sbt, the interactive build tool
console
task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502
UnsatisfiedLinkError
with stat
, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in https://github.com/sbt/io/pull/367
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.8...v1.9.9
IO.getModifiedOrZero
on Alpine etc, by using clib stat()
instead of non-standard __xstat64
abi by @bratkartoffel in https://github.com/sbt/io/pull/362
updateSbtClassifiers
not downloading sources https://github.com/sbt/sbt/pull/7437 by @azdrojowa123Full Changelog: https://github.com/sbt/sbt/compare/v1.9.7...v1.9.8
ClassTag
instead of Manifest
by @xuwei-k in https://github.com/sbt/zinc/pull/1265
extraHash
to propagate TraitPrivateMembersModified
across external dependency by @Friendseeker in https://github.com/sbt/zinc/pull/1289
extraHash
computation by @Friendseeker in https://github.com/sbt/zinc/pull/1290
buildTarget/javacOptions
by @adpi2 in https://github.com/sbt/sbt/pull/7352
.sbtopts
file and JAVA_TOOL_OPTIONS
environmental variable by @ptrdom in https://github.com/sbt/sbt/pull/7393
java.net.URL
constructor by @xuwei-k in https://github.com/sbt/sbt/pull/7398
updateSbtClassifiers
task by @azdrojowa123 in https://github.com/sbt/sbt/pull/7437
NoSuchMethodError
when call runFinalization
by @xuwei-k in https://github.com/sbt/sbt/pull/7399
dependencyBrowseTree
by @mkurz in https://github.com/sbt/sbt/pull/7396
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.6...v1.10.0-M1
IO.unzip
. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.See https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.
Path traversal vulnerabilty was discovered in IO.unzip
code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.
Given a specially crafted zip or JAR file, IO.unzip
allows writing of arbitrary file. The follow is an example of a malicious entry:
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
When executed on some path with six levels, IO.unzip
could then overwrite a file under /root/
. sbt main uses IO.unzip
only in pullRemoteCache
and Resolvers.remote
, however, many projects use IO.unzip(...)
directly to implement custom tasks and tests.
We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order. This was contributed by @eed3si9n in #7404.
Updates Coursier to 2.1.7 by @regiskuckaertz in #7392
Fixes .sbtopts
support for sbt
runner script on Windows by @ptrdom in #7393
Adds documentation on scriptedSbt
key by @mdedetrich in #7383
Includes the URL in dependencyBrowseTree
log by @mkurz in #7396
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.5...v1.9.6
Update: ⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it. https://github.com/scala/bug/issues/12868#issuecomment-1720848704
-X
is passed to scalacOptions
zinc#1246 by @unkarjedy
NumberFormatException
in CrossVersionUtil.binaryScalaVersion
lm#426 by @HelloKunal
scripted
client/server instability on Windows #7087 by @mdedetrich
sbt
launcher script bug on Windows #7365 by @JD557
help
command on oldshell #7358 by @azdrojowa123
allModuleReports
to UpdateReport
lm#428 by @mdedetrich
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.4...v1.9.5
CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.
With coordination with Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.
sbt_script
lookup by replacing all spaces with %20
(not only the first one) in the path. by @arturaz in https://github.com/sbt/sbt/pull/7349
conscriptConfigs
task, not used and needed(?) anymore by @mkurz in https://github.com/sbt/sbt/pull/7353
sbt new
menu by @SethTisue in https://github.com/sbt/sbt/pull/7354
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.3...v1.9.4
Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.
sbt 1.9.3 adds a new interface called AnalysisCallback2
to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with -deprecation
flag.
This was contributed by Eugene Yokota (@eed3si9n) in zinc#1226. Special thanks to @lrytz for identifying this issue in zinc#1214.
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.2...v1.9.3
++
fall back to a bincompat Scala version by @eed3si9n in https://github.com/sbt/sbt/pull/7328
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.1...v1.9.2
sbt 1.9.1 is the first release of sbt after changing to Scala CLA in #7306 etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would tranfer to Scala Center, a non-profit organization. sbt and its subcompoments, including Zinc, will remain available under Apache v2 license.
publish / skip
is set true
by @adpi2 in #7295
sbtPluginPublishLegacyMavenStyle := false
by @adpi2 in #7286
sbt console
being slow by @andrzejressel in #7280
exportPipelining
key by @alexklibisz in #7291
dependencyBrowseGraph
and dependencyDot
render in color by @sideeffffect in #7301. This can be opted-out using dependencyDotNodeColors
setting.sbt new
default menu by @katlasik in #7300
sbt new
default menu extensible via templateDescriptions
setting key and templateRunLocal
input key by @eed3si9n in #7304
semanticdbVersion
to 4.7.8 by @ckipp01 in #7294
@tailrec
annotation by @xuwei-k in zinc#1209
DEVELOPING.md
by @dongxuwang in #7299
java.net.URL
constructor by @xuwei-k in #7315
filter
to withFilter
where possible by @xuwei-k in #7317
Full Changelog: https://github.com/sbt/sbt/compare/v1.9.0...v1.9.1