Skip to content

Update dependency sbt/sbt to v1.11.0 #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency sbt/sbt to v1.11.0 #21

wants to merge 1 commit into from
+1 −1

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 6, 2024
edited
Loading

This PR contains the following updates:

Package Update Change
sbt/sbt minor 1.9.9 -> 1.11.0

Release Notes

sbt/sbt (sbt/sbt)

v1.11.0: 1.11.0

Compare Source

Central Repository publishing

The Central Repository (aka Maven Central) has long been the pillar of the JVM ecosystem including Scala. The mechanism to publish libraries to the Central has been hosted by Sonatype as OSS Repository Hosting (OSSRH) via HTTP PUT, but in March it was announced that the endpoint will be sunset in June 2025 in favor of the Central Portal at https://central.sonatype.com/.

sbt 1.11.0 implements a built-in support to publish to Central Repository via the Central Portal. To publish to the Central Portal, first set ThisBuild / publishTo setting to the localStaging repository:

ThisBuild / publishTo := {
  val centralSnapshots = "https://central.sonatype.com/repository/maven-snapshots/"
  if (isSnapshot.value) Some("central-snapshots" at centralSnapshots)
  else localStaging.value
}

Add credentials to the host central.sonatype.com using the generated user token user name and password. When you're ready to publish, call publishSigned task (available via sbt-pgp). At this point, the JARs and POM files will be staged to your local target/sona-staging directory.

Next, call sonaUpload to upload to the Central Portal and manually release the bundle, or call sonaRelease to upload and automatically release to the Central Repository.

This was contributed by @​eed3si9n in #​8126. The feature was inspired by sbt-sonatype workflow pioneered by Taro Saito, and sonatype-central-client spearheaded by David Doyle at Lumidion.

Other updates

Full Changelog: sbt/sbt@v1.10.11...v1.11.0

v1.10.11: 1.10.11

Compare Source

updates
🐛 bug fixes

Full Changelog: sbt/sbt@v1.10.10...v1.10.11

v1.10.10: 1.10.10

Compare Source

🐛 bug fixes

Full Changelog: sbt/sbt@v1.10.9...v1.10.10

v1.10.9: 1.10.9

Compare Source

🚀 features and other updates
🐛 bug fixes
🎬 behind the scene
new contributors

Full Changelog: sbt/sbt@v1.10.7...v1.10.9

v1.10.8: 1.10.8

Compare Source

sbt 1.10.8 is dead on arrival, please use 1.10.9 when it comes out.

v1.10.7: 1.10.7

Compare Source

🚀 features and other updates

Build directory detection

Starting 1.10.7, the sbt runner script enables build directory detection by default. This means that the sbt will exit with error when launched in a directory without build.sbt or project/, with exceptions of sbt new, sbt --script-version etc.

To override this behavior temporarily, you can use --allow-empty flag. To permanently opt out of the build directory detection, create $XDG_CONFIG_HOME/sbt/sbtopts with --allow-empty in it.

csrMavenDependencyOverride setting

sbt 1.10.7 updates Coursier from 2.1.19 → 2.1.22. sbt 1.10.7 also adds a new setting csrMavenDependencyOverride (default: false), which controls the resolution, which respects Maven dependency override mechanism, also known as bill-of-materials (BOM) POM. Since there is a performance regression in the new resolver, we are setting the default to false.

🐛 bug fixes

🎬 behind the scene

Full Changelog: sbt/sbt@v1.10.6...v1.10.7

v1.10.6: 1.10.6

Compare Source

change with compatibility implication

  • deps: lm-coursier 2.1.6, which updates Coursier 2.1.14 → 2.1.19 by @​eed3si9n in https://github.com/sbt/sbt/pull/7920

    This release changes the way "BOMs" or "dependency management" are handled during resolution, and allows users to add BOMs to a resolution. This changes the way versions are picked when BOMs or dependency management are involved, which has an impact on the resolution of libraries from many JVM ecosystems, such as Apache Spark, Springboot, Quarkus, etc.

bug fixes and updates

behind the scene

new contributors

Full Changelog: sbt/sbt@v1.10.5...v1.10.6

v1.10.5: 1.10.5

Compare Source

updates

behind the scene

Full Changelog: sbt/sbt@v1.10.4...v1.10.5

v1.10.4: 1.10.4

Compare Source

updates and bug fixes

behind the scene

Full Changelog: sbt/sbt@v1.10.3...v1.10.4

v1.10.3: 1.10.3

Compare Source

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @​gabrieljones and was fixed by Jerry Tan (@​Friendseeker) in zinc#1443.

@​adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @​Friendseeker in https://github.com/sbt/sbt/pull/7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @​smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @​Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@​lihaoyi) in https://github.com/sbt/zinc/pull/1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @​Ichoran and @​Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.

bug fixes and updates

behind the scene

Full Changelog: sbt/sbt@v1.10.2...v1.10.3

v1.10.2: 1.10.2

Compare Source

Changes with compatibility implications

Updates and bug fixes

Behind the scenes

New contributors

Full Changelog: sbt/sbt@v1.10.0...v1.10.2

v1.10.1: 1.10.1

Compare Source

bug fixes and updates

behind the scenes

Full Changelog: sbt/sbt@v1.10.0...v1.10.1

v1.10.0: 1.10.0

Compare Source

Changes with compatibility implications

  • For SIP-51 support, scalaVersion can no longer be a lower 2.13.x version number than its transitive depdencies. See below for details.
  • ConsistentAnalysisFormat is enabled by default. See below for details.
  • Updates lm-coursier-shaded to 2.1.4, which brings in Coursier 2.1.9 #​7513.
  • Updates Jsch to mwiede/jsch fork by @​azolotko in lm#436
  • Updates the Scala version used by sbt 1.x to 2.12.19 by @​SethTisue in #​7516.

SIP-51 Support for Scala 2.13 Evolution

Modern Scala 2.x has kept both forward and backward binary compatibility so a library compiled using Scala 2.13.12 can be used by an application compiled with Scala 2.13.11 etc, and vice versa. The forward compatibility restricts Scala 2.x from evolving during the patch releases, so in SIP-51 Lukas Rytz at Lightbend Scala Team proposed:

I propose to drop the forwards binary compatibility requirement that build tools enforce on the Scala 2.13 standard library. This will allow implementing performance optimizations of collection operations that are currently not possible. It also unblocks adding new classes and new members to existing classes in the standard library.

Lukas has also contributed changes to sbt 1.10.0 to enforce stricter scalaVersion. Starting sbt 1.10.0, when a Scala 2.13.x patch version newer than scalaVersion is found, it will fail the build as follows:

sbt:foo> run
[error] stack trace is suppressed; run last scalaInstance for the full output
[error] (scalaInstance) expected `foo/scalaVersion` to be "2.13.10" or later,
[error] but found "2.13.5"; upgrade scalaVerion to fix the build.
[error]
[error] to support backwards-only binary compatibility (SIP-51),
[error] the Scala 2.13 compiler cannot be older than scala-library on the
[error] dependency classpath.
[error] see `foo/evicted` to know why scala-library 2.13.10 is getting pulled in.

When you see the error message like above, you can fix this by updating the Scala version to the suggested version (e.g. 2.13.10):

ThisBuild / scalaVersion := "2.13.10"

Side note: Old timers might know that sbt 0.13.0 also introduced the idea of scala-library as a normal dependency. This created various confusions as developers expected scalaVersion, compiler version, and scala-library version as expected to align. With the hindsight, sbt 1.10.0 will continue to respect scalaVersion to be the source-of-truth, but will reject bad ones at build time.

This was contributed by Lukas Rytz in #​7480.

Zinc fixes

ConsistentAnalysisFormat: new Zinc Analysis serialization

sbt 1.10.0 adds a new Zinc serialization format that is faster and repeatable, unlike the current Protobuf-based serialization. Benchmark data based on scala-library + reflect + compiler:

Write time Read time File size
sbt Text 1002 ms 791 ms ~ 7102 kB
sbt Binary 654 ms 277 ms ~ 6182 kB
ConsistentBinary 157 ms 100 ms 3097 kB

Since Zinc Analysis is internal to sbt, sbt 1.10.0 will enable this format by default. The following setting can be used to opt-out:

Global / enableConsistentCompileAnalysis := false

This was contributed by Stefan Zeiger at Databricks in zinc#1326.

New CommandProgress API

sbt 1.10.0 adds a new CommandProgress API.

This was contributed by Iulian Dragos at Gradle Inc in #​7350.

Other updates

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 1a94133 to 6a86a54 Compare July 7, 2024 23:30
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.0 Update dependency sbt/sbt to v1.10.1 Jul 7, 2024
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.1 Update dependency sbt/sbt to v1.10.2 Sep 16, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 6a86a54 to bc2cb57 Compare September 16, 2024 03:59
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.2 Update dependency sbt/sbt to v1.10.3 Oct 20, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from bc2cb57 to 3729b5b Compare October 20, 2024 04:50
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 3729b5b to acbdd56 Compare October 28, 2024 11:21
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.3 Update dependency sbt/sbt to v1.10.4 Oct 28, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from acbdd56 to 781197c Compare November 4, 2024 03:43
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.4 Update dependency sbt/sbt to v1.10.5 Nov 4, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 781197c to 59dbb27 Compare November 30, 2024 09:40
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.5 Update dependency sbt/sbt to v1.10.6 Nov 30, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 59dbb27 to b3b8671 Compare December 23, 2024 07:10
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.6 Update dependency sbt/sbt to v1.10.7 Dec 23, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from b3b8671 to 0fb4c4b Compare March 3, 2025 22:32
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.7 Update dependency sbt/sbt to v1.10.9 Mar 3, 2025
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 0fb4c4b to 354d34e Compare March 4, 2025 07:32
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.9 Update dependency sbt/sbt to v1.10.10 Mar 4, 2025
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 354d34e to 55a3f22 Compare March 17, 2025 07:10
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.10 Update dependency sbt/sbt to v1.10.11 Mar 17, 2025
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 55a3f22 to bbe9a18 Compare May 24, 2025 09:25
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.11 Update dependency sbt/sbt to v1.11.0 May 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants