Sbt Versions

sbt, the interactive build tool

v1.9.9

2 months ago

Bug fixes

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.8...v1.9.9

v1.9.8

4 months ago

updates

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.7...v1.9.8

v1.10.0-M1

4 months ago

Zinc fixes

updates

behind the scene

new contributors

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.6...v1.10.0-M1

v1.9.7

6 months ago

Highlights

  • sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

A path traversal vulnerability was discovered in the IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary files. The following is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote; however, many projects use IO.unzip(...) directly to implement custom tasks and tests.
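For builds that cannot move to the fixed IO module right away and call an unzip routine from custom tasks, the check that closes this class of bug is to resolve every entry name against the target directory and reject any result that lands outside it. The following is an added example, not sbt's io#360 patch or code from the advisory; `SafeUnzip`, `resolveInside` and the constructed archive are assumptions, and only JDK classes are used.

```scala
import java.io.IOException
import java.nio.file.{Files, Path}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

object SafeUnzip {
  /** Resolve an entry name under destDir; reject names that escape it. */
  def resolveInside(destDir: Path, entryName: String): Path = {
    val root = destDir.toAbsolutePath.normalize()
    // An absolute entry name replaces root on resolve(); "../" segments are
    // collapsed by normalize(). Both cases then fail the startsWith check.
    val target = root.resolve(entryName).normalize()
    if (!target.startsWith(root))
      throw new IOException(s"zip entry escapes target directory: $entryName")
    target
  }

  /** Extract zipFile into destDir, aborting on the first escaping entry. */
  def unzip(zipFile: Path, destDir: Path): List[Path] = {
    val in = new ZipInputStream(Files.newInputStream(zipFile))
    try {
      Iterator.continually(in.getNextEntry).takeWhile(_ != null).map { entry =>
        val target = resolveInside(destDir, entry.getName)
        if (entry.isDirectory) Files.createDirectories(target)
        else {
          Files.createDirectories(target.getParent)
          Files.copy(in, target) // reads only the current entry's bytes
        }
        target
      }.toList
    } finally in.close()
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample archive: one benign entry, one traversal entry.
    val work = Files.createTempDirectory("zipslip-demo")
    val zip = work.resolve("constructed.zip")
    val out = new ZipOutputStream(Files.newOutputStream(zip))
    for (name <- List("ok/readme.txt", "../../escaped.txt")) {
      out.putNextEntry(new ZipEntry(name))
      out.write("demo".getBytes("UTF-8"))
      out.closeEntry()
    }
    out.close()
    val dest = Files.createDirectories(work.resolve("a/b"))
    try unzip(zip, dest)
    catch { case e: IOException => println(s"rejected: ${e.getMessage}") }
    println(s"escaped file written: ${Files.exists(work.resolve("escaped.txt"))}")
  }
}
```

`Path.startsWith` compares whole path components, so a sibling directory whose name merely begins with the target's name does not pass the check. `normalize()` does not follow symbolic links, so this guard covers entry names only.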

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flop their behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins neither of which depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order. This was contributed by @eed3si9n in #7404.

Other updates and fixes

v1.9.6

7 months ago

bug fix

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.5...v1.9.6

v1.9.5

7 months ago

Update: ⚠️ sbt 1.9.5 is broken, because it causes the Scala compiler to generate wrong class names for anonymous classes on lambdas. While we investigate, please refrain from publishing libraries with it. https://github.com/scala/bug/issues/12868#issuecomment-1720848704

highlights

other updates

new contributors

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.4...v1.9.5

v1.9.4

7 months ago

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

In coordination with the Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

new contributors

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.3...v1.9.4

v1.9.3

8 months ago

Actionable diagnostics (aka quickfix)

Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.

sbt 1.9.3 adds a new interface called AnalysisCallback2 to relay code actions from the compiler(s) to Zinc's Analysis file. Future versions of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with the -deprecation flag.

This was contributed by Eugene Yokota (@eed3si9n) in zinc#1226. Special thanks to @lrytz for identifying this issue in zinc#1214.

other updates

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.2...v1.9.3

v1.9.2

9 months ago

Fix

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.1...v1.9.2

v1.9.1

9 months ago

Change to Scala CLA

sbt 1.9.1 is the first release of sbt after changing to Scala CLA in #7306 etc. A number of contributors to sbt voiced concerns about donating our work to Lightbend after 2022, and Lightbend, Scala Center, and I agreed on changing the contributor license agreement such that the copyright would transfer to Scala Center, a non-profit organization. sbt and its subcomponents, including Zinc, will remain available under Apache v2 license.

Updates

  • Fixes "Repository for publishing is not specified" error even when publish / skip is set true by @adpi2 in #7295
  • Fixes scripted test not working when sbtPluginPublishLegacyMavenStyle := false by @adpi2 in #7286
  • Fixes copy-pasting to sbt console being slow by @andrzejressel in #7280
  • Fixes missing range in BSP Diagnostic by @adpi2 in #7298
  • Fixes zip64 offset writing by @dwijnand in zinc#1206
  • Fixes a typo in the description of exportPipelining key by @alexklibisz in #7291
  • dependencyBrowseGraph and dependencyDot render in color by @sideeffffect in #7301. This can be opted-out using dependencyDotNodeColors setting.
  • Adds softwaremill/tapir.g8 to sbt new default menu by @katlasik in #7300
  • Makes sbt new default menu extensible via templateDescriptions setting key and templateRunLocal input key by @eed3si9n in #7304
  • Adds Hedgehog Scala to default test framework by @kevin-lee in #7287
  • Updates semanticdbVersion to 4.7.8 by @ckipp01 in #7294
  • Updates JNA to 5.13.0 by @xuwei-k in io#346
  • Updates Scala 2.13 for Zinc etc to 2.13.11 by @mkurz in #7279
  • Updates sbtn to 1.9.0 by @mkurz in #7290
  • Updates Scala Toolkit to 0.2.0 by @eed3si9n in #7318

Behind the scene

new contributors

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.0...v1.9.1