Releases: sbt/sbt

1.10.0-RC2

15 Apr 05:48
v1.10.0-RC2
Pre-release

Changes since sbt 1.10.0-RC1

  • ConsistentAnalysisFormat is enabled by default.
  • Updates to SIP-51 error message.

Changes with compatibility implications

  • For SIP-51 support, scalaVersion can no longer be a lower 2.13.x version number than its transitive dependencies. See below for details.
  • Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #7513.
  • Updates Jsch to mwiede/jsch fork by @azolotko in lm#436
  • Updates the Scala version used by sbt 1.x to 2.12.19 by @SethTisue in #7516.

SIP-51 Support for Scala 2.13 Evolution

Modern Scala 2.x has kept both forward and backward binary compatibility, so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc., and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz of the Lightbend Scala team proposed:

I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.

Lukas has also contributed changes to sbt 1.10.0 to enforce a stricter scalaVersion. Starting with sbt 1.10.0, when a Scala 2.13.x patch version newer than scalaVersion is found, sbt will fail the build as follows:

sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.

When you see an error message like the one above, you can fix it by updating the Scala version to the suggested version (e.g. 2.13.10):

ThisBuild / scalaVersion := "2.13.10"

Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created confusion, as developers expected scalaVersion, the compiler version, and the scala-library version to align. With hindsight, sbt 1.10.0 will continue to respect scalaVersion as the source of truth, but will reject bad ones at build time.

This was contributed by Lukas Rytz in #7480.

Zinc fixes

ConsistentAnalysisFormat: new Zinc Analysis serialization

sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:

Format            Write time  Read time  File size
sbt Text          1002 ms     791 ms     ~ 7102 kB
sbt Binary        654 ms      277 ms     ~ 6182 kB
ConsistentBinary  157 ms      100 ms     3097 kB

Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:

Global / enableConsistentCompileAnalysis := false

This was contributed by Stefan Zeiger at Databricks in zinc#1326.

New CommandProgress API

sbt 1.10.0 adds a new CommandProgress API.

This was contributed by Iulian Dragos at Gradle Inc in #7350.

Other updates

1.10.0-RC1

09 Apr 06:56
v1.10.0-RC1
4c642e6
Pre-release

Changes with compatibility implications

  • For SIP-51 support, scalaVersion can no longer be a lower 2.13.x version number than its transitive dependencies. See below for details.
  • Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #7513.
  • Updates Jsch to mwiede/jsch fork by @azolotko in lm#436
  • Updates the Scala version used by sbt 1.x to 2.12.19 by @SethTisue in #7516.

SIP-51 Support for Scala 2.13 Evolution

Modern Scala 2.x has kept both forward and backward binary compatibility, so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc., and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz of the Lightbend Scala team proposed:

I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.

Lukas has also contributed changes to sbt 1.10.0 to enforce a stricter scalaVersion. Starting with sbt 1.10.0, when a Scala 2.13.x patch version newer than scalaVersion is found, sbt will fail the build as follows:

sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) `foo/scalaVersion` needs to be upgraded to 2.13.10. To support backwards-only
[error] binary compatibility (SIP-51), the Scala compiler cannot be older than scala-library on the
[error] dependency classpath. See `foo/evicted` why scala-library was upgraded from 2.13.5 to 2.13.10.

When you see an error message like the one above, you can fix it by updating the Scala version to the suggested version (e.g. 2.13.10):

ThisBuild / scalaVersion := "2.13.10"

Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created confusion, as developers expected scalaVersion, the compiler version, and the scala-library version to align. With hindsight, sbt 1.10.0 will continue to respect scalaVersion as the source of truth, but will reject bad ones at build time.

This was contributed by Lukas Rytz in #7480.

Zinc fixes

ConsistentAnalysisFormat: new Zinc Analysis serialization

sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Note: We missed this for RC-1. We will adopt this in RC-2.

This was contributed by Stefan Zeiger in zinc#1326.

New CommandProgress API

sbt 1.10.0 adds a new CommandProgress API.

This was contributed by @dragos in #7350.

Other updates

new contributors

Full Changelog: v1.9.9...v1.10.0-RC1

1.9.9

23 Feb 05:52
v1.9.9

Bug fixes

  • To fix console task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in #7503 / #7502
  • To fix sbt 1.9.8's UnsatisfiedLinkError with stat, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in sbt/io#367

Full Changelog: v1.9.8...v1.9.9

1.9.8

14 Dec 04:22
v1.9.8

updates

  • Fixes IO.getModifiedOrZero on Alpine etc, by using clib stat() instead of non-standard __xstat64 abi by @bratkartoffel in sbt/io#362
  • As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @hvesalai in #7420
  • Backports fix for updateSbtClassifiers not downloading sources #7437 by @azdrojowa123
  • Backports missing logger methods that take Java Supplier #7447 by @mkurz

Full Changelog: v1.9.7...v1.9.8

1.10.0-M1

07 Dec 07:42
v1.10.0-M1
2d974be
Pre-release

Zinc fixes

updates

behind the scene

new contributors

Full Changelog: v1.9.6...v1.10.0-M1

1.9.7

22 Oct 23:08
v1.9.7

Highlights

  • sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

A path traversal vulnerability was discovered in the IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing an arbitrary file. The following is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote; however, many projects use IO.unzip(...) directly to implement custom tasks and tests.
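The general Zip Slip mitigation, as an added example (not sbt's own code and not the change made in io#360): every entry name is resolved against the target directory and normalized, and extraction stops at the first entry whose destination falls outside it. SafeUnzip, resolveInside, unzip and zipOf are hypothetical names, and the archives are constructed in memory.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InputStream}
import java.nio.file.{Files, Path, StandardCopyOption}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

// Added illustration; SafeUnzip and its members are hypothetical names, not sbt's IO API.
object SafeUnzip {
  /** Resolve an entry name under targetDir; None if the result would leave targetDir. */
  def resolveInside(targetDir: Path, entryName: String): Option[Path] = {
    val root = targetDir.toAbsolutePath.normalize
    val dest = root.resolve(entryName).normalize // collapses ".."; an absolute name replaces root
    if (dest != root && dest.startsWith(root)) Some(dest) else None // component-wise prefix check
  }

  /** Extract entries in order; throws on the first entry that would escape targetDir. */
  def unzip(in: InputStream, targetDir: Path): List[Path] = {
    val zis = new ZipInputStream(in)
    try {
      Iterator.continually(zis.getNextEntry).takeWhile(_ != null).map { e =>
        val dest = resolveInside(targetDir, e.getName).getOrElse(
          throw new SecurityException(s"entry escapes target directory: ${e.getName}"))
        if (e.isDirectory) Files.createDirectories(dest)
        else {
          Files.createDirectories(dest.getParent)
          Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING) // reads the current entry only
        }
        dest
      }.toList
    } finally zis.close()
  }

  // Constructed sample input: a small in-memory archive with the given entry names.
  def zipOf(names: String*): Array[Byte] = {
    val bos = new ByteArrayOutputStream()
    val zos = new ZipOutputStream(bos)
    names.foreach { n =>
      zos.putNextEntry(new ZipEntry(n)); zos.write("demo".getBytes("UTF-8")); zos.closeEntry()
    }
    zos.close()
    bos.toByteArray
  }

  def main(args: Array[String]): Unit = {
    val dir = Files.createTempDirectory("unzip-demo")
    println(unzip(new ByteArrayInputStream(zipOf("lib/a.txt", "b.txt")), dir)) // both paths under dir
    // The entry name quoted in the advisory resolves outside dir, so the check returns None.
    println(resolveInside(dir, "../../../../../../root/.ssh/authorized_keys"))
    try unzip(new ByteArrayInputStream(zipOf("ok.txt", "../outside.txt")), dir)
    catch { case e: SecurityException => println(s"rejected: ${e.getMessage}") }
  }
}
```

The check compares normalized paths only; it does not resolve symbolic links that already exist inside the target directory.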

Non-determinism from AutoPlugins loading

We've known that some builds occasionally flip-flop their behavior non-deterministically when a task or a setting is set by two independent AutoPlugins, i.e. two plugins where neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.

Other updates and fixes

1.9.6

15 Sep 16:08
v1.9.6

bug fix

Full Changelog: v1.9.5...v1.9.6

1.9.5

14 Sep 05:21
v1.9.5

Update: ⚠️ sbt 1.9.5 is broken, because it causes the Scala compiler to generate wrong class names for anonymous classes on lambdas. While we investigate, please refrain from publishing libraries with it.
scala/bug#12868 (comment)

highlights

other updates

new contributors

Full Changelog: v1.9.4...v1.9.5

1.9.4

25 Aug 01:32
v1.9.4

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

In coordination with the Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

  • Fixes sbt_script lookup by replacing all spaces with %20 (not only the first one) in the path by @arturaz in #7349
  • Fixes scala-debug-adapter#543: Maintain order of internal deps by @adpi2 in #7347
  • Removes conscriptConfigs task, not used and needed(?) anymore by @mkurz in #7353
  • Adds a Scala 3 seed to the sbt new menu by @SethTisue in #7354

new contributors

Full Changelog: v1.9.3...v1.9.4

1.9.3

24 Jul 06:19
v1.9.3

Actionable diagnostics (aka quickfix)

Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.

sbt 1.9.3 adds a new interface called AnalysisCallback2 to relay code actions from the compiler(s) to Zinc's Analysis file. Future versions of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on the current Scala 2.13.11 with the -deprecation flag.

This was contributed by Eugene Yokota (@eed3si9n) in zinc#1226. Special thanks to @lrytz for identifying this issue in zinc#1214.

other updates

  • Adds M1/M2/Aarch64 build of sbtn into the installer by @julienrf in #7329
  • Fixes scripted tests timing out after 5 minutes by @eed3si9n in #7336

Full Changelog: v1.9.2...v1.9.3