Update dependency sbt/sbt to v1.11.5

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	minor	1.7.1 -> 1.11.5

---

Release Notes

sbt/sbt (sbt/sbt)

v1.11.5: 1.11.5

Compare Source

changes with compatibility implications

• sbtn is built using ubuntu-22.04 image, which will require similar Linux version with glibc 2.32 and above.

🚀 features and other updates

• Adds scala-library 3.8.0 support by @​hamzaremmal + @​eed3si9n in #​8226
• Adds Scala Nightly repository resolver. See below
• Central Repository publishing: Shows validation errors if present by @​unkarjedy in #​8191
• Central Repository publishing: Includes the root subproject name into the deployment by @​jeanmarc in #​8219
• Adds --jvm-client to the sbt runner script to launch JVM client by @​eed3si9n in #​8232
• Reduces sbtn outputs by @​eed3si9n in #​8234

Scala Nightly repository

Scala Team now publishes nightlies to a dedicated Artifactory instance. sbt 1.11.5 adds a new resolver for this:

resolvers += Resolver.scalaNightlyRepository

ThisBuild / scalaVersion := "3.8.0-RC1-bin-20250823-712d5bc-NIGHTLY"
Compile / scalacOptions += "-language:experimental.captureChecking"

This was contributed by @​hamzaremmal in sbt/librarymanagement#532

🎬 behind the scene

• ci: Uses sbt 1.11.4 by @​eed3si9n in #​8192
• ci: Adds clean.yml by @​eed3si9n in #​8227
• ci: Bump actions/setup-java from 4 to 5 by @​dependabot[bot] in #​8229
• ci: Split server-test by @​eed3si9n in #​8233
• deps: Bump to lm 1.11.5 by @​eed3si9n in #​8231

new contributors

• @​jeanmarc made their first contribution in #​8219
• @​hamzaremmal made their first contribution in #​8226

Full Changelog: sbt/sbt@v1.11.4...v1.11.5

v1.11.4: 1.11.4

Compare Source

Updates

• fix: Fixes sbt plugin cross building by @​eed3si9n in sbt/librarymanagement#528
• fix: Fixes sonaUploadRequestTimeout by scoping globally by @​eed3si9n in #​8190

Full Changelog: sbt/sbt@v1.11.3...v1.11.4

v1.11.3: 1.11.3

Compare Source

updates

• Adds sonaUploadRequestTimeout setting to configure the upload timeout when publishing to the Central Repo by @​guizmaii in #​8171
• fix: Adds support for pluginCrossBuild/sbtBinaryVersion "1.3", which is used by IntelliJ Scala plugin (fixes #​8166) by @​unkarjedy in #​8167
• fix: Fixes the import order to satisfy SemanticDB by @​inglor in #​8162

new contributors

• @​inglor made their first contribution in #​8162
• @​guizmaii made their first contribution in #​8171

Full Changelog: sbt/sbt@v1.11.2...v1.11.3

v1.11.2: 1.11.2

Compare Source

updates

• fix: Fixes intermittent NullPointerError in update task by reverting the use of WeakReferences by @​mrdziuban in coursier/sbt-coursier#564
• Adds Resolver.sonatypeCentralSnapshots, Resolver.sonatypeCentralRepo(...) and deprecates Resolver.sonatypeOssRepos(...), Opts.resolver.sonatypeOssReleases , Opts.resolver.sonatypeOssSnapshots, etc by @​eed3si9n in sbt/librarymanagement#517 / #​8156

Full Changelog: sbt/sbt@v1.11.1...v1.11.2

v1.11.1: 1.11.1

Compare Source

updates

• fix: Fixes memory leak in update task by @​mrdziuban in coursier/sbt-coursier#563
• fix: Default sbtPluginPublishLegacyMavenStyle to false by @​eed3si9n in #​8148
• fix: Adds sonaDeploymentName to excludeLintKeys by @​rtyley in #​8143

behind the scene

• ci: Use Central Portal for publishing by @​eed3si9n in #​8147

Full Changelog: sbt/sbt@v1.11.0...v1.11.1

v1.11.0: 1.11.0

Compare Source

Central Repository publishing

The Central Repository (aka Maven Central) has long been the pillar of the JVM ecosystem including Scala. The mechanism to publish libraries to the Central has been hosted by Sonatype as OSS Repository Hosting (OSSRH) via HTTP PUT, but in March it was announced that the endpoint will be sunset in June 2025 in favor of the Central Portal at https://central.sonatype.com/.

sbt 1.11.0 implements a built-in support to publish to Central Repository via the Central Portal. To publish to the Central Portal, first set ThisBuild / publishTo setting to the localStaging repository:

ThisBuild / publishTo := {
  val centralSnapshots = "https://central.sonatype.com/repository/maven-snapshots/"
  if (isSnapshot.value) Some("central-snapshots" at centralSnapshots)
  else localStaging.value
}

Add credentials to the host central.sonatype.com using the generated user token user name and password. sbt 1.11.0 will read from the environment variables SONATYPE_USERNAME and SONATYPE_PASSWORD and append a credential for central.sonatype.com out-of-box, which might be useful for automatic publishing from the CI environment, such as GitHub Actions.

- run: sbt ci-release
  env:
    PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
    PGP_SECRET: ${{ secrets.PGP_SECRET }}
    SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
    SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}

When you're ready to publish, call publishSigned task (available via sbt-pgp). At this point, the JARs and POM files will be staged to your local target/sona-staging directory.

Next, call sonaUpload to upload to the Central Portal and manually release the bundle, or call sonaRelease to upload and automatically release to the Central Repository.

This was contributed by @​eed3si9n in #​8126. The feature was inspired by sbt-sonatype workflow pioneered by Taro Saito, and sonatype-central-client spearheaded by David Doyle at Lumidion.

Other updates

• fix: Avoid printing "copying runtime jar" etc to stdout by @​eed3si9n in #​8081
• fix: Fix incremental test (testQuick) with companion objects by @​eed3si9n in #​8087

Full Changelog: sbt/sbt@v1.10.11...v1.11.0

v1.10.11: 1.10.11

Compare Source

updates

• Updates Coursier from 2.1.22 → 2.1.23 by @​eed3si9n in #​8069

🐛 bug fixes

• fix: Fixes compile task retrying itself on compiler crashes by @​eed3si9n in #​8070
• fix: sbt --client shutdown shortcuts if the server is not already running by @​eed3si9n in #​8057
• fix: Fixes sbt --client on Windows by @​eed3si9n in #​8071
• fix: Avoids creating target on sbt --version by @​eed3si9n in #​8066
• fix: Fixes slash syntax keys in Scala 2.13 evolution message by @​eed3si9n in #​8067

Full Changelog: sbt/sbt@v1.10.10...v1.10.11

v1.10.10: 1.10.10

Compare Source

🐛 bug fixes

• fix: Fixes compilation error causing the compilation to retry ten times by @​eed3si9n in #​8054

Full Changelog: sbt/sbt@v1.10.9...v1.10.10

v1.10.9: 1.10.9

Compare Source

🚀 features and other updates

• Adds allowUnsafeScalaLibUpgrade setting to opt-out of the Scala 2.13 compatibility check (SIP-51) by @​lrytz in #​8012
• BSP: Implement jvmBuildTarget for workspace/buildTargets by @​Friendseeker in #​7913
• Detects user-specific JDK installations on macOS by @​unkarjedy in #​8032
• Makes timing outputs consistently show hours and hint at time format by @​jsoref in #​8019
• Backports SHA-256, SHA-384, and SHA-512 checksum support to forked Apache Ivy by @​mkurz in sbt/ivy#49
• Client-side run capability in sbtn by @​eed3si9n in #​8040

🐛 bug fixes

• fix: Fixes local source dependency invalidation by @​rochala in sbt/zinc#1528
• fix: Clear Zinc Analysis Cache during Compile / clean, Test / clean by @​Friendseeker in #​7969
• fix: Fixes spurious upstream compilation when calling previousCompile by @​Friendseeker in #​7983
• fix: Fixes race condition in NetworkChannel by @​dwickern in #​8005
• fix: Fixes Chrome tracing file by @​eed3si9n in #​8020
• fix: Fixes incorrect sbt architecture logging in the runner script by @​mehdignu in #​8038
• fix: Fixes stdout freshness issue by @​eed3si9n in #​8048
• fix: sbt init by @​eed3si9n in #​8049

🎬 behind the scene

• refactor: Refactor response handler by @​eed3si9n in #​8035

new contributors

• @​mehdignu made their first contribution in #​8038

Full Changelog: sbt/sbt@v1.10.7...v1.10.9

v1.10.8: 1.10.8

Compare Source

sbt 1.10.8 is dead on arrival, please use 1.10.9 when it comes out.

v1.10.7: 1.10.7

Compare Source

🚀 features and other updates

• Enable runner script's build detection by default to require --allow-empty by @​eed3si9n in #​7966
• Support glob expressions in scripted to aid sbt 2.0.0-M3 cross building by @​eed3si9n in #​7933 / #​7968
• perf: Precompile a regex in hot code by @​retronym in sbt/zinc#1508

Build directory detection

Starting 1.10.7, the sbt runner script enables build directory detection by default. This means that the sbt will exit with error when launched in a directory without build.sbt or project/, with exceptions of sbt new, sbt --script-version etc.

To override this behavior temporarily, you can use --allow-empty flag. To permanently opt out of the build directory detection, create $XDG_CONFIG_HOME/sbt/sbtopts with --allow-empty in it.

csrMavenDependencyOverride setting

sbt 1.10.7 updates Coursier from 2.1.19 → 2.1.22. sbt 1.10.7 also adds a new setting csrMavenDependencyOverride (default: false), which controls the resolution, which respects Maven dependency override mechanism, also known as bill-of-materials (BOM) POM. Since there is a performance regression in the new resolver, we are setting the default to false.

🐛 bug fixes

• fix: Add csrMavenDependencyOverride to opt into bill-of-material (BOM) respecting Coursier resolution by @​eed3si9n in #​7970
• fix: Update the template resolver to use Giter8 0.17.0, which fixes the SLF4J warning by @​eed3si9n in #​7947
• fix: Update JLine 2 fork to 9a88bc4 and Jansi to 2.4.1, which fixes crash on Windows on ARM by @​Friendseeker in #​7952

🎬 behind the scene

• ci: New Scala CLA URL by @​eed3si9n in #​7929
• ci: Use new Scala CLA GitHub Action by @​Friendseeker in #​7953
• ci: Prepare for sbt 1.10.7 by @​Friendseeker in #​7957
• ci: Restore disabled Multirepo integration test by @​Friendseeker in #​7962

Full Changelog: sbt/sbt@v1.10.6...v1.10.7

v1.10.6: 1.10.6

Compare Source

change with compatibility implication

• deps: lm-coursier 2.1.6, which updates Coursier 2.1.14 → 2.1.19 by @​eed3si9n in #​7920

  This release changes the way "BOMs" or "dependency management" are handled during resolution, and allows users to add BOMs to a resolution. This changes the way versions are picked when BOMs or dependency management are involved, which has an impact on the resolution of libraries from many JVM ecosystems, such as Apache Spark, Springboot, Quarkus, etc.

bug fixes and updates

• fix: Fixes Ctrl-C not stopping run task due to bgRun delegation by @​Friendseeker in #​7916
• fix: Fixes sbt --client support on openSUSE by @​Androz2091 in #​7895
• fix: Synchronizes dependencyTree console output by @​Friendseeker in #​7906
• fix: Synchronizes java.awt.Desktop.browse() during dependencyBrowseTree by @​Friendseeker in #​7905
• perf: Better memory efficiency for Zinc Analysis by @​dwijnand in sbt/zinc#1494
• fix: Passes useConsistent to staticCachedStore by @​Friendseeker in #​7869
• Make reproducibility toggleable for ConsistentAnalysisFormat by @​Friendseeker in sbt/zinc#1479
• clean clears previousCompile by @​Friendseeker in sbt/zinc#1487 / #​7922

behind the scene

• deps: Updates to Zinc 1.10.5 by @​eed3si9n in #​7922
• deps: Updates to IO 1.10.2 by @​eed3si9n in #​7921
• deps: Removes direct dependency on org.fusesource.jansi by @​Friendseeker in #​7876
• ci: Prepare for sbt 1.10.6 by @​Friendseeker in #​7871
• Add double quote around thread name during trace by @​Friendseeker in #​7886
• ci: Bump minimum Java version in launcher script to 8 by @​Friendseeker in #​7897
• test: Fix Flaky Test: sbt.TagsTest by @​Friendseeker in #​7919
• refactor: Improve message format for loading settings for project by @​Friendseeker in #​7909
• refactor: Respects dependencyBrowseGraphTarget, dependencyBrowseTreeTarget by @​Friendseeker in #​7904

new contributors

• @​Androz2091 made their first contribution in #​7895

Full Changelog: sbt/sbt@v1.10.5...v1.10.6

v1.10.5: 1.10.5

Compare Source

updates

• deps: Updates to Coursier 2.1.14 via lm-coursier 2.1.5 by @​eed3si9n in #​7859
• fix: Reverts sbtn to build with glibc by @​Friendseeker and @​eed3si9n
• fix: Fixes sbtn to return exit code 1 when on error by @​Friendseeker in #​7854
• fix: Fixes ++ with a command argument with slash by @​eed3si9n in #​7862
• fix: Replaces Narrow No-Break Space (NNBS) in date strings with a whitespace to prevent mojibakeh by @​Friendseeker in #​7846

behind the scene

• refactor: Migrate all usages of System.console == null by @​Friendseeker in #​7843
• ci: Prepare for sbt 1.10.5 by @​Friendseeker in #​7840

Full Changelog: sbt/sbt@v1.10.4...v1.10.5

v1.10.4: 1.10.4

Compare Source

updates and bug fixes

• fix: Fixes Jansi deprecation notice by switching to jline-terminal-jni by @​Friendseeker in #​7811
• fix: Fixes GLIBC_2.32 issue on sbtn by statically linking musl by @​Friendseeker in #​7823
• fix: Throw exception when sbt new fails to find template by @​Friendseeker in #​7835
• fix: Fixes ~ with Global / onChangedBuildSource := ReloadOnSourceChanges by @​Friendseeker in #​7838
• fix: Fixes "Unrecognized option: --server" error on BSP server by @​eed3si9n in #​7824
• fix: Fixes pipelined build while changing version frequently by @​Friendseeker in #​7830
• fix: Change the default analysis format to older binary, and make Consistent Analysis opt-in by @​Friendseeker in #​7807

behind the scene

• ci: Bump supported JDK version to 21 in DEVELOPING.md by @​Friendseeker in #​7784
• ci: Bump sbt to 1.10.3 by @​Friendseeker in #​7802
• ci: Bump TEST_SBT_VER to 1.10.3 & remove unused CI variables by @​Friendseeker in #​7825
• ci: Delete .java-version to not fix java version to 1.8 by @​Friendseeker in #​7827
• deps: Bump Scala 2.13 to 2.13.15 by @​Friendseeker in #​7798
• deps: Bump JLine to 3.27.1 by @​Friendseeker in #​7829
• deps: Zinc 1.10.4 by @​eed3si9n in #​7839
• refactor: Remove two unused methods that depends on Analysis Timestamp by @​Friendseeker in #​7787
• refactor: Deprecate useJCenter key by @​Philippus in #​7822

Full Changelog: sbt/sbt@v1.10.3...v1.10.4

v1.10.3: 1.10.3

Compare Source

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @​gabrieljones and was fixed by Jerry Tan (@​Friendseeker) in zinc#1443.

@​adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @​Friendseeker in #​7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @​smarter (sbt/zinc#598 (comment)) and @​Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via sbt/zinc#1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@​lihaoyi) in sbt/zinc#1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via sbt/zinc#1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @​Ichoran and @​Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in sbt/zinc#1466.

bug fixes and updates

• deps: Updates metabuild Scala version to 2.12.20 by @​SethTisue in #​7636
• fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by @​Friendseeker in #​7695
• fix: Fixes transitive invalidation interfering with cycle stopping condition by @​Friendseeker in zinc#1397
• fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by @​adpi2 in lm#451
• fix: Fixes directory permission issue under a multi-user environment by @​eed3si9n in ipcsocket#43
• deps: Updates sbt init template deps by @​xuwei-k in #​7730
• Updates sbt runner to default to sbtn for sbt 2.x by @​eed3si9n in #​7775

behind the scene

• ci: Bump CI to JDK 21 by @​Friendseeker in #​7760
• refactor: Remove deprecated System.runFinalization by @​Friendseeker in #​7732
• refactor: Remove deprecated Thread.getId by @​Friendseeker in #​7733
• refactor: Regenerate Contraband files by @​Friendseeker in #​7764
• deps: Bump IO, ipc-socket, and launcher by @​eed3si9n in #​7776
• deps: Zinc 1.10.3 by @​eed3si9n in #​7781
• deps: lm 1.10.2 by @​eed3si9n in #​7782
• ci: Set a default timeout for ci by @​nathanlao in #​7766
• ci: Removes vscode-sbt-scala from build.sbt by @​Friendseeker in #​7728
• ci: Adds dependabot setting for develop branch by @​xuwei-k in #​7701

Full Changelog: sbt/sbt@v1.10.2...v1.10.3

v1.10.2: 1.10.2

Compare Source

Changes with compatibility implications

• Uses _sbt2_3 suffix for sbt 2.x by @​eed3si9n in #​7671

Updates and bug fixes

• Fixes the attribute key name from serverIdleTimeOut to serverIdleTimeout to match the variable name by @​lervag in #​7651
• Fixes incremental Scala-Java mixed compilation that produces JAR directly by @​adpi2 in sbt/zinc#1377
• Fixes over-compilation when using a class directory as a library by @​adpi2 in sbt/zinc#1382
• Perf: Copy bytes directly instead of using scala.reflect.io.Streamable by @​rochala in sbt/zinc#1395
• Includes all sources and resources in source jar by @​jroper in #​7630
• Fixes the handling of Optional inter-project dependency in BSP by @​adpi2 in #​7568
• Trims spaces around k and v to tolerate extra whitespace in build.properties by @​invadergir in #​7585
• Fixes legacy repositories like scala-tools-releases in repositories file blocking sbt from launching by @​eed3si9n in sbt/launcher#104
• Fixes stale BSP diagnostics by @​SlowBrainDude in #​7610
• Fixes scripted support for sbt 2.x by @​eed3si9n in #​7672
• Avoids using ThreadDeath for future JDK compatibility by @​xuwei-k in #​7652
• Avoids using ZipError for future JDK compatibility by @​eed3si9n in sbt/zinc#1393

Behind the scenes

• Update to Zinc 1.10.2 by @​eed3si9n in #​7674
• Update to lm 1.10.1 by @​eed3si9n in #​7597
• Update to Launcher 1.4.3 by @​eed3si9n in #​7598
• Update to the common Scala 2.12 version for the sbtn subproject by @​SlowBrainDude in #​7605
• Note in dev docs on supported build time JDK version dependency by @​SlowBrainDude in #​7606
• CI: Zinc default branch is 1.10.x by @​adpi2 in #​7654
• Upgrade sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in #​7555
• Update Scala 3 doc test by @​eed3si9n in #​7619
• Bump scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in #​7565
• Fixes dependency-management/force-update-period test (backport of #​7538) by @​adpi2 in #​7567
• Fixes BuildServerTest by @​adpi2 in #​7638

New contributors

• @​invadergir made their first contribution in #​7585
• @​rochala made their first contribution in sbt/zinc#1395
• @​SlowBrainDude made their first contribution in #​7606
• @​lervag made their first contribution in #​7651

Full Changelog: sbt/sbt@v1.10.0...v1.10.2

v1.10.1: 1.10.1

Compare Source

bug fixes and updates

• Fixes column/position information missing from the javac error messages in IntelliJ by @​vasilmkd in sbt/zinc#1373
• Fixes backslash handling in expandMavenSettings by @​desbo in sbt/librarymanagement#444
• Fixes JSON serialization of Map and LList in sjson-new 0.10.1 by @​steinybot + @​eed3si9n in eed3si9n/sjson-new#142
• Fixes the hash code for empty files in the classpath cache by @​szeiger in sbt/zinc#1366
• Fixes forceUpdatePeriod by @​adpi2 in #​7567
• Fixes BSP handling of Optional inter-project dependencies by @​adpi2 in #​7568
• Ignores jcenter and scala-tools-releases entries in the ~/.sbt/repositories file by @​eed3si9n in sbt/launcher#104

behind the scenes

• Updates sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in #​7555
• Updates scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in #​7565

Full Changelog: sbt/sbt@v1.10.0...v1.10.1

v1.10.0: 1.10.0

Compare Source

Changes with compatibility implications

• For SIP-51 support, scalaVersion can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.
• ConsistentAnalysisFormat is enabled by default. See below for details.
• Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #​7513.
• Updates Jsch to mwiede/jsch fork by @​azolotko in lm#436
• Updates the Scala version used by sbt 1.x to 2.12.19 by @​SethTisue in #​7516.

SIP-51 Support for Scala 2.13 Evolution

Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:

I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.

Lukas has also contributed changes to sbt 1.10.0 to enforce stricter scalaVersion. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than scalaVersion is found, it will fail the build as follows:

sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.

When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):

ThisBuild / scalaVersion := "2.13.10"

Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected scalaVersion, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respect scalaVersion to be the source-of-truth, but will reject bad ones at build time.

This was contributed by Lukas Rytz in #​7480.

Zinc fixes

• Fixes macro undercompilation by invalidating macro call sites when a type parameter changes by @​Friendseeker in zinc#1316
• Fixes macro undercompilation by invalidating macro source when its dependency changes by @​dwijnand in zinc#1282
• Fixes SAM type undercompilation by @​Friendseeker in zinc#1288
• Fixes infinite incremental loop when Scala and Java are involved by @​Friendseeker in zinc#1312
• Fixes overcompilation on default parameter changes by @​Friendseeker in zinc#1324
• Fixes IncOptions.useOptimizedSealed not working for Scala 2.13 by @​Friendseeker in zinc#1278
• Includes extra invalidations in initial validation to fix initial compilation error by @​Friendseeker in zinc#1284
• Refixes compact names without breaking local names by @​dwijnand in zinc#1259
• Undoes Protobuf workaround for build to work on Apple Silicon by @​Friendseeker in zinc#1277
• Uses ClassTag instead of Manifest by @​xuwei-k in zinc#1265
• Encodes parent trait private members in extraHash to propagate TraitPrivateMembersModified across external dependency by @​Friendseeker in zinc#1289
• Includes internal dependency in extraHash computation by @​Friendseeker in zinc#1290
• Deletes products of previous analysis when dropping previous analysis by @​Friendseeker in zinc#1293
• Uses the most up-to-date analysis for binary to source class name lookup by @​Friendseeker in zinc#1287
• Fixes inconsistent Analysis by removing source stamp caching by @​Friendseeker in zinc#1319
• Invalidate sources that depends on @inline methods in Scala 2.x by @​Friendseeker in zinc#1310
• Fixes -Xshow-phases handling by @​Friendseeker in zinc#1314

ConsistentAnalysisFormat: new Zinc Analysis serialization

sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:

	Write time	Read time	File size
sbt Text	1002 ms	791 ms	~ 7102 kB
sbt Binary	654 ms	277 ms	~ 6182 kB
ConsistentBinary	157 ms	100 ms	3097 kB

Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:

Global / enableConsistentCompileAnalysis := false

This was contributed by Stefan Zeiger at Databricks in zinc#1326.

New CommandProgress API

sbt 1.10.0 adds a new CommandProgress API.

This was contributed by Iulian Dragos at Gradle Inc in #​7350.

Other updates

• Updates to JLine 3.24.1 and JAnsi 2.4.1 by @​hvesalai/@​mazugrin in #​7419/#​7545
• Supports cross-build for external project ref by @​RustedBones in #​7389
• Avoids deprecated java.net.URL constructor by @​xuwei-k in #​7398
• Fixes bug of unmanagedResourceDirectories by @​minkyu97 in #​7178
• Fixes updateSbtClassifiers task by @​azdrojowa123 in #​7437
• Fixes packageSrc to include managedSources by @​Friendseeker in #​7470
• Fixes publishing to use the publisher specified using the publisher setting by @​Tammo0987 in #​7475
• Fixes eviction warning message by avoid repeating versions by @​rtyley in lm#433
• BSP: Implements buildTarget/javacOptions by @​adpi2 in #​7352
• BSP: Adds noOp field in the compile report by @​adpi2 in #​7496

v1.9.9: 1.9.9

Compare Source

Bug fixes

• To fix console task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @​hvesalai in #​7503 / #​7502
• To fix sbt 1.9.8's UnsatisfiedLinkError with stat, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @​eed3si9n in sbt/io#367

Full Changelog: sbt/sbt@v1.9.8...v1.9.9

v1.9.8: 1.9.8

Compare Source

updates

• Fixes IO.getModifiedOrZero on Alpine etc, by using clib stat() instead of non-standard __xstat64 abi by @​bratkartoffel in sbt/io#362
• As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @​hvesalai in #​7420
• Backports fix for updateSbtClassifiers not downloading sources #​7437 by @​azdrojowa123
• Backports missing logger methods that take Java Supplier #​7447 by @​mkurz

Full Changelog: sbt/sbt@v1.9.7...v1.9.8

v1.9.7: 1.9.7

Compare Source

Highlights

• sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in [io#360][io360].

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in [#​7404][7404].

Other updates and fixes

• Updates Coursier to 2.1.7 by [@​regiskuckaertz][@​regiskuckaertz] in [#​7392][7392]
• Updates Swoval to 2.1.12 by [@​eatkins][@​eatkins] in [io#353][io353].
• Fixes .sbtopts support for sbt runner script on Windows by [@​ptrdom][@​ptrdom] in [#​7393][7393]
• Adds documentation on scriptedSbt key by @​mdedetrich in [#​7383][7383]
• Includes the URL in dependencyBrowseTree log by @​mkurz in [#​7396][7396]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.