sbt/sbt (sbt/sbt)
### [`v1.9.7`](https://togithub.com/sbt/sbt/releases/tag/v1.9.7): 1.9.7
[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.6...v1.9.7)
##### Highlights
- sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in `IO.unzip`. This was discovered and reported by Kenji Yoshida ([@xuwei-k][@xuwei-k]), and fixed by [@eed3si9n][@eed3si9n] in [io#360][io360].
##### Zip Slip (arbitrary file write) vulnerability
See the upstream security advisory for the most up-to-date information. This affects all sbt versions prior to 1.9.7.
A path traversal vulnerability was discovered in the `IO.unzip` code. This is a very common vulnerability class known as [Zip Slip](https://security.snyk.io/research/zip-slip-vulnerability), and has been found and fixed in plexus-archiver, Ant, and others.
Given a specially crafted zip or JAR file, `IO.unzip` allows writing arbitrary files. The following is an example of a malicious entry, as shown by an archive listing:

```
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
```

When run in a directory six levels below the filesystem root, `IO.unzip` could then overwrite a file under `/root/`. sbt itself uses `IO.unzip` only in `pullRemoteCache` and `Resolvers.remote`; however, many projects call `IO.unzip(...)` directly to implement custom tasks and tests.
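As an added example, not code from sbt or its `sbt/io` module, the plain Scala below shows the check that closes this class of bug: every entry name is resolved against the destination directory and normalized, and the whole archive is rejected before anything is written if any entry escapes that directory. The `SafeUnzip` object, its method names and the archive contents are constructed for illustration; only `java.util.zip` and `java.nio.file` are used, so it compiles on both the Scala 2.12 that sbt 1.x build definitions use and on 2.13.

```scala
import java.io.File
import java.nio.file.{Files, Path, StandardCopyOption}
import java.util.zip.{ZipEntry, ZipFile, ZipOutputStream}

// Added example, not code from sbt or sbt/io: a Zip Slip-safe unzip helper.
object SafeUnzip {

  /** Resolve an entry name under `dest` and refuse anything that escapes it. */
  def resolveEntry(dest: Path, name: String): Either[String, Path] = {
    val root   = dest.toAbsolutePath.normalize
    val target = root.resolve(name).normalize
    if (target == root) Left(s"entry '$name' resolves to the destination itself")
    // Path.startsWith is component-wise, so "/tmp/out" does not match "/tmp/outer".
    // Absolute entry names ("/etc/passwd") fail this check just like "../" ones.
    else if (target.startsWith(root)) Right(target)
    else Left(s"entry '$name' escapes destination $root")
  }

  /** Validate every entry name first, then extract; a malicious archive writes nothing. */
  def unzip(zip: File, dest: Path): Either[String, List[Path]] = {
    val zf = new ZipFile(zip)
    try {
      val entries = {
        val en  = zf.entries()
        val buf = List.newBuilder[ZipEntry]
        while (en.hasMoreElements) buf += en.nextElement()
        buf.result()
      }
      // Pass 1: resolve all targets; the first escaping entry fails the whole archive.
      val resolved = entries.foldLeft[Either[String, List[(ZipEntry, Path)]]](Right(Nil)) {
        (acc, e) => for (xs <- acc; t <- resolveEntry(dest, e.getName)) yield (e, t) :: xs
      }.map(_.reverse)
      // Pass 2: write, now that every target is known to lie inside dest.
      resolved.map(_.flatMap { case (e, target) =>
        if (e.isDirectory) { Files.createDirectories(target); None }
        else {
          Files.createDirectories(target.getParent)
          val in = zf.getInputStream(e)
          try Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING) finally in.close()
          Some(target)
        }
      })
    } finally zf.close()
  }

  /** Constructed test data: write a zip whose entry names are stored verbatim. */
  def writeZip(path: Path, entries: Seq[(String, String)]): File = {
    val zos = new ZipOutputStream(Files.newOutputStream(path))
    try entries.foreach { case (name, body) =>
      zos.putNextEntry(new ZipEntry(name))
      zos.write(body.getBytes("UTF-8"))
      zos.closeEntry()
    } finally zos.close()
    path.toFile
  }

  def main(args: Array[String]): Unit = {
    val work = Files.createTempDirectory("zipslip-demo")
    val dest = Files.createDirectories(work.resolve("out"))
    // One benign entry followed by the same traversal entry as in the listing above.
    val bad = writeZip(work.resolve("bad.zip"), Seq(
      "README.txt" -> "harmless\n",
      "../../../../../../root/.ssh/authorized_keys" -> "ssh-ed25519 AAAA... attacker\n"))
    val good = writeZip(work.resolve("good.zip"), Seq(
      "lib/a.txt" -> "a\n",
      "lib/b.txt" -> "b\n"))
    println(unzip(bad, dest))   // rejected in pass 1, so README.txt is not written either
    println(unzip(good, dest))  // both files are extracted under out/lib
  }
}
```

Replacing a direct `IO.unzip(...)` call in a custom task with a helper of this shape is the practical mitigation for builds that cannot move to 1.9.7 immediately. The two-pass design matters: a single-pass extractor that checks each entry as it goes still writes every benign entry that precedes the malicious one, which is why the archive is validated in full before the first byte is copied.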
##### Non-determinism from AutoPlugins loading
We've known that some builds occasionally and non-deterministically flip-flop their behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins where neither depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by [@eed3si9n][@eed3si9n] in [#7404][7404].
##### Other updates and fixes
- Updates Coursier to 2.1.7 by [@regiskuckaertz][@regiskuckaertz] in [#7392][7392]
- Updates Swoval to 2.1.12 by [@eatkins][@eatkins] in [io#353][io353].
- Fixes `.sbtopts` support for `sbt` runner script on Windows by [@ptrdom][@ptrdom] in [#7393][7393]
- Adds documentation on `scriptedSbt` key by [@mdedetrich][@mdedetrich] in [#7383][7383]
- Includes the URL in `dependencyBrowseTree` log by [@mkurz][@mkurz] in [#7396][7396]
[@eed3si9n]: https://togithub.com/eed3si9n
[@Nirvikalpa108]: https://togithub.com/Nirvikalpa108
[@adpi2]: https://togithub.com/adpi2
[@er1c]: https://togithub.com/er1c
[@eatkins]: https://togithub.com/eatkins
[@dwijnand]: https://togithub.com/dwijnand
[@xuwei-k]: https://togithub.com/xuwei-k
[@regiskuckaertz]: https://togithub.com/regiskuckaertz
[@ptrdom]: https://togithub.com/ptrdom
[@mdedetrich]: https://togithub.com/mdedetrich
[@mkurz]: https://togithub.com/mkurz
[7404]: https://togithub.com/sbt/sbt/pull/7404
[7392]: https://togithub.com/sbt/sbt/pull/7392
[7393]: https://togithub.com/sbt/sbt/pull/7393
[7396]: https://togithub.com/sbt/sbt/pull/7396
[7383]: https://togithub.com/sbt/sbt/pull/7383
[io353]: https://togithub.com/sbt/io/pull/353
[io360]: https://togithub.com/sbt/io/pull/360
### [`v1.9.6`](https://togithub.com/sbt/sbt/releases/tag/v1.9.6): 1.9.6
[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.5...v1.9.6)
#### bug fix
- sbt 1.9.6 reverts the "internal representation of class symbol names" change ([https://github.com/sbt/zinc/pull/1244](https://togithub.com/sbt/zinc/pull/1244)), which caused the Scala compiler to generate wrong anonymous class names, by [@eed3si9n](https://togithub.com/eed3si9n) in [https://github.com/sbt/zinc/pull/1256](https://togithub.com/sbt/zinc/pull/1256). See [https://github.com/scala/bug/issues/12868](https://togithub.com/scala/bug/issues/12868) for more details.
**Full Changelog**: https://github.com/sbt/sbt/compare/v1.9.5...v1.9.6
### [`v1.9.5`](https://togithub.com/sbt/sbt/releases/tag/v1.9.5): 1.9.5
[Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.4...v1.9.5)
**Update**: ⚠️ sbt 1.9.5 is broken because it causes the Scala compiler to generate wrong class names for anonymous classes on lambdas. While we investigate, please refrain from publishing libraries with it.
[https://github.com/scala/bug/issues/12868#issuecomment-1720848704](https://togithub.com/scala/bug/issues/12868#issuecomment-1720848704)
#### highlights
- Switches to pre-compiled compiler bridge for Scala 2.13.12+ [#7374][7374] by [@eed3si9n][@eed3si9n]
- Fixes NPE when just `-X` is passed to `scalacOptions` [zinc#1246][zinc1246] by [@unkarjedy][@unkarjedy]
#### other updates
- Fixes internal representation of class symbol names [zinc#1244][zinc1244] by [@dwijnand][@dwijnand]
- Fixes `NumberFormatException` in `CrossVersionUtil.binaryScalaVersion` [lm#426][lm426] by [@HelloKunal][@HelloKunal]
- Fixes `scripted` client/server instability on Windows [#7087][7087] by [@mdedetrich][@mdedetrich]
- Fixes `sbt` launcher script bug on Windows [#7365][7365] by [@JD557][@JD557]
- Fixes `help` command on oldshell [#7358][7358] by [@azdrojowa123][@azdrojowa123]
- Adds `allModuleReports` to `UpdateReport` [lm#428][lm428] by [@mdedetrich][@mdedetrich]
- Handles javac warning messages [zinc#1228][zinc1228] by [@Arthurm1][@Arthurm1]
- Enables inliner for Scala 2.13 compiler bridge [zinc#1247][zinc1247] by [@mdedetrich][@mdedetrich]
#### new contributors
- [@azdrojowa123](https://togithub.com/azdrojowa123) made their first contribution in [https://github.com/sbt/sbt/pull/7358](https://togithub.com/sbt/sbt/pull/7358)
- [@JD557](https://togithub.com/JD557) made their first contribution in [https://github.com/sbt/sbt/pull/7367](https://togithub.com/sbt/sbt/pull/7367)
**Full Changelog**: https://github.com/sbt/sbt/compare/v1.9.4...v1.9.5
[@eed3si9n]: https://togithub.com/eed3si9n
[@Nirvikalpa108]: https://togithub.com/Nirvikalpa108
[@adpi2]: https://togithub.com/adpi2
[@er1c]: https://togithub.com/er1c
[@eatkins]: https://togithub.com/eatkins
[@dwijnand]: https://togithub.com/dwijnand
[@mdedetrich]: https://togithub.com/mdedetrich
[@JD557]: https://togithub.com/JD557
[@azdrojowa123]: https://togithub.com/azdrojowa123
[@HelloKunal]: https://togithub.com/HelloKunal
[@unkarjedy]: https://togithub.com/unkarjedy
[@Arthurm1]: https://togithub.com/Arthurm1
[7374]: https://togithub.com/sbt/sbt/pull/7374
[7087]: https://togithub.com/sbt/sbt/pull/7087
[7365]: https://togithub.com/sbt/sbt/issues/7365
[7358]: https://togithub.com/sbt/sbt/pull/7358
[zinc1246]: https://togithub.com/sbt/zinc/pull/1246
[zinc1244]: https://togithub.com/sbt/zinc/pull/1244
[zinc1228]: https://togithub.com/sbt/zinc/pull/1228
[zinc1247]: https://togithub.com/sbt/zinc/pull/1247
[lm426]: https://togithub.com/sbt/librarymanagement/pull/426
[lm428]: https://togithub.com/sbt/librarymanagement/pull/428
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: sbt `1.9.4` -> `1.9.7`