Update dependency sbt/sbt to v1.10.1

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	minor	1.9.6 -> 1.10.1

---

Release Notes

sbt/sbt (sbt/sbt)

v1.10.1: 1.10.1

Compare Source

bug fixes and updates

• Fixes backslash handling in expandMavenSettings by @​desbo in https://github.com/sbt/librarymanagement/pull/444
• Fixes JSON serialization of Map and LList in sjson-new 0.10.1 by @​steinybot + @​eed3si9n in https://github.com/eed3si9n/sjson-new/pull/142
• Fixes the hash code for empty files in the classpath cache by @​szeiger in https://github.com/sbt/zinc/pull/1366
• Parses column/position information from javac error messages by @​vasilmkd in https://github.com/sbt/zinc/pull/1373
• Fixes forceUpdatePeriod by @​adpi2 in https://github.com/sbt/sbt/pull/7567
• Fixes BSP handling of Optional inter-project dependencies by @​adpi2 in https://github.com/sbt/sbt/pull/7568
• Ignores jcenter and scala-tools-releases entries in the ~/.sbt/repositories file by @​eed3si9n in https://github.com/sbt/launcher/pull/104

behind the scenes

• Updates sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in https://github.com/sbt/sbt/pull/7555
• Updates scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in https://github.com/sbt/sbt/pull/7565

Full Changelog: sbt/sbt@v1.10.0...v1.10.1

v1.10.0: 1.10.0

Compare Source

Changes with compatibility implications

• For SIP-51 support, scalaVersion can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.
• ConsistentAnalysisFormat is enabled by default. See below for details.
• Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #​7513.
• Updates Jsch to mwiede/jsch fork by @​azolotko in lm#436
• Updates the Scala version used by sbt 1.x to 2.12.19 by @​SethTisue in #​7516.

SIP-51 Support for Scala 2.13 Evolution

Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:

I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.

Lukas has also contributed changes to sbt 1.10.0 to enforce stricter scalaVersion. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than scalaVersion is found, it will fail the build as follows:

sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.

When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):

ThisBuild / scalaVersion := "2.13.10"

Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected scalaVersion, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respect scalaVersion to be the source-of-truth, but will reject bad ones at build time.

This was contributed by Lukas Rytz in #​7480.

Zinc fixes

• Fixes macro undercompilation by invalidating macro call sites when a type parameter changes by @​Friendseeker in zinc#1316
• Fixes macro undercompilation by invalidating macro source when its dependency changes by @​dwijnand in zinc#1282
• Fixes SAM type undercompilation by @​Friendseeker in zinc#1288
• Fixes infinite incremental loop when Scala and Java are involved by @​Friendseeker in zinc#1312
• Fixes overcompilation on default parameter changes by @​Friendseeker in zinc#1324
• Fixes IncOptions.useOptimizedSealed not working for Scala 2.13 by @​Friendseeker in zinc#1278
• Includes extra invalidations in initial validation to fix initial compilation error by @​Friendseeker in zinc#1284
• Refixes compact names without breaking local names by @​dwijnand in zinc#1259
• Undoes Protobuf workaround for build to work on Apple Silicon by @​Friendseeker in zinc#1277
• Uses ClassTag instead of Manifest by @​xuwei-k in zinc#1265
• Encodes parent trait private members in extraHash to propagate TraitPrivateMembersModified across external dependency by @​Friendseeker in zinc#1289
• Includes internal dependency in extraHash computation by @​Friendseeker in zinc#1290
• Deletes products of previous analysis when dropping previous analysis by @​Friendseeker in zinc#1293
• Uses the most up-to-date analysis for binary to source class name lookup by @​Friendseeker in zinc#1287
• Fixes inconsistent Analysis by removing source stamp caching by @​Friendseeker in zinc#1319
• Invalidate sources that depends on @inline methods in Scala 2.x by @​Friendseeker in zinc#1310
• Fixes -Xshow-phases handling by @​Friendseeker in zinc#1314

ConsistentAnalysisFormat: new Zinc Analysis serialization

sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:

	Write time	Read time	File size
sbt Text	1002 ms	791 ms	~ 7102 kB
sbt Binary	654 ms	277 ms	~ 6182 kB
ConsistentBinary	157 ms	100 ms	3097 kB

Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:

Global / enableConsistentCompileAnalysis := false

This was contributed by Stefan Zeiger at Databricks in zinc#1326.

New CommandProgress API

sbt 1.10.0 adds a new CommandProgress API.

This was contributed by Iulian Dragos at Gradle Inc in #​7350.

Other updates

• Updates to JLine 3.24.1 and JAnsi 2.4.1 by @​hvesalai/@​mazugrin in #​7419/#​7545
• Supports cross-build for external project ref by @​RustedBones in #​7389
• Avoids deprecated java.net.URL constructor by @​xuwei-k in #​7398
• Fixes bug of unmanagedResourceDirectories by @​minkyu97 in #​7178
• Fixes updateSbtClassifiers task by @​azdrojowa123 in #​7437
• Fixes packageSrc to include managedSources by @​Friendseeker in #​7470
• Fixes publishing to use the publisher specified using the publisher setting by @​Tammo0987 in #​7475
• Fixes eviction warning message by avoid repeating versions by @​rtyley in lm#433
• BSP: Implements buildTarget/javacOptions by @​adpi2 in #​7352
• BSP: Adds noOp field in the compile report by @​adpi2 in #​7496

v1.9.9: 1.9.9

Compare Source

Bug fixes

• To fix console task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @​hvesalai in https://github.com/sbt/sbt/pull/7503 / https://github.com/sbt/sbt/issues/7502
• To fix sbt 1.9.8's UnsatisfiedLinkError with stat, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @​eed3si9n in https://github.com/sbt/io/pull/367

Full Changelog: sbt/sbt@v1.9.8...v1.9.9

v1.9.8: 1.9.8

Compare Source

updates

• Fixes IO.getModifiedOrZero on Alpine etc, by using clib stat() instead of non-standard __xstat64 abi by @​bratkartoffel in https://github.com/sbt/io/pull/362
• As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @​hvesalai in https://github.com/sbt/sbt/pull/7420
• Backports fix for updateSbtClassifiers not downloading sources https://github.com/sbt/sbt/pull/7437 by @​azdrojowa123
• Backports missing logger methods that take Java Supplier https://github.com/sbt/sbt/pull/7447 by @​mkurz

Full Changelog: sbt/sbt@v1.9.7...v1.9.8

v1.9.7: 1.9.7

Compare Source

Highlights

• sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

• Updates Coursier to 2.1.7 by @​regiskuckaertz in #​7392
• Updates Swoval to 2.1.12 by @​eatkins in io#353.
• Fixes .sbtopts support for sbt runner script on Windows by @​ptrdom in #​7393
• Adds documentation on scriptedSbt key by @​mdedetrich in #​7383
• Includes the URL in dependencyBrowseTree log by @​mkurz in #​7396

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.