyBrowseGraph and dependencyDot render in color by @​sideeffffect in #​7301. This can be opted-out using dependencyDotNodeColors setting.
• Adds softwaremill/tapir.g8 to sbt new default menu by @​katlasik in #​7300
• Makes sbt new default menu extensible via templateDescriptions setting key and templateRunLocal input key by @​eed3si9n in #​7304
• Adds Hedgehog Scala to default test framework by @​kevin-lee in #​7287
• Updates semanticdbVersion to 4.7.8 by @​ckipp01 in #​7294
• Updates JNA to 5.13.0 by @​xuwei-k in io#346
• Updates Scala 2.13 for Zinc etc to 2.13.11 by @​mkurz in #​7279
• Updates sbtn to 1.9.0 by @​mkurz in #​7290
• Updates Scala Toolkit to 0.2.0 by @​eed3si9n in #​7318

Behind the scene

• Adds @tailrec annotation by @​xuwei-k in zinc#1209
• Updates Scala versions in scripted tests by @​xuwei-k in #​7312
• Many typo fixes by @​xuwei-k in #​7313
• Fixes Scaladoc warnings by @​xuwei-k in #​7314
• Typo fix in DEVELOPING.md by @​dongxuwang in #​7299
• Avoids deprecated java.net.URL constructor by @​xuwei-k in #​7315
• Refactors filter to withFilter where possible by @​xuwei-k in #​7317

new contributors

• @​andrzejressel made their first contribution in https://github.com/sbt/sbt/pull/7280
• @​kevin-lee made their first contribution in https://github.com/sbt/sbt/pull/7287
• @​alexklibisz made their first contribution in https://github.com/sbt/sbt/pull/7291
• @​dongxuwang made their first contribution in https://github.com/sbt/sbt/pull/7299
• @​katlasik made their first contribution in https://github.com/sbt/sbt/pull/7300

Full Changelog: sbt/sbt@v1.9.0...v1.9.1

v1.9.0: 1.9.0

Compare Source

Changes with compatibility implications

• Deprecates IntegrationTest configuration. See below.
• Updates underlying Coursier to 2.1.2 by @​eed3si9n.

Deprecation of IntegrationTest configuration

sbt 1.9.0 deprecates IntegrationTest configuration. (RFC-3 proposes to deprecate general use of configuration axis beyond Compile and Test, and this is the first installment of the change.)

The recommended migration path is to create a subproject named "integration", or "foo-integration" etc.

lazy val integration = (project in file("integration"))
  .dependsOn(core) // your current subproject
  .settings(
    publish / skip := true,
    // test dependencies
    libraryDependencies += something % Test,
  )

From the shell you can run:

> integration/test

Assuming these are slow tests compared to the regular tests, I might not aggregate them at all from other subprojects, and maybe only run it on CI, but it's up to you.

Why deprecate IntegrationTest? IntegrationTest was a demoware for the idea of custom configuration axis, and now that we are planning to deprecate the mechanism to simplify sbt, we wanted to stop advertising it. We won't remove it during sbt 1.x series, but deprecation signals the non-recommendation status.

This was contributed by @​eed3si9n and @​mdedetrich in lm#414/#​7261.

POM consistency of sbt plugin publishing

sbt 1.9.0 publishes sbt plugin to Maven repository in a POM-consistent way. sbt has been publishing POM file of sbt plugins as sbt-something-1.2.3.pom even though the artifact URL is suffixed as sbt-something_2.12_1.0. This allowed "sbt-something" to be registered by Maven Central, allowing search. However, as more plugins moved to Maven Central, it was considered that keeping POM consisntency rule was more important, especially for corporate repositories to proxy them.

sbt 1.9.0 will publish using both the conventional POM-inconsistent style and POM-consistent style so prior sbt releases can still consume the plugin. However, this can be opted-out using sbtPluginPublishLegacyMavenStyle setting.

This fix was contributed by Adrien Piquerez (@​adpi2) at Scala Center in coursier#2633, sbt#7096 etc. Special thanks to William Narmontas (@​ScalaWilliam) and Wudong Liu (@​wudong) whose experimental plugin sbt-vspp paved the way for this feature.

sbt new, a text-based adventure

sbt 1.9.0 adds text-based menu when sbt new or sbt init is called without arguments:

$ sbt -Dsbt.version=1.9.0-RC2 init
....

Welcome to sbt new!
Here are some templates to get started:
 a) scala/toolkit.local               - Scala Toolkit (beta) by Scala Center and VirtusLab
 b) typelevel/toolkit.local           - Toolkit to start building Typelevel apps
 c) sbt/cross-platform.local          - A cross-JVM/JS/Native project
 d) scala/scala-seed.g8               - Scala 2 seed template
 e) playframework/play-scala-seed.g8  - A Play project in Scala
 f) playframework/play-java-seed.g8   - A Play project in Java
 g) scala-js/vite.g8                  - A Scala.JS + Vite project
 i) holdenk/sparkProjectTemplate.g8   - A Scala Spark project
 m) spotify/scio.g8                   - A Scio project
 n) disneystreaming/smithy4s.g8       - A Smithy4s project
 q) quit
Select a template (default: a):

Unlike Giter8, .local template creates build.sbt etc in the current directory, and reboots into an sbt session.

This was contributed by Eugene Yokota (@​eed3si9n) in #​7228.

Actionable diagnostics steps

sbt 1.9.0 adds actions to Problem, allowing the compiler to suggest code edits as part of the compiler warnings and errors in a structual manner.

See Roadmap for actionable diagnostics for more details. The changes were contributed by @​ckipp01 in #​7242 and @​eed3si9n in bsp#527/#​7251/zinc#1186 etc.

releaseNotesURL setting

sbt 1.9.0 adds releaseNotesURL setting, which creates info.releaseNotesUrl property in the POM file. This will then be used by Scala Steward. See
Add release notes URLs to your POMs for details.

This was contributed by Arman Bilge in lm#410.

Other updates

• Updates Scala 2.13 cross build for Zinc to 2.13.10 to address CVE-2022-36944 by @​rhuddleston
• Updates underlying Scala to 2.12.18 for JDK 21-ea in #​7271 by @​eed3si9n.
• Fixes Zinc incremental compilation looping infinitely zinc#1182 by @​CarstonSchilds
• Fixes libraryDependencySchemes not overriding assumedVersionScheme lm#415 by @​adriaanm
• Fixes spurious whitespace in the runner script by @​keynmol in #​7134
• Makes RunProfiler available by @​dragos in #​7215
• Makes publishLocal / skip work by @​mdedetrich in #​7165
• Fixes NullPointerError under -Vdebug by @​som-snytt in zinc#1141
• Fixes Maven settings.xml properties expansion by @​nrinaudo in lm#413
• Adds FileFilter.nothing and FileFilter.everything by @​mdedetrich in io#340
• Adds Resolver.ApacheMavenSnapshotsRepo by @​mdedetrich
• Avoids deprecated java.net.URL constructor by @​xuwei-k in io#341
• Updates to Swoval 2.1.10 by @​eatkins in io#343
• Updates to sbt-giter8-resolver 0.16.2 by @​eed3si9n
• Fixes dead lock between LoggerContext and Terminal by @​adpi2 in #​7191
• Notifies ClassFileManager from IncOptions in Incremental.prune by @​lrytz in zinc1148
• Updates usage info for java-home in the runner script by @​liang3zy22 in #​7171
• Deprecates misspelled Problem#diagnosticRelatedInforamation by @​ckipp01 in #​7241
• Adds built-in support for weaver-cats test framework #​7263 by @​kubukoz

Behind the scene

• Replaces olafurpg/setup-scala with actions/setup-java by @​mzuehlke in #​7154
• Uses sonatypeOssRepos instead of sonatypeRepo by @​yoshinorin in #​7227

v1.8.3: 1.8.3

Compare Source

Security fix

• Fixes sbt.io.IO.withTemporaryFile not limiting access on Unix-like systems in io#344/zinc#1185 by @​eed3si9n

IO.withTemporaryFile fix

sbt 1.8.3 fixes sbt.io.IO.withTemporaryFile etc not limiting access on Unix-like systems. Prior to this patch release, some functions were using java.io.File.createTempFile, which does not set strict file permissions, as opposed to the NIO-equivalent that does.

This means that on a shared Unix-like systems, build user or plugin's use of sbt.io.IO.withTemporaryFile etc would have exposed the information to other users.

This issue was reported by Oleksandr Zolotko at IBM, and was fixed by Eugene Yokota (@​eed3si9n) in io#344/zinc#1185.

Other updates

sbt 1.8.3 backports Zinc and IO fixes from 1.9.0-RC2 as well.

• Fixes Zinc incremental compilation looping infinitely zinc#1182 by @​CarstonSchilds
• Fixes spurious whitespace in the runner script by @​keynmol in #​7134
• Fixes NullPointerError under -Vdebug by @​som-snytt in zinc#1141
• Avoids deprecated java.net.URL constructor by @​xuwei-k in io#341
• Updates to Swoval 2.1.10 by @​eatkins in io#343
• Notifies ClassFileManager from IncOptions in Incremental.prune by @​lrytz in zinc1148
• Adds FileFilter.nothing and FileFilter.everything by @​mdedetrich in io#340

v1.8.2: 1.8.2

Compare Source

updates

• Fixes M1/M2/Aarch64 Mac support by #​7120 by @​eed3si9n
• Fixes glibc 2.31/Debian 11/Ubuntu 20.04 compatibility #​7118 by @​eed3si9n

v1.8.1: 1.8.1

Compare Source

Bug fixes

• Fixes slf4j 2.x getting pulled into the metabuild #​7115 by @​eed3si9n
• Fixes BSP support on Windows by making PATH environment variable case insensitive by #​7085 by @​dos65

Updates

• Adds sbtn (GraalVM native client) for Linux on Aarch64 ipcsocket#33, #​7108 etc by @​mkurz and @​eed3si9n

New Contributors

• @​dos65 made their first contribution in https://github.com/sbt/sbt/pull/7085

Full Changelog: sbt/sbt@v1.8.0...v1.8.1

v1.8.0: 1.8.0

Compare Source

Security fixes

• Updates to Coursier 2.1.0-RC1 to address CVE-2022-37866
• Updates to Ivy 2.3.0-sbt-a8f9eb5bf09d0539ea3658a2c2d4e09755b5133e to address CVE-2022-37866

Changes with compatibility implications

• Updates to Scala 2.12.17 + Scala compiler 2.12.17, which upgrades to scala-xml 2.x #​7021

Bug fixes

• Fixes background job logging #​6992 by @​adpi2

Other updates

• Adds long classpath support on JDK 9+ via argument file (opt out using -Dsbt.argsfile=false or SBT_ARGSFILE environment variable) #​7010 by @​easel
• Adds out-of-box ZIO Test support #​7053 by @​987Nabil
• Adds support for newly introduced buildTarget/outputPaths method of Build Server Protocol. #​6985 by @​povder

New Contributors

• @​easel made their first contribution in https://github.com/sbt/sbt/pull/7010
• @​sashashura made their first contribution in https://github.com/sbt/sbt/pull/7023
• @​987Nabil made their first contribution in https://github.com/sbt/sbt/pull/7053

Full Changelog: sbt/sbt@v1.7.1...v1.8.0

v1.7.3: 1.7.3

Compare Source

updates

• Updates underlying Coursier from 2.1.0-M2 to 2.1.0-M7-18-g67daad6a9 (lm-coursier-shaded 2.0.12) by @​eed3si9n in https://github.com/sbt/sbt/pull/7060
• Sets up automatic release to to WinGet by @​vedantmgoyal2009 in https://github.com/sbt/sbt/pull/6981

new contributors

• @​vedantmgoyal2009 made their first contribution in https://github.com/sbt/sbt/pull/6981

Full Changelog: sbt/sbt@v1.7.2...v1.7.3

v1.7.2: 1.7.2

Compare Source

See https://github.com/sbt/sbt/releases/tag/v1.7.0 for the details on sbt 1.7.x.

• Fixes invalidation of incremental testQuick task #​6903 by @​gontard
• Fixes /tmp/.sbt/ collision for domain socket #​7041 by @​eed3si9n
• Adds workaround for dependencyBrowseGraph with sometimes missing node #​6978 by @​frosforever
• Updates sbt new by default to use Giter8 0.15.0 #​7038 by @​eed3si9n
• Updates launcher to support Scala 3 apps #​7035 by @​eed3si9n
• Adds diagnosticCode and diagnosticRelatedInforamation (sic) to InterfaceUtil.problem(...) #​7006 by @​ckipp01
• Forwards diagnosticCode to BSP #​6998 by @​ckipp01
• Improves log for not found remote cache #​6824 by @​gontard

v1.7.1: 1.7.1

Compare Source

See https://github.com/sbt/sbt/releases/tag/v1.7.0 for the details on sbt 1.7.x.

Bug fix

• Fixes Java incremental compilation, specifically parsing of annotations in class files of @​SethTisue in https://github.com/sbt/zinc/pull/1111

Full Changelog: sbt/sbt@v1.7.0...v1.7.1

v1.7.0: 1.7.0

Compare Source

Changes with compatibility implications

• ++ is stricter. See below.
• Drops OkHttp 3.x dependency lm#399 by @​eed3si9n
• Updates to Scala 2.12.16
• Moves domain socket location to XDG_RUNTIME_DIR and /tmp #​6887 by @​AlonsoM45
• Deprecates Resolver.sonatypeRepo and adds Resolver.sonatypeOssRepos, which includes https://s01.oss.sonatype.org/ by @​armanbilge in lm#393

++ command updates

Prior to sbt 1.7 ++ <sv> <command1> filtered subprojects using crossScalaVersions having the same ABI suffix as <sv>. This behavior was generally not well understood, and also created incorrect result for Scala 3.x since ++ 3.0.1 test could downgrade subproject that may require 3.1 or above.

sbt 1.7.0 fixes this by requiring ++ <sv> <command1> so <sv> part can be given as a semantic version selector expression, such as 3.1.x or 2.13.x. Note that the expression may match at most one Scala version to switch into. In sbt 1.7.0, a concrete version such as ++ 3.0.1 equires exact version to be present in crossScalaVersion.

This contribution was a collaborated effort among Arnout Engelen #​6894, Rui Gonçalves lm#400, and Eugene Yokota.

Scala 3 compiler error improvements

In zinc#1082, Toshiyuki Takahashi contributed a fix to ignore Problem#rendered passed from the compiler when sbt uses position mapper to transform the position. This is aimed at fixing the error reporting for Play on Scala 3.

In #​6874, Chris Kipp extended xsbti.Problem to track richer information available in Scala 3. This is aimed at enhancing the compilation errors reported to BSP client such as Metals.

BSP updates

• Fixes sbt sending cumulative build/publishDiagnostics in BSP #​6847/#​6929 by @​tanishiking and @​kpodsiad
• Adds optional framework field to the BSP response #​6830 by @​kpodsiad
• Adds BSP environment request support #​6858 by @​kpodsiad

Other updates

• Fixes under-compilation when Java annotation changes by @​SethTisue in zinc#1079
• Fixes ipcsocket JNI cleanup code deleting empty directories in /tmp ipc#23 by @​eed3si9n
• Fixes command argument parsing with quotes in -a="b c" pattern #​6816 by @​Nirvikalpa108
• Fixes ThisBuild / includePluginResolvers #​6849 by @​bjaglin
• Fixes watchOnTermination callbacks #​6870 by @​eatkins
• Fixes proxyInputStream#available, which affected sbt-site previewSite #​6965 by @​eed3si9n

v1.6.2: 1.6.2

Compare Source

• Fixes test framework loading failure not failing the build #​6806 by @​eed3si9n
• Fixes readLine catching InterruptedException #​6803 by @​tpetillot
• Fixes sbt --help by removing unimplemented -S-X option #​6799 by @​Nirvikalpa108

License

sbt 1.6.2 adds License object that defines predefined license values:

licenses := List(License.Apache2)

Predefined values are License.Apache2, License.MIT, License.CC0, and License.GPL3_or_later. lm#395 by @​eed3si9n

v1.6.1: 1.6.1

Compare Source

• sbt 1.6.1 updates log4j 2 to 2.17.1, which fixes a remote code execution vulnerability when attacker controls configuration (CVE-2021-44832) #​6765 by @​eed3si9n

v1.6.0: 1.6.0

Compare Source

Changes with compatibility implications

• Updates to log4j 2.17.0. See The state of the log4j CVE in the Scala ecosystem for details.
• The Scala version used to compile build.sbt is updated to Scala 2.12.15, which improves the compatibility with JDK 17+. The metabuild is compiled with -Xsource:3 flag #​6664 by @​Nirvikalpa108 + @​eed3si9n
• sbt.TrapExit is dropped due to Security Manager being deprecated in JDK 17. Calling sys.exit in run or test would shutdown the sbt session. Use forking to prevent it #​6665 by @​eed3si9n
• sbt 1.6.0 reads credentials from the file specified using SBT_CREDENTIALS environment variable, following sbt launcher #​6724 by @​daddykotex

BSP improvements

• Fixes .sbtopts not getting picked up when sbt server is started by Metals #​6593 by @​adpi2
• Fixes BSP IntelliJ import when java is not on PATH #​6576 by @​github-samuel-clarenc
• Implements BSP buildTarget/cleanCache, which fixes IntelliJ rebuild #​6638 by @​hmemcpy
• Implements BSP build/taskProgress notifications #​6642 by @​hmemcpy
• Improves BSP IntelliJ import by sending information about sbt server process failure #​6573 by @​github-samuel-clarenc
• Makes BSP requests robust to some target failures #​6609 by @​adpi2
• Sends BSP diagnostics and meaningful error message when reloading fails #​6566 by @​adpi2
• Fixes handling of sources in the base directory #​6701 by @​adpi2
• Fixes sbtn buffer not printing out all the outputs on system out #​6703 by @​adpi2
• Fixes infinite loop when server fails to load #​6707 by @​adpi2
• Fixes handling of fake position such as <macro>, which are occasionally returned by the compiler #​6730 by @​eed3si9n
• Adds sbt shutdownall to shutdown all sbt server instances #​6697 by @​er1c
• Adds sbt --no-server to not start the server or use a virtual terminal #​6728 by @​eed3si9n

Zinc improvements

• Fixes under-compilation of folded constants (see also [SI-7173][SI-7173]) [zinc@d15228][zincd15228]/[zinc#1003][zinc1003] by @​ephemerist and @​dwijnand
• Fixes over-compilation of extended classes on JDK 11 [zinc#998][zinc998] by @​lrytz
• Improves performance of loading used names from persisted Analysis file [zinc#995][zinc995] by @​dwijnand
• Fixes hashing of large files [zinc#1018][zinc1018] by @​niktrop

Remote caching improvements

sbt 1.6.0 improves remote caching of resources directory by virtualizing the internal sync state (copy-resources.txt). This allows incremental resource directory synching to be resumed from the remote cache, similar to how Zinc has been able to resume incremental compilation from the remote cache. This was contributed by Amina Adewusi (@​Nirvikalpa108) as #​6611.

Dependency tree improvements

• Fixes dependencyTree to use asciiGraphWidth setting 6693 by @​kijuky
• Fixes rendering cycles in dependencyBrowseTree #​6675 by @​nimatrueway
• Migrates dependencyBrowseTree to use Contraband data types instead of scala.util.parsing.json #​6699 by @​Nirvikalpa108

Other updates

• Updates to lm-coursier 2.0.9, which uses Coursier 2.1.0-M2. This fixes full Scala suffix getting incorrectly overwritten by scalaVersion [#​6753][6753] by @​eed3si9n
• Fixes tab completion of global keys #​6716 by @​eed3si9n
• Fixes shutdown hook error in timing report #​6630 by @​Nirvikalpa108
• Fixes ClassCastException in XMainConfiguration #​6649 by @​eed3si9n
• Moves scalaInstanceTopLoader to compileBase settings #​6480 by @​adpi2
• Fixes crossSbtVersions included into lintBuild #​6656 by @​Nirvikalpa108
• Fixes realpathish function in sbt runner script #​6641 by @​darabos
• Fixes repeated version numbers in eviction error [lm#386][lm386] by @​rtyley
• Flyweights ConfigRef to reduce heap usage [lm#390][lm390] by @​eed3si9n
• Adds Windows Java home selectors for JDK cross building #​6684 by @​kxbmap
• Makes scripted Java home configurable using scripted / javaHome #​6673 by @​kxbmap
• maven.repo.local system property configures local Maven repository [lm#391][lm391] by @​peter-janssen

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.