abdolence / sbt-gcs-resolver

SBT plugin for Google Cloud Storage (GCS) and Google Artifact Registry with Coursier support
Apache License 2.0

chore(deps): update dependency sbt/sbt to v1.9.7 #52

Closed renovate[bot] closed 9 months ago

renovate[bot] commented 1 year ago


This PR contains the following updates:

| Package | Update | Change |
|---------|--------|--------|
| sbt/sbt | patch  | 1.9.2 -> 1.9.7 |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

sbt/sbt (sbt/sbt)

### [`v1.9.7`](https://togithub.com/sbt/sbt/releases/tag/v1.9.7): 1.9.7

[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.6...v1.9.7)

##### Highlights

- sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in `IO.unzip`. This was discovered and reported by Kenji Yoshida ([@xuwei-k][@xuwei-k]), and fixed by [@eed3si9n][@eed3si9n] in [io#360][io360].

##### Zip Slip (arbitrary file write) vulnerability

See for the most up to date information. This affects all sbt versions prior to 1.9.7.

A path traversal vulnerability was discovered in the `IO.unzip` code. This is a very common vulnerability known as [Zip Slip](https://security.snyk.io/research/zip-slip-vulnerability), and was found and fixed in plexus-archiver, Ant, etc. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of an arbitrary file. The following is an example of a malicious entry:

```
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
```

When executed on some path with six levels, `IO.unzip` could then overwrite a file under `/root/`.

sbt main uses `IO.unzip` only in `pullRemoteCache` and `Resolvers.remote`; however, many projects use `IO.unzip(...)` directly to implement custom tasks and tests.

##### Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flop their behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins where neither depends on the other. sbt 1.9.7 attempts to fix the non-determinism of plugin loading order. This was contributed by [@eed3si9n][@eed3si9n] in [#7404][7404].

##### Other updates and fixes

- Updates Coursier to 2.1.7 by [@regiskuckaertz][@regiskuckaertz] in [#7392][7392]
- Updates Swoval to 2.1.12 by [@eatkins][@eatkins] in [io#353][io353]
- Fixes `.sbtopts` support for the `sbt` runner script on Windows by [@ptrdom][@ptrdom] in [#7393][7393]
- Adds documentation on the `scriptedSbt` key by [@mdedetrich][@mdedetrich] in [#7383][7383]
- Includes the URL in the `dependencyBrowseTree` log by [@mkurz][@mkurz] in [#7396][7396]

[@eed3si9n]: https://togithub.com/eed3si9n
[@Nirvikalpa108]: https://togithub.com/Nirvikalpa108
[@adpi2]: https://togithub.com/adpi2
[@er1c]: https://togithub.com/er1c
[@eatkins]: https://togithub.com/eatkins
[@dwijnand]: https://togithub.com/dwijnand
[@xuwei-k]: https://togithub.com/xuwei-k
[@regiskuckaertz]: https://togithub.com/regiskuckaertz
[@ptrdom]: https://togithub.com/ptrdom
[@mdedetrich]: https://togithub.com/mdedetrich
[@mkurz]: https://togithub.com/mkurz
[7404]: https://togithub.com/sbt/sbt/pull/7404
[7392]: https://togithub.com/sbt/sbt/pull/7392
[7393]: https://togithub.com/sbt/sbt/pull/7393
[7396]: https://togithub.com/sbt/sbt/pull/7396
[7383]: https://togithub.com/sbt/sbt/pull/7383
[io353]: https://togithub.com/sbt/io/pull/353
[io360]: https://togithub.com/sbt/io/pull/360

### [`v1.9.6`](https://togithub.com/sbt/sbt/releases/tag/v1.9.6): 1.9.6

[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.5...v1.9.6)

#### bug fix

- sbt 1.9.6 reverts the "internal representation of class symbol names" change ([https://github.com/sbt/zinc/pull/1244](https://togithub.com/sbt/zinc/pull/1244)), which caused the Scala compiler to generate wrong anonymous class names, by [@eed3si9n](https://togithub.com/eed3si9n) in [https://github.com/sbt/zinc/pull/1256](https://togithub.com/sbt/zinc/pull/1256). See [https://github.com/scala/bug/issues/12868](https://togithub.com/scala/bug/issues/12868) for more details.

**Full Changelog**: https://github.com/sbt/sbt/compare/v1.9.5...v1.9.6

### [`v1.9.5`](https://togithub.com/sbt/sbt/releases/tag/v1.9.5): 1.9.5

[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.4...v1.9.5)

**Update**: ⚠️ sbt 1.9.5 is broken, because it causes the Scala compiler to generate wrong class names for anonymous classes on lambdas. While we investigate, please refrain from publishing libraries with it. [https://github.com/scala/bug/issues/12868#issuecomment-1720848704](https://togithub.com/scala/bug/issues/12868#issuecomment-1720848704)

#### highlights

- Switches to pre-compiled compiler bridge for Scala 2.13.12+ [#7374][7374] by [@eed3si9n][@eed3si9n]
- Fixes NPE when just `-X` is passed to `scalacOptions` [zinc#1246][zinc1246] by [@unkarjedy][@unkarjedy]

#### other updates

- Fixes internal representation of class symbol names [zinc#1244][zinc1244] by [@dwijnand][@dwijnand]
- Fixes `NumberFormatException` in `CrossVersionUtil.binaryScalaVersion` [lm#426][lm426] by [@HelloKunal][@HelloKunal]
- Fixes `scripted` client/server instability on Windows [#7087][7087] by [@mdedetrich][@mdedetrich]
- Fixes `sbt` launcher script bug on Windows [#7365][7365] by [@JD557][@JD557]
- Fixes `help` command on oldshell [#7358][7358] by [@azdrojowa123][@azdrojowa123]
- Adds `allModuleReports` to `UpdateReport` [lm#428][lm428] by [@mdedetrich][@mdedetrich]
- Handles javac warning messages [zinc#1228][zinc1228] by [@Arthurm1][@Arthurm1]
- Enables inliner for Scala 2.13 compiler bridge [zinc#1247][zinc1247] by [@mdedetrich][@mdedetrich]

#### new contributors

- [@azdrojowa123](https://togithub.com/azdrojowa123) made their first contribution in [https://github.com/sbt/sbt/pull/7358](https://togithub.com/sbt/sbt/pull/7358)
- [@JD557](https://togithub.com/JD557) made their first contribution in [https://github.com/sbt/sbt/pull/7367](https://togithub.com/sbt/sbt/pull/7367)

**Full Changelog**: https://github.com/sbt/sbt/compare/v1.9.4...v1.9.5

[@eed3si9n]: https://togithub.com/eed3si9n
[@Nirvikalpa108]: https://togithub.com/Nirvikalpa108
[@adpi2]: https://togithub.com/adpi2
[@er1c]: https://togithub.com/er1c
[@eatkins]: https://togithub.com/eatkins
[@dwijnand]: https://togithub.com/dwijnand
[@mdedetrich]: https://togithub.com/mdedetrich
[@JD557]: https://togithub.com/JD557
[@azdrojowa123]: https://togithub.com/azdrojowa123
[@HelloKunal]: https://togithub.com/HelloKunal
[@unkarjedy]: https://togithub.com/unkarjedy
[@Arthurm1]: https://togithub.com/Arthurm1
[7374]: https://togithub.com/sbt/sbt/pull/7374
[7087]: https://togithub.com/sbt/sbt/pull/7087
[7365]: https://togithub.com/sbt/sbt/issues/7365
[7358]: https://togithub.com/sbt/sbt/pull/7358
[zinc1246]: https://togithub.com/sbt/zinc/pull/1246
[zinc1244]: https://togithub.com/sbt/zinc/pull/1244
[zinc1228]: https://togithub.com/sbt/zinc/pull/1228
[zinc1247]: https://togithub.com/sbt/zinc/pull/1247
[lm426]: https://togithub.com/sbt/librarymanagement/pull/426
[lm428]: https://togithub.com/sbt/librarymanagement/pull/428

### [`v1.9.4`](https://togithub.com/sbt/sbt/releases/tag/v1.9.4): 1.9.4

[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.3...v1.9.4)

##### CVE-2022-46751

[CVE-2022-46751](https://togithub.com/advisories/GHSA-2jc4-r94c-rp7h) is a security vulnerability discovered in Apache Ivy, but found also in Coursier. In coordination with the Apache Foundation, Adrien Piquerez ([@adpi2](https://togithub.com/adpi2)) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

#### Other updates

- Fixes `sbt_script` lookup by replacing all spaces with `%20` (not only the first one) in the path, by [@arturaz](https://togithub.com/arturaz) in [https://github.com/sbt/sbt/pull/7349](https://togithub.com/sbt/sbt/pull/7349)
- Fixes [scala-debug-adapter#543](https://togithub.com/scala-debug-adapter/sbt/issues/543): Maintain order of internal deps by [@adpi2](https://togithub.com/adpi2) in [https://github.com/sbt/sbt/pull/7347](https://togithub.com/sbt/sbt/pull/7347)
- Removes `conscriptConfigs` task, not used and needed(?) anymore, by [@mkurz](https://togithub.com/mkurz) in [https://github.com/sbt/sbt/pull/7353](https://togithub.com/sbt/sbt/pull/7353)
- Adds a Scala 3 seed to the `sbt new` menu by [@SethTisue](https://togithub.com/SethTisue) in [https://github.com/sbt/sbt/pull/7354](https://togithub.com/sbt/sbt/pull/7354)

#### new contributors

- [@arturaz](https://togithub.com/arturaz) made their first contribution in [https://github.com/sbt/sbt/pull/7349](https://togithub.com/sbt/sbt/pull/7349)

**Full Changelog**: https://github.com/sbt/sbt/compare/v1.9.3...v1.9.4

### [`v1.9.3`](https://togithub.com/sbt/sbt/releases/tag/v1.9.3): 1.9.3

[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.2...v1.9.3)

##### Actionable diagnostics (aka quickfix)

Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the [roadmap][actionable] and sent [sbt/sbt#7242][7242] that kickstarted the effort, but now there's been steady progress in [Build Server Protocol][bsp527], [Dotty](https://togithub.com/lampepfl/dotty/issues/17337), [Scala 2.13](https://togithub.com/scala/scala/pull/10406/), IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix. sbt 1.9.3 adds a new interface called `AnalysisCallback2` to relay code actions from the compiler(s) to Zinc's Analysis file.

Future versions of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on the current Scala 2.13.11 with the `-deprecation` flag. This was contributed by Eugene Yokota ([@eed3si9n](https://togithub.com/eed3si9n)) in [zinc#1226][zinc1226]. Special thanks to [@lrytz][@lrytz] for identifying this issue in [zinc#1214](https://togithub.com/sbt/zinc/discussions/1214).

#### other updates

- Adds M1/M2/Aarch64 build of sbtn into the installer by [@julienrf](https://togithub.com/julienrf) in [https://github.com/sbt/sbt/pull/7329](https://togithub.com/sbt/sbt/pull/7329)
- Fixes scripted tests timing out after 5 minutes by [@eed3si9n](https://togithub.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7336](https://togithub.com/sbt/sbt/pull/7336)

**Full Changelog**: https://github.com/sbt/sbt/compare/v1.9.2...v1.9.3

[@eed3si9n]: https://togithub.com/eed3si9n
[@Nirvikalpa108]: https://togithub.com/Nirvikalpa108
[@adpi2]: https://togithub.com/adpi2
[@er1c]: https://togithub.com/er1c
[@eatkins]: https://togithub.com/eatkins
[@dwijnand]: https://togithub.com/dwijnand
[@ckipp01]: https://togithub.com/ckipp01
[@mdedetrich]: https://togithub.com/mdedetrich
[@xuwei-k]: https://togithub.com/xuwei-k
[@lrytz]: https://togithub.com/lrytz
[7242]: https://togithub.com/sbt/sbt/pull/7242
[7251]: https://togithub.com/sbt/sbt/pull/7251
[zinc1186]: https://togithub.com/sbt/zinc/pull/1186
[zinc1226]: https://togithub.com/sbt/zinc/pull/1226
[bsp527]: https://togithub.com/build-server-protocol/build-server-protocol/pull/527
[actionable]: https://contributors.scala-lang.org/t/roadmap-for-actionable-diagnostics/6172/1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
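The sbt 1.9.7 notes above describe the Zip Slip defect in `IO.unzip`: an entry name like `../../../../../../root/.ssh/authorized_keys` is joined to the destination and written without checking where the joined path lands. The check that closes that gap, shown here in Python so it runs stand-alone (added example, not sbt's code and not this plugin's): resolve every entry's target path against the destination root and refuse anything that resolves outside it. The archive is constructed in memory from the entry name quoted in the release notes; `safe_unzip`, `is_contained` and `demo` are names chosen for this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Constructed sample input: the traversal entry name quoted in the sbt 1.9.7
# release notes, packed next to a benign file. Built in memory only.
TRAVERSAL_ENTRY = "../../../../../../root/.ssh/authorized_keys"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/README.txt", "benign\n")
        zf.writestr(TRAVERSAL_ENTRY, "constructed test content\n")
    return buf.getvalue()


def is_contained(root, entry_name: str) -> bool:
    """True if root/entry_name still lies under root after '..' segments and
    symlinks are resolved. An absolute entry name replaces root when joined,
    so the same comparison rejects it too."""
    root = Path(root).resolve()
    target = (root / entry_name).resolve()
    return target == root or root in target.parents


def safe_unzip(data: bytes, dest: Path) -> Tuple[List[str], List[str]]:
    """Extract only entries whose resolved path stays under dest.
    Returns (written, rejected) entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_contained(dest, info.filename):
                rejected.append(info.filename)  # escape attempt: skip it
                continue
            target = (Path(dest).resolve() / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo() -> Tuple[List[str], List[str], str]:
    """Run safe_unzip on the constructed archive inside a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        written, rejected = safe_unzip(build_sample_zip(), Path(d))
        content = (Path(d) / "lib" / "README.txt").read_text()
    return written, rejected, content
```

A quick audit of a build for this bug is to grep for direct `IO.unzip(` calls in custom tasks, since those are the call sites the release notes say the sbt core fix does not cover.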