Releases: sbt/sbt
1.10.0
Changes with compatibility implications
- For SIP-51 support, `scalaVersion` can no longer be a lower 2.13.x version number than its transitive dependencies. See below for details.
- ConsistentAnalysisFormat is enabled by default. See below for details.
- Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #7513.
- Updates Jsch to mwiede/jsch fork by @azolotko in lm#436
- Updates the Scala version used by sbt 1.x to 2.12.19 by @SethTisue in #7516.
SIP-51 Support for Scala 2.13 Evolution
Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:
I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.
Lukas has also contributed changes to sbt 1.10.0 to enforce stricter `scalaVersion`. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than `scalaVersion` is found, it will fail the build as follows:
sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.
When you see an error message like the one above, you can fix it by updating the Scala version to the suggested version (e.g. 2.13.10):
ThisBuild / scalaVersion := "2.13.10"
Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected `scalaVersion`, compiler version, and scala-library version to align. With hindsight, sbt 1.10.0 will continue to respect `scalaVersion` as the source of truth, but will reject bad ones at build time.
This was contributed by Lukas Rytz in #7480.
Zinc fixes
- Fixes macro undercompilation by invalidating macro call sites when a type parameter changes by @Friendseeker in zinc#1316
- Fixes macro undercompilation by invalidating macro source when its dependency changes by @dwijnand in zinc#1282
- Fixes SAM type undercompilation by @Friendseeker in zinc#1288
- Fixes infinite incremental loop when Scala and Java are involved by @Friendseeker in zinc#1312
- Fixes overcompilation on default parameter changes by @Friendseeker in zinc#1324
- Fixes `IncOptions.useOptimizedSealed` not working for Scala 2.13 by @Friendseeker in zinc#1278
- Includes extra invalidations in initial validation to fix initial compilation error by @Friendseeker in zinc#1284
- Refixes compact names without breaking local names by @dwijnand in zinc#1259
- Undoes Protobuf workaround for build to work on Apple Silicon by @Friendseeker in zinc#1277
- Uses `ClassTag` instead of `Manifest` by @xuwei-k in zinc#1265
- Encodes parent trait private members in `extraHash` to propagate `TraitPrivateMembersModified` across external dependency by @Friendseeker in zinc#1289
- Includes internal dependency in `extraHash` computation by @Friendseeker in zinc#1290
- Deletes products of previous analysis when dropping previous analysis by @Friendseeker in zinc#1293
- Uses the most up-to-date analysis for binary to source class name lookup by @Friendseeker in zinc#1287
- Fixes inconsistent Analysis by removing source stamp caching by @Friendseeker in zinc#1319
- Invalidates sources that depend on `@inline` methods in Scala 2.x by @Friendseeker in zinc#1310
- Fixes `-Xshow-phases` handling by @Friendseeker in zinc#1314
ConsistentAnalysisFormat: new Zinc Analysis serialization
sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:
Format | Write time | Read time | File size |
---|---|---|---|
sbt Text | 1002 ms | 791 ms | ~ 7102 kB |
sbt Binary | 654 ms | 277 ms | ~ 6182 kB |
ConsistentBinary | 157 ms | 100 ms | 3097 kB |
Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:
Global / enableConsistentCompileAnalysis := false
This was contributed by Stefan Zeiger at Databricks in zinc#1326.
New CommandProgress API
sbt 1.10.0 adds a new CommandProgress API.
This was contributed by Iulian Dragos at Gradle Inc in #7350.
Other updates
- Updates to JLine 3.24.1 and JAnsi 2.4.1 by @hvesalai/@mazugrin in #7419/#7545
- Supports cross-build for external project ref by @RustedBones in #7389
- Avoids deprecated `java.net.URL` constructor by @xuwei-k in #7398
- Fixes bug of unmanagedResourceDirectories by @minkyu97 in #7178
- Fixes `updateSbtClassifiers` task by @azdrojowa123 in #7437
- Fixes `packageSrc` to include `managedSources` by @Friendseeker in #7470
- Fixes publishing to use the publisher specified using the `publisher` setting by @Tammo0987 in #7475
- Fixes eviction warning message by avoiding repeated versions by @rtyley in lm#433
- BSP: Implements `buildTarget/javacOptions` by @adpi2 in #7352
- BSP: Adds `noOp` field in the compile report by @adpi2 in #7496
1.10.0-RC2
Changes since sbt 1.10.0-RC1
- ConsistentAnalysisFormat is enabled by default.
- Updates to SIP-51 error message.
Changes with compatibility implications
- For SIP-51 support, `scalaVersion` can no longer be a lower 2.13.x version number than its transitive dependencies. See below for details.
- Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #7513.
- Updates Jsch to mwiede/jsch fork by @azolotko in lm#436
- Updates the Scala version used by sbt 1.x to 2.12.19 by @SethTisue in #7516.
SIP-51 Support for Scala 2.13 Evolution
Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:
I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.
Lukas has also contributed changes to sbt 1.10.0 to enforce stricter `scalaVersion`. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than `scalaVersion` is found, it will fail the build as follows:
sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.
When you see an error message like the one above, you can fix it by updating the Scala version to the suggested version (e.g. 2.13.10):
ThisBuild / scalaVersion := "2.13.10"
Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected `scalaVersion`, compiler version, and scala-library version to align. With hindsight, sbt 1.10.0 will continue to respect `scalaVersion` as the source of truth, but will reject bad ones at build time.
This was contributed by Lukas Rytz in #7480.
Zinc fixes
- Fixes macro undercompilation by invalidating macro call sites when a type parameter changes by @Friendseeker in zinc#1316
- Fixes macro undercompilation by invalidating macro source when its dependency changes by @dwijnand in zinc#1282
- Fixes SAM type undercompilation by @Friendseeker in zinc#1288
- Fixes infinite incremental loop when Scala and Java are involved by @Friendseeker in zinc#1312
- Fixes overcompilation on default parameter changes by @Friendseeker in zinc#1324
- Fixes `IncOptions.useOptimizedSealed` not working for Scala 2.13 by @Friendseeker in zinc#1278
- Includes extra invalidations in initial validation to fix initial compilation error by @Friendseeker in zinc#1284
- Refixes compact names without breaking local names by @dwijnand in zinc#1259
- Undoes Protobuf workaround for build to work on Apple Silicon by @Friendseeker in zinc#1277
- Uses `ClassTag` instead of `Manifest` by @xuwei-k in zinc#1265
- Encodes parent trait private members in `extraHash` to propagate `TraitPrivateMembersModified` across external dependency by @Friendseeker in zinc#1289
- Includes internal dependency in `extraHash` computation by @Friendseeker in zinc#1290
- Deletes products of previous analysis when dropping previous analysis by @Friendseeker in zinc#1293
- Uses the most up-to-date analysis for binary to source class name lookup by @Friendseeker in zinc#1287
- Fixes inconsistent Analysis by removing source stamp caching by @Friendseeker in zinc#1319
- Invalidates sources that depend on `@inline` methods in Scala 2.x by @Friendseeker in zinc#1310
- Fixes `-Xshow-phases` handling by @Friendseeker in zinc#1314
ConsistentAnalysisFormat: new Zinc Analysis serialization
sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:
Format | Write time | Read time | File size |
---|---|---|---|
sbt Text | 1002 ms | 791 ms | ~ 7102 kB |
sbt Binary | 654 ms | 277 ms | ~ 6182 kB |
ConsistentBinary | 157 ms | 100 ms | 3097 kB |
Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:
Global / enableConsistentCompileAnalysis := false
This was contributed by Stefan Zeiger at Databricks in zinc#1326.
New CommandProgress API
sbt 1.10.0 adds a new CommandProgress API.
This was contributed by Iulian Dragos at Gradle Inc in #7350.
Other updates
- JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in #7419
- Supports cross-build for external project ref by @RustedBones in #7389
- Avoids deprecated `java.net.URL` constructor by @xuwei-k in #7398
- Fixes bug of unmanagedResourceDirectories by @minkyu97 in #7178
- Fixes `updateSbtClassifiers` task by @azdrojowa123 in #7437
- Fixes `packageSrc` to include `managedSources` by @Friendseeker in #7470
- Fixes publishing to use the publisher specified using the `publisher` setting by @Tammo0987 in #7475
- Fixes eviction warning message by avoiding repeated versions by @rtyley in lm#433
- BSP: Implements `buildTarget/javacOptions` by @adpi2 in #7352
- BSP: Adds `noOp` field in the compile report by @adpi2 in #7496
1.10.0-RC1
Changes with compatibility implications
- For SIP-51 support, `scalaVersion` can no longer be a lower 2.13.x version number than its transitive dependencies. See below for details.
- Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #7513.
- Updates Jsch to mwiede/jsch fork by @azolotko in lm#436
- Updates the Scala version used by sbt 1.x to 2.12.19 by @SethTisue in #7516.
SIP-51 Support for Scala 2.13 Evolution
Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:
I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.
Lukas has also contributed changes to sbt 1.10.0 to enforce stricter `scalaVersion`. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than `scalaVersion` is found, it will fail the build as follows:
sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) `foo/scalaVersion` needs to be upgraded to 2.13.10. To support backwards-only
[error] binary compatibility (SIP-51), the Scala compiler cannot be older than scala-library on the
[error] dependency classpath. See `foo/evicted` why scala-library was upgraded from 2.13.5 to 2.13.10.
When you see an error message like the one above, you can fix it by updating the Scala version to the suggested version (e.g. 2.13.10):
ThisBuild / scalaVersion := "2.13.10"
Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected `scalaVersion`, compiler version, and scala-library version to align. With hindsight, sbt 1.10.0 will continue to respect `scalaVersion` as the source of truth, but will reject bad ones at build time.
This was contributed by Lukas Rytz in #7480.
Zinc fixes
- Fixes macro undercompilation by invalidating macro call sites when a type parameter changes by @Friendseeker in zinc#1316
- Fixes macro undercompilation by invalidating macro source when its dependency changes by @dwijnand in zinc#1282
- Fixes SAM type undercompilation by @Friendseeker in zinc#1288
- Fixes infinite incremental loop when Scala and Java are involved by @Friendseeker in zinc#1312
- Fixes overcompilation on default parameter changes by @Friendseeker in zinc#1324
- Fixes `IncOptions.useOptimizedSealed` not working for Scala 2.13 by @Friendseeker in zinc#1278
- Includes extra invalidations in initial validation to fix initial compilation error by @Friendseeker in zinc#1284
- Refixes compact names without breaking local names by @dwijnand in zinc#1259
- Undoes Protobuf workaround for build to work on Apple Silicon by @Friendseeker in zinc#1277
- Uses `ClassTag` instead of `Manifest` by @xuwei-k in zinc#1265
- Encodes parent trait private members in `extraHash` to propagate `TraitPrivateMembersModified` across external dependency by @Friendseeker in zinc#1289
- Includes internal dependency in `extraHash` computation by @Friendseeker in zinc#1290
- Deletes products of previous analysis when dropping previous analysis by @Friendseeker in zinc#1293
- Uses the most up-to-date analysis for binary to source class name lookup by @Friendseeker in zinc#1287
- Fixes inconsistent Analysis by removing source stamp caching by @Friendseeker in zinc#1319
- Invalidates sources that depend on `@inline` methods in Scala 2.x by @Friendseeker in zinc#1310
- Fixes `-Xshow-phases` handling by @Friendseeker in zinc#1314
ConsistentAnalysisFormat: new Zinc Analysis serialization
sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Note: We missed this for RC-1. We will adopt this in RC-2.
This was contributed by Stefan Zeiger in zinc#1326.
New CommandProgress API
sbt 1.10.0 adds a new CommandProgress API.
This was contributed by @dragos in #7350.
Other updates
- JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in #7419
- Supports cross-build for external project ref by @RustedBones in #7389
- Avoids deprecated `java.net.URL` constructor by @xuwei-k in #7398
- Fixes bug of unmanagedResourceDirectories by @minkyu97 in #7178
- Fixes `updateSbtClassifiers` task by @azdrojowa123 in #7437
- Fixes `packageSrc` to include `managedSources` by @Friendseeker in #7470
- Fixes publishing to use the publisher specified using the `publisher` setting by @Tammo0987 in #7475
- Fixes eviction warning message by avoiding repeated versions by @rtyley in lm#433
- BSP: Implements `buildTarget/javacOptions` by @adpi2 in #7352
- BSP: Adds `noOp` field in the compile report by @adpi2 in #7496
new contributors
- @RustedBones made their first contribution in #7389
- @ptrdom made their first contribution in #7393
- @minkyu97 made their first contribution in #7178
- @regiskuckaertz made their first contribution in #7392
- @Friendseeker made their first contribution in #7471
- @Tammo0987 made their first contribution in #7475
- @hagay3 made their first contribution in #7499
- @lrytz made their first contribution in #7480
Full Changelog: v1.9.9...v1.10.0-RC1
1.9.9
Bug fixes
- To fix `console` task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @hvesalai in #7503 / #7502
- To fix sbt 1.9.8's `UnsatisfiedLinkError` with `stat`, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @eed3si9n in sbt/io#367
Full Changelog: v1.9.8...v1.9.9
1.9.8
updates
- Fixes `IO.getModifiedOrZero` on Alpine etc, by using clib `stat()` instead of non-standard `__xstat64` abi by @bratkartoffel in sbt/io#362
- As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @hvesalai in #7420
- Backports fix for `updateSbtClassifiers` not downloading sources #7437 by @azdrojowa123
- Backports missing logger methods that take Java Supplier #7447 by @mkurz
Full Changelog: v1.9.7...v1.9.8
1.10.0-M1
Zinc fixes
- Fixes IncOptions.useOptimizedSealed not working for Scala 2.13 by @Friendseeker in sbt/zinc#1278
- Includes extra invalidations in initial validation to fix initial compilation error by @Friendseeker in sbt/zinc#1284
- Refixes compact names w/o breaking local names by @dwijnand in sbt/zinc#1259
- Undoes Protobuf workaround for build to work on Apple Silicon by @Friendseeker in sbt/zinc#1277
- Uses `ClassTag` instead of `Manifest` by @xuwei-k in sbt/zinc#1265
- Encodes parent trait private members in `extraHash` to propagate `TraitPrivateMembersModified` across external dependency by @Friendseeker in sbt/zinc#1289
- Includes internal dependency in `extraHash` computation by @Friendseeker in sbt/zinc#1290
- Invalidates macro source when its dependency changes by @dwijnand in sbt/zinc#1282
- Deletes products of previous analysis when dropping previous analysis by @Friendseeker in sbt/zinc#1293
- Uses the most up-to-date analysis for binary to source class name lookup by @Friendseeker in sbt/zinc#1287
updates
- JLine 3.24.1 and JAnsi 2.4.0. by @hvesalai in #7419
- Adds a new CommandProgress API. by @dragos in #7350
- Update Coursier to 2.1.7 by @regiskuckaertz in #7392
- BSP: Implements `buildTarget/javacOptions` by @adpi2 in #7352
- Supports cross-build for external project ref by @RustedBones in #7389
- Fixes VM argument passing by `.sbtopts` file and `JAVA_TOOL_OPTIONS` environmental variable by @ptrdom in #7393
- Avoids deprecated `java.net.URL` constructor by @xuwei-k in #7398
- Fixes bug of unmanagedResourceDirectories by @minkyu97 in #7178
- Make loading order alphabetical for plugins by @eed3si9n in #7404
- Fixes `updateSbtClassifiers` task by @azdrojowa123 in #7437
behind the scene
- Catches `NoSuchMethodError` when calling `runFinalization` by @xuwei-k in #7399
- Includes uri in log of `dependencyBrowseTree` by @mkurz in #7396
- Documents scriptedSbt by @mdedetrich in #7383
- Keeps logger names in hash set by @Duhemm in #7386
- Minor updates on development guide by @eed3si9n in #7409
- Uses sourcePositionMappers to report BSP diagnostics by @adpi2 in #7417
- Updates test scala versions by @xuwei-k in #7406
- Adds missing logger methods that take Java Supplier by @mkurz in #7447
new contributors
- @RustedBones made their first contribution in #7389
- @ptrdom made their first contribution in #7393
- @minkyu97 made their first contribution in #7178
- @regiskuckaertz made their first contribution in #7392
- @Friendseeker made their first contribution in sbt/zinc#1277
Full Changelog: v1.9.6...v1.10.0-M1
1.9.7
Highlights
- sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in `IO.unzip`. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.
Zip Slip (arbitrary file write) vulnerability
See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.
A path traversal vulnerability was discovered in the `IO.unzip` code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.
Given a specially crafted zip or JAR file, `IO.unzip` allows writing of an arbitrary file. The following is an example of a malicious entry:
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
When executed on some path with six levels, `IO.unzip` could then overwrite a file under `/root/`. sbt main uses `IO.unzip` only in `pullRemoteCache` and `Resolvers.remote`, however, many projects use `IO.unzip(...)` directly to implement custom tasks and tests.
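For builds that extract archives in custom tasks, the containment check that defeats this class of bug looks like the following. This is an added example, not sbt's code or the io#360 patch; it uses only `java.util.zip` and `java.nio.file`, and `SafeUnzip`, `resolveInside` and `sampleZip` are hypothetical names.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InputStream}
import java.nio.file.{Files, Path}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

// Added illustration; SafeUnzip, resolveInside and sampleZip are hypothetical names.
object SafeUnzip {

  /** Resolve an entry name under `root`; Left if the result would leave `root`. */
  def resolveInside(root: Path, entryName: String): Either[String, Path] = {
    val base = root.toAbsolutePath.normalize
    // normalize collapses "..", so "../x" and absolute names end up outside base.
    val target = base.resolve(entryName).normalize
    // Path.startsWith compares whole name elements, so a sibling directory such
    // as "<base>-evil" does not pass the way a String prefix check would let it.
    if (target.startsWith(base)) Right(target)
    else Left(s"blocked entry escaping $base: $entryName")
  }

  /** Extract into `dest`, stopping at the first entry that fails the check.
    * Entries before the rejected one are already on disk, so treat Left as
    * "discard dest". Existing files are not overwritten (Files.copy throws). */
  def unzip(in: InputStream, dest: Path): Either[String, List[Path]] = {
    val zis = new ZipInputStream(in)
    @annotation.tailrec
    def loop(acc: List[Path]): Either[String, List[Path]] =
      Option(zis.getNextEntry) match {
        case None => Right(acc.reverse)
        case Some(entry) =>
          resolveInside(dest, entry.getName) match {
            case Left(err) => Left(err)
            case Right(target) =>
              if (entry.isDirectory) Files.createDirectories(target)
              else {
                Files.createDirectories(target.getParent)
                Files.copy(zis, target) // reads up to the end of this entry
              }
              loop(target :: acc)
          }
      }
    try loop(Nil) finally zis.close()
  }

  /** Constructed sample archive: each name gets a one-line dummy payload. */
  def sampleZip(names: Seq[String]): Array[Byte] = {
    val bytes = new ByteArrayOutputStream()
    val zos = new ZipOutputStream(bytes)
    names.foreach { n =>
      zos.putNextEntry(new ZipEntry(n))
      zos.write("constructed sample\n".getBytes("UTF-8"))
      zos.closeEntry()
    }
    zos.close()
    bytes.toByteArray
  }

  def main(args: Array[String]): Unit = {
    val benign = sampleZip(Seq("lib/app.txt"))
    // Second entry reuses the traversal name quoted in the text above.
    val crafted = sampleZip(Seq("lib/app.txt", "../../../../../../root/.ssh/authorized_keys"))
    val ok = unzip(new ByteArrayInputStream(benign), Files.createTempDirectory("unzip-ok"))
    val bad = unzip(new ByteArrayInputStream(crafted), Files.createTempDirectory("unzip-bad"))
    assert(ok.map(_.size) == Right(1), ok)
    assert(bad.isLeft, bad)
    println(ok); println(bad)
  }
}
```

The check covers entry names only; a symlink already present inside the destination directory can still redirect a write, so extract into a freshly created directory.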
Non-determinism from AutoPlugins loading
We've known that occasionally some builds non-deterministically flip-flop their behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins neither of which depends on the other.
sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.
Other updates and fixes
- Updates Coursier to 2.1.7 by @regiskuckaertz in #7392
- Updates Swoval to 2.1.12 by @eatkins in io#353.
- Fixes `.sbtopts` support for `sbt` runner script on Windows by @ptrdom in #7393
- Adds documentation on `scriptedSbt` key by @mdedetrich in #7383
- Includes the URL in `dependencyBrowseTree` log by @mkurz in #7396
1.9.6
bug fix
- sbt 1.9.6 reverts "internal representation of class symbol names" change (sbt/zinc#1244), which caused Scala compiler to generate wrong anonymous class name by @eed3si9n in sbt/zinc#1256. See scala/bug#12868 for more details.
Full Changelog: v1.9.5...v1.9.6
1.9.5
Update:
scala/bug#12868 (comment)
highlights
- Switches to pre-compiled compiler bridge for Scala 2.13.12+ #7374 by @eed3si9n
- Fixes NPE when just `-X` is passed to `scalacOptions` zinc#1246 by @unkarjedy
other updates
- Fixes internal representation of class symbol names zinc#1244 by @dwijnand
- Fixes `NumberFormatException` in `CrossVersionUtil.binaryScalaVersion` lm#426 by @HelloKunal
- Fixes `scripted` client/server instability on Windows #7087 by @mdedetrich
- Fixes `sbt` launcher script bug on Windows #7365 by @JD557
- Fixes `help` command on oldshell #7358 by @azdrojowa123
- Adds `allModuleReports` to `UpdateReport` lm#428 by @mdedetrich
- Handles javac warning messages zinc#1228 by @Arthurm1
- Enables inliner for Scala 2.13 compiler bridge zinc#1247 by @mdedetrich
new contributors
- @azdrojowa123 made their first contribution in #7358
- @JD557 made their first contribution in #7367
Full Changelog: v1.9.4...v1.9.5
1.9.4
CVE-2022-46751
CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.
In coordination with the Apache Foundation, Adrien Piquerez (@adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.
Other updates
- Fixes `sbt_script` lookup by replacing all spaces with `%20` (not only the first one) in the path. by @arturaz in #7349
- Fixes scala-debug-adapter#543: Maintain order of internal deps by @adpi2 in #7347
- Removes `conscriptConfigs` task, not used and needed(?) anymore by @mkurz in #7353
- Adds a Scala 3 seed to the `sbt new` menu by @SethTisue in #7354
new contributors
Full Changelog: v1.9.3...v1.9.4