Update dependency sbt/sbt to v1.9.7 #35

Merged
renovate[bot] merged 1 commit from renovate/sbt-sbt-1.x into master 2023-11-01 12:14:55 +00:00
renovate[bot] commented 2023-11-01 01:57:08 +00:00 (Migrated from github.com)

Mend Renovate

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| sbt/sbt | patch | `1.9.4` -> `1.9.7` |

Release Notes

sbt/sbt (sbt/sbt)

v1.9.7: 1.9.7

Compare Source

Highlights
  • sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.
Zip Slip (arbitrary file write) vulnerability

See https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

A path traversal vulnerability was discovered in the IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of an arbitrary file. The following is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.
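A defensive extraction check for the Zip Slip pattern described above, as an added example that is not sbt's own IO.unzip code or its fix: it builds a constructed archive containing one benign entry and one entry named like the malicious entry in the release notes, reports every entry whose resolved path would land outside the destination directory, and refuses to extract anything when such an entry is present. All names here (`build_sample_archive`, `is_within`, `unsafe_entries`, `safe_unzip`, `demo`) belong to this example only.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(include_malicious: bool = True) -> bytes:
    """Constructed sample archive (not a real artifact): one benign entry and,
    optionally, a Zip Slip entry whose name mirrors the one in the release notes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/ok.txt", "benign")
        if include_malicious:
            # zipfile stores the name verbatim; only ZipFile.extract() sanitizes it,
            # and a hand-rolled extractor (like the vulnerable IO.unzip) gets the raw name.
            zf.writestr("../../../../../../root/.ssh/authorized_keys", "constructed key material")
    return buf.getvalue()


def is_within(base: str, candidate: str) -> bool:
    """True iff candidate resolves (after '..', symlink and absolute-path
    resolution) to a location inside base."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base_real, cand_real]) == base_real
    except ValueError:
        # Different drives on Windows: cannot be inside base.
        return False


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Names of entries that would escape dest. Pure check; nothing is written.
    os.path.join discards dest when the entry name is absolute, so absolute
    names are rejected by the same test as '..' names."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_within(dest, os.path.join(dest, info.filename)):
                bad.append(info.filename)
    return bad


def safe_unzip(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract into dest, refusing the whole archive if any entry escapes dest.
    Returns the names extracted. Checking all entries first avoids a partially
    extracted archive when the hostile entry is not the first one."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: entries escape {dest!r}: {bad}")
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def demo() -> dict:
    """Run both constructed archives against a fresh temp directory."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "out")
        result["rejected"] = unsafe_entries(build_sample_archive(), dest)
        try:
            safe_unzip(build_sample_archive(), dest)
            result["raised"] = False
        except ValueError:
            result["raised"] = True
        result["benign_extracted"] = safe_unzip(build_sample_archive(include_malicious=False), dest)
        with open(os.path.join(dest, "lib", "ok.txt")) as f:
            result["ok_content"] = f.read()
    return result


if __name__ == "__main__":
    print(demo())
```

The check deliberately compares resolved paths rather than looking for a literal `..` substring: a name such as `lib/../../x` or an absolute name would slip past a substring test but not past `realpath` plus `commonpath`. The `demo` run prints the rejected entry name, confirms the refusal, and shows the benign archive extracting normally.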

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flop their behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins neither of which depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.

Other updates and fixes
  • Updates Coursier to 2.1.7 by @regiskuckaertz in #7392
  • Updates Swoval to 2.1.12 by @eatkins in io#353
  • Fixes .sbtopts support for the sbt runner script on Windows by @ptrdom in #7393
  • Adds documentation on the scriptedSbt key by @mdedetrich in #7383
  • Includes the URL in the dependencyBrowseTree log by @mkurz in #7396

v1.9.6: 1.9.6

Compare Source

bug fix
  • sbt 1.9.6 reverts the "internal representation of class symbol names" change (https://github.com/sbt/zinc/pull/1244), which caused the Scala compiler to generate wrong anonymous class names, by @eed3si9n in https://github.com/sbt/zinc/pull/1256. See https://github.com/scala/bug/issues/12868 for more details.

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.5...v1.9.6

v1.9.5: 1.9.5

Compare Source

Update: ⚠️ sbt 1.9.5 is broken, because it causes the Scala compiler to generate wrong class names for anonymous classes on lambdas. While we investigate, please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704

highlights
  • Switches to pre-compiled compiler bridge for Scala 2.13.12+ #7374 by @eed3si9n
  • Fixes NPE when just -X is passed to scalacOptions zinc#1246 by @unkarjedy

other updates
  • Fixes internal representation of class symbol names zinc#1244 by @dwijnand
  • Fixes NumberFormatException in CrossVersionUtil.binaryScalaVersion lm#426 by @HelloKunal
  • Fixes scripted client/server instability on Windows #7087 by @mdedetrich
  • Fixes sbt launcher script bug on Windows #7365 by @JD557
  • Fixes help command on oldshell #7358 by @azdrojowa123
  • Adds allModuleReports to UpdateReport lm#428 by @mdedetrich
  • Handles javac warning messages zinc#1228 by @Arthurm1
  • Enables inliner for Scala 2.13 compiler bridge zinc#1247 by @mdedetrich

new contributors
  • @azdrojowa123 made their first contribution in https://github.com/sbt/sbt/pull/7358
  • @JD557 made their first contribution in https://github.com/sbt/sbt/pull/7367

Full Changelog: https://github.com/sbt/sbt/compare/v1.9.4...v1.9.5


Configuration

📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

Reference
navicore/navi-xml!35