Update dependency sbt/sbt to v1.10.3

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	minor	1.9.3 -> 1.10.3

---

Release Notes

sbt/sbt (sbt/sbt)

v1.10.3: 1.10.3

Compare Source

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @​gabrieljones and was fixed by Jerry Tan (@​Friendseeker) in zinc#1443.

@​adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @​Friendseeker in https://github.com/sbt/sbt/pull/7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @​smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @​Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@​lihaoyi) in https://github.com/sbt/zinc/pull/1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @​Ichoran and @​Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.

bug fixes and updates

• deps: Updates metabuild Scala version to 2.12.20 by @​SethTisue in #​7636
• fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by @​Friendseeker in #​7695
• fix: Fixes transitive invalidation interfering with cycle stopping condition by @​Friendseeker in zinc#1397
• fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by @​adpi2 in lm#451
• fix: Fixes directory permission issue under a multi-user environment by @​eed3si9n in ipcsocket#43
• deps: Updates sbt init template deps by @​xuwei-k in #​7730
• Updates sbt runner to default to sbtn for sbt 2.x by @​eed3si9n in #​7775

behind the scene

• ci: Bump CI to JDK 21 by @​Friendseeker in https://github.com/sbt/sbt/pull/7760
• refactor: Remove deprecated System.runFinalization by @​Friendseeker in https://github.com/sbt/sbt/pull/7732
• refactor: Remove deprecated Thread.getId by @​Friendseeker in https://github.com/sbt/sbt/pull/7733
• refactor: Regenerate Contraband files by @​Friendseeker in https://github.com/sbt/sbt/pull/7764
• deps: Bump IO, ipc-socket, and launcher by @​eed3si9n in https://github.com/sbt/sbt/pull/7776
• deps: Zinc 1.10.3 by @​eed3si9n in https://github.com/sbt/sbt/pull/7781
• deps: lm 1.10.2 by @​eed3si9n in https://github.com/sbt/sbt/pull/7782
• ci: Set a default timeout for ci by @​nathanlao in https://github.com/sbt/sbt/pull/7766
• ci: Removes vscode-sbt-scala from build.sbt by @​Friendseeker in https://github.com/sbt/sbt/pull/7728
• ci: Adds dependabot setting for develop branch by @​xuwei-k in https://github.com/sbt/sbt/pull/7701

Full Changelog: sbt/sbt@v1.10.2...v1.10.3

v1.10.2: 1.10.2

Compare Source

Changes with compatibility implications

• Uses _sbt2_3 suffix for sbt 2.x by @​eed3si9n in https://github.com/sbt/sbt/pull/7671

Updates and bug fixes

• Fixes the attribute key name from serverIdleTimeOut to serverIdleTimeout to match the variable name by @​lervag in https://github.com/sbt/sbt/pull/7651
• Fixes incremental Scala-Java mixed compilation that produces JAR directly by @​adpi2 in https://github.com/sbt/zinc/pull/1377
• Fixes over-compilation when using a class directory as a library by @​adpi2 in https://github.com/sbt/zinc/pull/1382
• Perf: Copy bytes directly instead of using scala.reflect.io.Streamable by @​rochala in https://github.com/sbt/zinc/pull/1395
• Includes all sources and resources in source jar by @​jroper in https://github.com/sbt/sbt/pull/7630
• Fixes the handling of Optional inter-project dependency in BSP by @​adpi2 in https://github.com/sbt/sbt/pull/7568
• Trims spaces around k and v to tolerate extra whitespace in build.properties by @​invadergir in https://github.com/sbt/sbt/pull/7585
• Fixes legacy repositories like scala-tools-releases in repositories file blocking sbt from launching by @​eed3si9n in https://github.com/sbt/launcher/pull/104
• Fixes stale BSP diagnostics by @​SlowBrainDude in https://github.com/sbt/sbt/pull/7610
• Fixes scripted support for sbt 2.x by @​eed3si9n in https://github.com/sbt/sbt/pull/7672
• Avoids using ThreadDeath for future JDK compatibility by @​xuwei-k in https://github.com/sbt/sbt/pull/7652
• Avoids using ZipError for future JDK compatibility by @​eed3si9n in https://github.com/sbt/zinc/pull/1393

Behind the scenes

• Update to Zinc 1.10.2 by @​eed3si9n in https://github.com/sbt/sbt/pull/7674
• Update to lm 1.10.1 by @​eed3si9n in https://github.com/sbt/sbt/pull/7597
• Update to Launcher 1.4.3 by @​eed3si9n in https://github.com/sbt/sbt/pull/7598
• Update to the common Scala 2.12 version for the sbtn subproject by @​SlowBrainDude in https://github.com/sbt/sbt/pull/7605
• Note in dev docs on supported build time JDK version dependency by @​SlowBrainDude in https://github.com/sbt/sbt/pull/7606
• CI: Zinc default branch is 1.10.x by @​adpi2 in https://github.com/sbt/sbt/pull/7654
• Upgrade sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in https://github.com/sbt/sbt/pull/7555
• Update Scala 3 doc test by @​eed3si9n in https://github.com/sbt/sbt/pull/7619
• Bump scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in https://github.com/sbt/sbt/pull/7565
• Fixes dependency-management/force-update-period test (backport of #​7538) by @​adpi2 in https://github.com/sbt/sbt/pull/7567
• Fixes BuildServerTest by @​adpi2 in https://github.com/sbt/sbt/pull/7638

New contributors

• @​invadergir made their first contribution in https://github.com/sbt/sbt/pull/7585
• @​rochala made their first contribution in https://github.com/sbt/zinc/pull/1395
• @​SlowBrainDude made their first contribution in https://github.com/sbt/sbt/pull/7606
• @​lervag made their first contribution in https://github.com/sbt/sbt/pull/7651

Full Changelog: sbt/sbt@v1.10.0...v1.10.2

v1.10.1: 1.10.1

Compare Source

bug fixes and updates

• Fixes column/position information missing from the javac error messages in IntelliJ by @​vasilmkd in https://github.com/sbt/zinc/pull/1373
• Fixes backslash handling in expandMavenSettings by @​desbo in https://github.com/sbt/librarymanagement/pull/444
• Fixes JSON serialization of Map and LList in sjson-new 0.10.1 by @​steinybot + @​eed3si9n in https://github.com/eed3si9n/sjson-new/pull/142
• Fixes the hash code for empty files in the classpath cache by @​szeiger in https://github.com/sbt/zinc/pull/1366
• Fixes forceUpdatePeriod by @​adpi2 in https://github.com/sbt/sbt/pull/7567
• Fixes BSP handling of Optional inter-project dependencies by @​adpi2 in https://github.com/sbt/sbt/pull/7568
• Ignores jcenter and scala-tools-releases entries in the ~/.sbt/repositories file by @​eed3si9n in https://github.com/sbt/launcher/pull/104

behind the scenes

• Updates sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in https://github.com/sbt/sbt/pull/7555
• Updates scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in https://github.com/sbt/sbt/pull/7565

Full Changelog: sbt/sbt@v1.10.0...v1.10.1

v1.10.0: 1.10.0

Compare Source

Changes with compatibility implications

• For SIP-51 support, scalaVersion can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.
• ConsistentAnalysisFormat is enabled by default. See below for details.
• Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #​7513.
• Updates Jsch to mwiede/jsch fork by @​azolotko in lm#436
• Updates the Scala version used by sbt 1.x to 2.12.19 by @​SethTisue in #​7516.

SIP-51 Support for Scala 2.13 Evolution

Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:

I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.

Lukas has also contributed changes to sbt 1.10.0 to enforce stricter scalaVersion. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than scalaVersion is found, it will fail the build as follows:

sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.

When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):

ThisBuild / scalaVersion := "2.13.10"

Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected scalaVersion, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respect scalaVersion to be the source-of-truth, but will reject bad ones at build time.

This was contributed by Lukas Rytz in #​7480.

Zinc fixes

• Fixes macro undercompilation by invalidating macro call sites when a type parameter changes by @​Friendseeker in zinc#1316
• Fixes macro undercompilation by invalidating macro source when its dependency changes by @​dwijnand in zinc#1282
• Fixes SAM type undercompilation by @​Friendseeker in zinc#1288
• Fixes infinite incremental loop when Scala and Java are involved by @​Friendseeker in zinc#1312
• Fixes overcompilation on default parameter changes by @​Friendseeker in zinc#1324
• Fixes IncOptions.useOptimizedSealed not working for Scala 2.13 by @​Friendseeker in zinc#1278
• Includes extra invalidations in initial validation to fix initial compilation error by @​Friendseeker in zinc#1284
• Refixes compact names without breaking local names by @​dwijnand in zinc#1259
• Undoes Protobuf workaround for build to work on Apple Silicon by @​Friendseeker in zinc#1277
• Uses ClassTag instead of Manifest by @​xuwei-k in zinc#1265
• Encodes parent trait private members in extraHash to propagate TraitPrivateMembersModified across external dependency by @​Friendseeker in zinc#1289
• Includes internal dependency in extraHash computation by @​Friendseeker in zinc#1290
• Deletes products of previous analysis when dropping previous analysis by @​Friendseeker in zinc#1293
• Uses the most up-to-date analysis for binary to source class name lookup by @​Friendseeker in zinc#1287
• Fixes inconsistent Analysis by removing source stamp caching by @​Friendseeker in zinc#1319
• Invalidate sources that depends on @inline methods in Scala 2.x by @​Friendseeker in zinc#1310
• Fixes -Xshow-phases handling by @​Friendseeker in zinc#1314

ConsistentAnalysisFormat: new Zinc Analysis serialization

sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:

	Write time	Read time	File size
sbt Text	1002 ms	791 ms	~ 7102 kB
sbt Binary	654 ms	277 ms	~ 6182 kB
ConsistentBinary	157 ms	100 ms	3097 kB

Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:

Global / enableConsistentCompileAnalysis := false

This was contributed by Stefan Zeiger at Databricks in zinc#1326.

New CommandProgress API

sbt 1.10.0 adds a new CommandProgress API.

This was contributed by Iulian Dragos at Gradle Inc in #​7350.

Other updates

• Updates to JLine 3.24.1 and JAnsi 2.4.1 by @​hvesalai/@​mazugrin in #​7419/#​7545
• Supports cross-build for external project ref by @​RustedBones in #​7389
• Avoids deprecated java.net.URL constructor by @​xuwei-k in #​7398
• Fixes bug of unmanagedResourceDirectories by @​minkyu97 in #​7178
• Fixes updateSbtClassifiers task by @​azdrojowa123 in #​7437
• Fixes packageSrc to include managedSources by @​Friendseeker in #​7470
• Fixes publishing to use the publisher specified using the publisher setting by @​Tammo0987 in #​7475
• Fixes eviction warning message by avoid repeating versions by @​rtyley in lm#433
• BSP: Implements buildTarget/javacOptions by @​adpi2 in #​7352
• BSP: Adds noOp field in the compile report by @​adpi2 in #​7496

v1.9.9: 1.9.9

Compare Source

Bug fixes

• To fix console task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @​hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502
• To fix sbt 1.9.8's UnsatisfiedLinkError with stat, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @​eed3si9n in https://github.com/sbt/io/pull/367

Full Changelog: sbt/sbt@v1.9.8...v1.9.9

v1.9.8: 1.9.8

Compare Source

updates

• Fixes IO.getModifiedOrZero on Alpine etc, by using clib stat() instead of non-standard __xstat64 abi by @​bratkartoffel in https://github.com/sbt/io/pull/362
• As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @​hvesalai in https://github.com/sbt/sbt/pull/7420
• Backports fix for updateSbtClassifiers not downloading sources https://github.com/sbt/sbt/pull/7437 by @​azdrojowa123
• Backports missing logger methods that take Java Supplier https://github.com/sbt/sbt/pull/7447 by @​mkurz

Full Changelog: sbt/sbt@v1.9.7...v1.9.8

v1.9.7: 1.9.7

Compare Source

Highlights

• sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

• Updates Coursier to 2.1.7 by @​regiskuckaertz in #​7392
• Updates Swoval to 2.1.12 by @​eatkins in io#353.
• Fixes .sbtopts support for sbt runner script on Windows by @​ptrdom in #​7393
• Adds documentation on scriptedSbt key by @​mdedetrich in #​7383
• Includes the URL in dependencyBrowseTree log by @​mkurz in #​7396

v1.9.6: 1.9.6

Compare Source

bug fix

• sbt 1.9.6 reverts "internal representation of class symbol names" change (https://github.com/sbt/zinc/pull/1244), which caused Scala compiler to generate wrong anonymous class name by @​eed3si9n in https://github.com/sbt/zinc/pull/1256. See https://github.com/scala/bug/issues/12868 for more details.

Full Changelog: sbt/sbt@v1.9.5...v1.9.6

v1.9.5: 1.9.5

Compare Source

Update: ⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704

highlights

• Switches to pre-compiled compiler bridge for Scala 2.13.12+ #​7374 by @​eed3si9n
• Fixes NPE when just -X is passed to scalacOptions zinc#1246 by @​unkarjedy

other updates

• Fixes internal representation of class symbol names zinc#1244 by @​dwijnand
• Fixes NumberFormatException in CrossVersionUtil.binaryScalaVersion lm#426 by @​HelloKunal
• Fixes scripted client/server instability on Windows #​7087 by @​mdedetrich
• Fixes sbt launcher script bug on Windows #​7365 by @​JD557
• Fixes help command on oldshell #​7358 by @​azdrojowa123
• Adds allModuleReports to UpdateReport lm#428 by @​mdedetrich
• Handles javac warning messages zinc#1228 by @​Arthurm1
• Enables inliner for Scala 2.13 compiler bridge zinc#1247 by @​mdedetrich

new contributors

• @​azdrojowa123 made their first contribution in https://github.com/sbt/sbt/pull/7358
• @​JD557 made their first contribution in https://github.com/sbt/sbt/pull/7367

Full Changelog: sbt/sbt@v1.9.4...v1.9.5

v1.9.4: 1.9.4

Compare Source

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

With coordination with Apache Foundation, Adrien Piquerez (@​adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

• Fixes sbt_script lookup by replacing all spaces with %20 (not only the first one) in the path. by @​arturaz in https://github.com/sbt/sbt/pull/7349
• Fixes scala-debug-adapter#543: Maintain order of internal deps by @​adpi2 in https://github.com/sbt/sbt/pull/7347
• Removes conscriptConfigs task, not used and needed(?) anymore by @​mkurz in https://github.com/sbt/sbt/pull/7353
• Adds a Scala 3 seed to the sbt new menu by @​SethTisue in https://github.com/sbt/sbt/pull/7354

new contributors

• @​arturaz made their first contribution in https://github.com/sbt/sbt/pull/7349

Full Changelog: sbt/sbt@v1.9.3...v1.9.4

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.