Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.9.7
->1.10.3
Release Notes
sbt/sbt (sbt)
v1.10.3
: 1.10.3Compare Source
Protobuf with potential Denial of Service (CVE-2024-7254)
sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @gabrieljones and was fixed by Jerry Tan (@Friendseeker) in zinc#1443.
@adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @Friendseeker in https://github.com/sbt/sbt/pull/7746.
Reverting the invalidation of circular-dependent sources
sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.
There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after
clean
. The root cause of these bugs were identified by @smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @Friendseeker to be partial compilation of circular-dependent sources where two sourcesA.scala
andB.scala
use some constructs from each other.sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if
A.scala
was changed, it would immediately invalidateB.scala
. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@lihaoyi) in https://github.com/sbt/zinc/pull/1462.Improvement: ParallelGzipOutputStream
sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of
ParallelGzipOutputStream
, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that thescala.concurrent.Future
-based implementation gets stuck in a deadlock. @Ichoran and @Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.bug fixes and updates
sbt init
template deps by @xuwei-k in #7730behind the scene
System.runFinalization
by @Friendseeker in https://github.com/sbt/sbt/pull/7732Thread.getId
by @Friendseeker in https://github.com/sbt/sbt/pull/7733vscode-sbt-scala
from build.sbt by @Friendseeker in https://github.com/sbt/sbt/pull/7728Full Changelog: sbt/sbt@v1.10.2...v1.10.3
v1.10.2
: 1.10.2Compare Source
Changes with compatibility implications
_sbt2_3
suffix for sbt 2.x by @eed3si9n in https://github.com/sbt/sbt/pull/7671Updates and bug fixes
serverIdleTimeOut
toserverIdleTimeout
to match the variable name by @lervag in https://github.com/sbt/sbt/pull/7651scala.reflect.io.Streamable
by @rochala in https://github.com/sbt/zinc/pull/1395Optional
inter-project dependency in BSP by @adpi2 in https://github.com/sbt/sbt/pull/7568build.properties
by @invadergir in https://github.com/sbt/sbt/pull/7585scala-tools-releases
inrepositories
file blocking sbt from launching by @eed3si9n in https://github.com/sbt/launcher/pull/104ThreadDeath
for future JDK compatibility by @xuwei-k in https://github.com/sbt/sbt/pull/7652ZipError
for future JDK compatibility by @eed3si9n in https://github.com/sbt/zinc/pull/1393Behind the scenes
dependency-management/force-update-period
test (backport of #7538) by @adpi2 in https://github.com/sbt/sbt/pull/7567New contributors
Full Changelog: sbt/sbt@v1.10.0...v1.10.2
v1.10.1
: 1.10.1Compare Source
bug fixes and updates
expandMavenSettings
by @desbo in https://github.com/sbt/librarymanagement/pull/444Map
andLList
in sjson-new 0.10.1 by @steinybot + @eed3si9n in https://github.com/eed3si9n/sjson-new/pull/142forceUpdatePeriod
by @adpi2 in https://github.com/sbt/sbt/pull/7567Optional
inter-project dependencies by @adpi2 in https://github.com/sbt/sbt/pull/7568jcenter
andscala-tools-releases
entries in the~/.sbt/repositories
file by @eed3si9n in https://github.com/sbt/launcher/pull/104behind the scenes
Full Changelog: sbt/sbt@v1.10.0...v1.10.1
v1.10.0
: 1.10.0Compare Source
Changes with compatibility implications
scalaVersion
can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.SIP-51 Support for Scala 2.13 Evolution
Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:
Lukas has also contributed changes to sbt 1.10.0 to enforce stricter
scalaVersion
. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer thanscalaVersion
is found, it will fail the build as follows:When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):
Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected
scalaVersion
, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respectscalaVersion
to be the source-of-truth, but will reject bad ones at build time.This was contributed by Lukas Rytz in #7480.
Zinc fixes
IncOptions.useOptimizedSealed
not working for Scala 2.13 by @Friendseeker in zinc#1278ClassTag
instead ofManifest
by @xuwei-k in zinc#1265extraHash
to propagateTraitPrivateMembersModified
across external dependency by @Friendseeker in zinc#1289extraHash
computation by @Friendseeker in zinc#1290@inline
methods in Scala 2.x by @Friendseeker in zinc#1310-Xshow-phases
handling by @Friendseeker in zinc#1314ConsistentAnalysisFormat: new Zinc Analysis serialization
sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:
Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:
This was contributed by Stefan Zeiger at Databricks in zinc#1326.
New CommandProgress API
sbt 1.10.0 adds a new CommandProgress API.
This was contributed by Iulian Dragos at Gradle Inc in #7350.
Other updates
java.net.URL
constructor by @xuwei-k in #7398updateSbtClassifiers
task by @azdrojowa123 in #7437packageSrc
to includemanagedSources
by @Friendseeker in #7470publisher
setting by @Tammo0987 in #7475buildTarget/javacOptions
by @adpi2 in #7352noOp
field in the compile report by @adpi2 in #7496v1.9.9
: 1.9.9Compare Source
Bug fixes
console
task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502UnsatisfiedLinkError
withstat
, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in https://github.com/sbt/io/pull/367Full Changelog: sbt/sbt@v1.9.8...v1.9.9
v1.9.8
: 1.9.8Compare Source
updates
IO.getModifiedOrZero
on Alpine etc, by using clibstat()
instead of non-standard__xstat64
abi by @bratkartoffel in https://github.com/sbt/io/pull/362updateSbtClassifiers
not downloading sources https://github.com/sbt/sbt/pull/7437 by @azdrojowa123Full Changelog: sbt/sbt@v1.9.7...v1.9.8
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.