chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
com.github.sbt:sbt-ci-release (source)	plugin	minor	1.8.0 -> 1.9.0
com.lihaoyi:os-lib		patch	0.11.1 -> 0.11.3
dev.zio:zio-logging-slf4j2 (source)		patch	2.3.1 -> 2.3.2
org.scoverage:sbt-scoverage (source)	plugin	patch	2.2.1 -> 2.2.2
sbt/sbt		patch	1.10.2 -> 1.10.3
ubuntu	github-runner	major	22.04 -> 24.04

---

Release Notes

sbt/sbt-ci-release (com.github.sbt:sbt-ci-release)

v1.9.0

Compare Source

com-lihaoyi/os-lib (com.lihaoyi:os-lib)

v0.11.3

Compare Source

v0.11.2

Compare Source

Merged Pull Requests

• Fixed typo on Readme.adoc by @​windymelt in https://github.com/com-lihaoyi/os-lib/pull/322
• Use Files.newOutputStream instead of new java.io.FileOutputStream by @​sake92 in https://github.com/com-lihaoyi/os-lib/pull/323

New Contributors

• @​windymelt made their first contribution in https://github.com/com-lihaoyi/os-lib/pull/322

Full Changelog: com-lihaoyi/os-lib@0.11.1...0.11.2

zio/zio-logging (dev.zio:zio-logging-slf4j2)

v2.3.2

Compare Source

What's Changed

• Update zio, zio-streams, zio-test, ... to 2.1.11 (#​895) @​scala-steward
• Add appendLoggerName aspect (#​893) @​somdoron
• CI - runs on ubuntu-22.04 (#​894) @​justcoon
• Update log4j-core, log4j-slf4j2-impl to 2.24.1 (#​892) @​scala-steward
• Update sbt-scalajs, scalajs-compiler, ... to 1.17.0 (#​889) @​scala-steward
• Update zio-http to 3.0.1 (#​887) @​scala-steward
• Update sbt to 1.10.2 (#​886) @​scala-steward
• Update zio-prelude to 1.0.0-RC31 (#​882) @​scala-steward
• Update formatting-log-records.md (#​881) @​neo773

scoverage/sbt-scoverage (org.scoverage:sbt-scoverage)

v2.2.2

Compare Source

What’s Changed

• Update sbt-ci-release to 1.8.0 (#​567) @​scala-steward
• run scalafmtSbtCheck in CI (#​566) @​xuwei-k
• remove unnecessary dependency (#​564) @​xuwei-k
• fix deprecated procedure syntax (#​563) @​xuwei-k
• add sbt/setup-sbt (#​565) @​xuwei-k
• Update sbt-ci-release to 1.7.0 (#​562) @​scala-steward
• Add Scala 3.3.4 around check to support excluded packages and filenames (#​561) @​a-morales

sbt/sbt (sbt/sbt)

v1.10.3: 1.10.3

Compare Source

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @​gabrieljones and was fixed by Jerry Tan (@​Friendseeker) in zinc#1443.

@​adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @​Friendseeker in https://github.com/sbt/sbt/pull/7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @​smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @​Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@​lihaoyi) in https://github.com/sbt/zinc/pull/1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @​Ichoran and @​Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.

bug fixes and updates

• deps: Updates metabuild Scala version to 2.12.20 by @​SethTisue in #​7636
• fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by @​Friendseeker in #​7695
• fix: Fixes transitive invalidation interfering with cycle stopping condition by @​Friendseeker in zinc#1397
• fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by @​adpi2 in lm#451
• fix: Fixes directory permission issue under a multi-user environment by @​eed3si9n in ipcsocket#43
• deps: Updates sbt init template deps by @​xuwei-k in #​7730
• Updates sbt runner to default to sbtn for sbt 2.x by @​eed3si9n in #​7775

behind the scene

• ci: Bump CI to JDK 21 by @​Friendseeker in https://github.com/sbt/sbt/pull/7760
• refactor: Remove deprecated System.runFinalization by @​Friendseeker in https://github.com/sbt/sbt/pull/7732
• refactor: Remove deprecated Thread.getId by @​Friendseeker in https://github.com/sbt/sbt/pull/7733
• refactor: Regenerate Contraband files by @​Friendseeker in https://github.com/sbt/sbt/pull/7764
• deps: Bump IO, ipc-socket, and launcher by @​eed3si9n in https://github.com/sbt/sbt/pull/7776
• deps: Zinc 1.10.3 by @​eed3si9n in https://github.com/sbt/sbt/pull/7781
• deps: lm 1.10.2 by @​eed3si9n in https://github.com/sbt/sbt/pull/7782
• ci: Set a default timeout for ci by @​nathanlao in https://github.com/sbt/sbt/pull/7766
• ci: Removes vscode-sbt-scala from build.sbt by @​Friendseeker in https://github.com/sbt/sbt/pull/7728
• ci: Adds dependabot setting for develop branch by @​xuwei-k in https://github.com/sbt/sbt/pull/7701

Full Changelog: sbt/sbt@v1.10.2...v1.10.3

---

Configuration

📅 Schedule: Branch creation - "before 9am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.