sbt/sbt (sbt/sbt)
### [`v1.10.3`](https://redirect.github.com/sbt/sbt/releases/tag/v1.10.3): 1.10.3
[Compare Source](https://redirect.github.com/sbt/sbt/compare/v1.10.2...v1.10.3)
#### Protobuf with potential Denial of Service (CVE-2024-7254)
sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / https://github.com/advisories/GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by [@gabrieljones](https://redirect.github.com/gabrieljones) and was fixed by Jerry Tan ([@Friendseeker](https://redirect.github.com/Friendseeker)) in [zinc#1443](https://redirect.github.com/zinc/sbt/issues/1443).
[@adpi2](https://redirect.github.com/adpi2) at Scala Center has also configured dependency graph submission to get security alerts in [zinc#1448](https://redirect.github.com/zinc/sbt/issues/1448). sbt/sbt was configured by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7746](https://redirect.github.com/sbt/sbt/pull/7746).
#### Reverting the invalidation of circular-dependent sources
sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.
There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after `clean`. The root cause of these bugs were identified by [@smarter](https://redirect.github.com/smarter) ([https://github.com/sbt/zinc/issues/598#issuecomment-449028234](https://redirect.github.com/sbt/zinc/issues/598#issuecomment-449028234)) and [@Friendseeker](https://redirect.github.com/Friendseeker) to be partial compilation of circular-dependent sources where two sources `A.scala` and `B.scala` use some constructs from each other.
sbt 1.10.0 fixed this issue via [https://github.com/sbt/zinc/pull/1284](https://redirect.github.com/sbt/zinc/pull/1284) by invalidating the circular-dependent pairs together. In other words, if `A.scala` was changed, it would immediately invalidate `B.scala`. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation ([zinc#1420](https://redirect.github.com/sbt/zinc/issues/1420), [zinc#1461](https://redirect.github.com/sbt/zinc/issues/1461)). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi ([@lihaoyi](https://redirect.github.com/lihaoyi)) in [https://github.com/sbt/zinc/pull/1462](https://redirect.github.com/sbt/zinc/pull/1462).
#### Improvement: ParallelGzipOutputStream
sbt 1.10.0 via [https://github.com/sbt/zinc/pull/1326](https://redirect.github.com/sbt/zinc/pull/1326) added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of `ParallelGzipOutputStream`, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the `scala.concurrent.Future`-based implementation gets stuck in a deadlock. [@Ichoran](https://redirect.github.com/Ichoran) and [@Friendseeker](https://redirect.github.com/Friendseeker) have contributed an alternative implementation that uses Java threads directly, which fixes the issue in [https://github.com/sbt/zinc/pull/1466](https://redirect.github.com/sbt/zinc/pull/1466).
#### bug fixes and updates
- deps: Updates metabuild Scala version to 2.12.20 by [@SethTisue](https://redirect.github.com/SethTisue) in [#7636](https://redirect.github.com/sbt/sbt/pull/7636)
- fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by [@Friendseeker](https://redirect.github.com/Friendseeker) in [#7695](https://redirect.github.com/sbt/sbt/pull/7695)
- fix: Fixes transitive invalidation interfering with cycle stopping condition by [@Friendseeker](https://redirect.github.com/Friendseeker) in [zinc#1397](https://redirect.github.com/sbt/zinc/pull/1397)
- fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by [@adpi2](https://redirect.github.com/adpi2) in [lm#451](https://redirect.github.com/sbt/librarymanagement/pull/451)
- fix: Fixes directory permission issue under a multi-user environment by [@eed3si9n](https://redirect.github.com/eed3si9n) in [ipcsocket#43](https://redirect.github.com/sbt/ipcsocket/pull/43)
- deps: Updates `sbt init` template deps by [@xuwei-k](https://redirect.github.com/xuwei-k) in [#7730](https://redirect.github.com/sbt/sbt/pull/7730)
- Updates sbt runner to default to sbtn for sbt 2.x by [@eed3si9n](https://redirect.github.com/eed3si9n) in [#7775](https://redirect.github.com/sbt/sbt/pull/7775)
#### behind the scene
- ci: Bump CI to JDK 21 by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7760](https://redirect.github.com/sbt/sbt/pull/7760)
- refactor: Remove deprecated `System.runFinalization` by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7732](https://redirect.github.com/sbt/sbt/pull/7732)
- refactor: Remove deprecated `Thread.getId` by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7733](https://redirect.github.com/sbt/sbt/pull/7733)
- refactor: Regenerate Contraband files by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7764](https://redirect.github.com/sbt/sbt/pull/7764)
- deps: Bump IO, ipc-socket, and launcher by [@eed3si9n](https://redirect.github.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7776](https://redirect.github.com/sbt/sbt/pull/7776)
- deps: Zinc 1.10.3 by [@eed3si9n](https://redirect.github.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7781](https://redirect.github.com/sbt/sbt/pull/7781)
- deps: lm 1.10.2 by [@eed3si9n](https://redirect.github.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7782](https://redirect.github.com/sbt/sbt/pull/7782)
- ci: Set a default timeout for ci by [@nathanlao](https://redirect.github.com/nathanlao) in [https://github.com/sbt/sbt/pull/7766](https://redirect.github.com/sbt/sbt/pull/7766)
- ci: Removes `vscode-sbt-scala` from build.sbt by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7728](https://redirect.github.com/sbt/sbt/pull/7728)
- ci: Adds dependabot setting for develop branch by [@xuwei-k](https://redirect.github.com/xuwei-k) in [https://github.com/sbt/sbt/pull/7701](https://redirect.github.com/sbt/sbt/pull/7701)
**Full Changelog**: https://github.com/sbt/sbt/compare/v1.10.2...v1.10.3
Configuration
π Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
1.10.2
->1.10.3
Release Notes
sbt/sbt (sbt/sbt)
### [`v1.10.3`](https://redirect.github.com/sbt/sbt/releases/tag/v1.10.3): 1.10.3 [Compare Source](https://redirect.github.com/sbt/sbt/compare/v1.10.2...v1.10.3) #### Protobuf with potential Denial of Service (CVE-2024-7254) sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / https://github.com/advisories/GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by [@gabrieljones](https://redirect.github.com/gabrieljones) and was fixed by Jerry Tan ([@Friendseeker](https://redirect.github.com/Friendseeker)) in [zinc#1443](https://redirect.github.com/zinc/sbt/issues/1443). [@adpi2](https://redirect.github.com/adpi2) at Scala Center has also configured dependency graph submission to get security alerts in [zinc#1448](https://redirect.github.com/zinc/sbt/issues/1448). sbt/sbt was configured by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7746](https://redirect.github.com/sbt/sbt/pull/7746). #### Reverting the invalidation of circular-dependent sources sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs. There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after `clean`. The root cause of these bugs were identified by [@smarter](https://redirect.github.com/smarter) ([https://github.com/sbt/zinc/issues/598#issuecomment-449028234](https://redirect.github.com/sbt/zinc/issues/598#issuecomment-449028234)) and [@Friendseeker](https://redirect.github.com/Friendseeker) to be partial compilation of circular-dependent sources where two sources `A.scala` and `B.scala` use some constructs from each other. sbt 1.10.0 fixed this issue via [https://github.com/sbt/zinc/pull/1284](https://redirect.github.com/sbt/zinc/pull/1284) by invalidating the circular-dependent pairs together. In other words, if `A.scala` was changed, it would immediately invalidate `B.scala`. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation ([zinc#1420](https://redirect.github.com/sbt/zinc/issues/1420), [zinc#1461](https://redirect.github.com/sbt/zinc/issues/1461)). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi ([@lihaoyi](https://redirect.github.com/lihaoyi)) in [https://github.com/sbt/zinc/pull/1462](https://redirect.github.com/sbt/zinc/pull/1462). #### Improvement: ParallelGzipOutputStream sbt 1.10.0 via [https://github.com/sbt/zinc/pull/1326](https://redirect.github.com/sbt/zinc/pull/1326) added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of `ParallelGzipOutputStream`, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the `scala.concurrent.Future`-based implementation gets stuck in a deadlock. [@Ichoran](https://redirect.github.com/Ichoran) and [@Friendseeker](https://redirect.github.com/Friendseeker) have contributed an alternative implementation that uses Java threads directly, which fixes the issue in [https://github.com/sbt/zinc/pull/1466](https://redirect.github.com/sbt/zinc/pull/1466). #### bug fixes and updates - deps: Updates metabuild Scala version to 2.12.20 by [@SethTisue](https://redirect.github.com/SethTisue) in [#7636](https://redirect.github.com/sbt/sbt/pull/7636) - fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by [@Friendseeker](https://redirect.github.com/Friendseeker) in [#7695](https://redirect.github.com/sbt/sbt/pull/7695) - fix: Fixes transitive invalidation interfering with cycle stopping condition by [@Friendseeker](https://redirect.github.com/Friendseeker) in [zinc#1397](https://redirect.github.com/sbt/zinc/pull/1397) - fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by [@adpi2](https://redirect.github.com/adpi2) in [lm#451](https://redirect.github.com/sbt/librarymanagement/pull/451) - fix: Fixes directory permission issue under a multi-user environment by [@eed3si9n](https://redirect.github.com/eed3si9n) in [ipcsocket#43](https://redirect.github.com/sbt/ipcsocket/pull/43) - deps: Updates `sbt init` template deps by [@xuwei-k](https://redirect.github.com/xuwei-k) in [#7730](https://redirect.github.com/sbt/sbt/pull/7730) - Updates sbt runner to default to sbtn for sbt 2.x by [@eed3si9n](https://redirect.github.com/eed3si9n) in [#7775](https://redirect.github.com/sbt/sbt/pull/7775) #### behind the scene - ci: Bump CI to JDK 21 by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7760](https://redirect.github.com/sbt/sbt/pull/7760) - refactor: Remove deprecated `System.runFinalization` by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7732](https://redirect.github.com/sbt/sbt/pull/7732) - refactor: Remove deprecated `Thread.getId` by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7733](https://redirect.github.com/sbt/sbt/pull/7733) - refactor: Regenerate Contraband files by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7764](https://redirect.github.com/sbt/sbt/pull/7764) - deps: Bump IO, ipc-socket, and launcher by [@eed3si9n](https://redirect.github.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7776](https://redirect.github.com/sbt/sbt/pull/7776) - deps: Zinc 1.10.3 by [@eed3si9n](https://redirect.github.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7781](https://redirect.github.com/sbt/sbt/pull/7781) - deps: lm 1.10.2 by [@eed3si9n](https://redirect.github.com/eed3si9n) in [https://github.com/sbt/sbt/pull/7782](https://redirect.github.com/sbt/sbt/pull/7782) - ci: Set a default timeout for ci by [@nathanlao](https://redirect.github.com/nathanlao) in [https://github.com/sbt/sbt/pull/7766](https://redirect.github.com/sbt/sbt/pull/7766) - ci: Removes `vscode-sbt-scala` from build.sbt by [@Friendseeker](https://redirect.github.com/Friendseeker) in [https://github.com/sbt/sbt/pull/7728](https://redirect.github.com/sbt/sbt/pull/7728) - ci: Adds dependabot setting for develop branch by [@xuwei-k](https://redirect.github.com/xuwei-k) in [https://github.com/sbt/sbt/pull/7701](https://redirect.github.com/sbt/sbt/pull/7701) **Full Changelog**: https://github.com/sbt/sbt/compare/v1.10.2...v1.10.3Configuration
π Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.