Update dependency sbt/sbt to v1.10.4

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	patch	1.10.0 -> 1.10.4

---

Release Notes

sbt/sbt (sbt/sbt)

v1.10.4: 1.10.4

Compare Source

updates and bug fixes

• fix: Fixes Jansi deprecation notice by switching to jline-terminal-jni by @​Friendseeker in https://github.com/sbt/sbt/pull/7811
• fix: Fixes GLIBC_2.32 issue on sbtn by statically linking musl by @​Friendseeker in https://github.com/sbt/sbt/pull/7823
• fix: Throw exception when sbt new fails to find template by @​Friendseeker in https://github.com/sbt/sbt/pull/7835
• fix: Fixes ~ with Global / onChangedBuildSource := ReloadOnSourceChanges by @​Friendseeker in https://github.com/sbt/sbt/pull/7838
• fix: Fixes "Unrecognized option: --server" error on BSP server by @​eed3si9n in https://github.com/sbt/sbt/pull/7824
• fix: Fixes pipelined build while changing version frequently by @​Friendseeker in https://github.com/sbt/sbt/pull/7830
• fix: Change the default analysis format to older binary, and make Consistent Analysis opt-in by @​Friendseeker in https://github.com/sbt/sbt/pull/7807

behind the scene

• ci: Bump supported JDK version to 21 in DEVELOPING.md by @​Friendseeker in https://github.com/sbt/sbt/pull/7784
• ci: Bump sbt to 1.10.3 by @​Friendseeker in https://github.com/sbt/sbt/pull/7802
• ci: Bump TEST_SBT_VER to 1.10.3 & remove unused CI variables by @​Friendseeker in https://github.com/sbt/sbt/pull/7825
• ci: Delete .java-version to not fix java version to 1.8 by @​Friendseeker in https://github.com/sbt/sbt/pull/7827
• deps: Bump Scala 2.13 to 2.13.15 by @​Friendseeker in https://github.com/sbt/sbt/pull/7798
• deps: Bump JLine to 3.27.1 by @​Friendseeker in https://github.com/sbt/sbt/pull/7829
• deps: Zinc 1.10.4 by @​eed3si9n in https://github.com/sbt/sbt/pull/7839
• refactor: Remove two unused methods that depends on Analysis Timestamp by @​Friendseeker in https://github.com/sbt/sbt/pull/7787
• refactor: Deprecate useJCenter key by @​Philippus in https://github.com/sbt/sbt/pull/7822

Full Changelog: sbt/sbt@v1.10.3...v1.10.4

v1.10.3: 1.10.3

Compare Source

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @​gabrieljones and was fixed by Jerry Tan (@​Friendseeker) in zinc#1443.

@​adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @​Friendseeker in https://github.com/sbt/sbt/pull/7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @​smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @​Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@​lihaoyi) in https://github.com/sbt/zinc/pull/1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @​Ichoran and @​Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.

bug fixes and updates

• deps: Updates metabuild Scala version to 2.12.20 by @​SethTisue in #​7636
• fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by @​Friendseeker in #​7695
• fix: Fixes transitive invalidation interfering with cycle stopping condition by @​Friendseeker in zinc#1397
• fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by @​adpi2 in lm#451
• fix: Fixes directory permission issue under a multi-user environment by @​eed3si9n in ipcsocket#43
• deps: Updates sbt init template deps by @​xuwei-k in #​7730
• Updates sbt runner to default to sbtn for sbt 2.x by @​eed3si9n in #​7775

behind the scene

• ci: Bump CI to JDK 21 by @​Friendseeker in https://github.com/sbt/sbt/pull/7760
• refactor: Remove deprecated System.runFinalization by @​Friendseeker in https://github.com/sbt/sbt/pull/7732
• refactor: Remove deprecated Thread.getId by @​Friendseeker in https://github.com/sbt/sbt/pull/7733
• refactor: Regenerate Contraband files by @​Friendseeker in https://github.com/sbt/sbt/pull/7764
• deps: Bump IO, ipc-socket, and launcher by @​eed3si9n in https://github.com/sbt/sbt/pull/7776
• deps: Zinc 1.10.3 by @​eed3si9n in https://github.com/sbt/sbt/pull/7781
• deps: lm 1.10.2 by @​eed3si9n in https://github.com/sbt/sbt/pull/7782
• ci: Set a default timeout for ci by @​nathanlao in https://github.com/sbt/sbt/pull/7766
• ci: Removes vscode-sbt-scala from build.sbt by @​Friendseeker in https://github.com/sbt/sbt/pull/7728
• ci: Adds dependabot setting for develop branch by @​xuwei-k in https://github.com/sbt/sbt/pull/7701

Full Changelog: sbt/sbt@v1.10.2...v1.10.3

v1.10.2: 1.10.2

Compare Source

Changes with compatibility implications

• Uses _sbt2_3 suffix for sbt 2.x by @​eed3si9n in https://github.com/sbt/sbt/pull/7671

Updates and bug fixes

• Fixes the attribute key name from serverIdleTimeOut to serverIdleTimeout to match the variable name by @​lervag in https://github.com/sbt/sbt/pull/7651
• Fixes incremental Scala-Java mixed compilation that produces JAR directly by @​adpi2 in https://github.com/sbt/zinc/pull/1377
• Fixes over-compilation when using a class directory as a library by @​adpi2 in https://github.com/sbt/zinc/pull/1382
• Perf: Copy bytes directly instead of using scala.reflect.io.Streamable by @​rochala in https://github.com/sbt/zinc/pull/1395
• Includes all sources and resources in source jar by @​jroper in https://github.com/sbt/sbt/pull/7630
• Fixes the handling of Optional inter-project dependency in BSP by @​adpi2 in https://github.com/sbt/sbt/pull/7568
• Trims spaces around k and v to tolerate extra whitespace in build.properties by @​invadergir in https://github.com/sbt/sbt/pull/7585
• Fixes legacy repositories like scala-tools-releases in repositories file blocking sbt from launching by @​eed3si9n in https://github.com/sbt/launcher/pull/104
• Fixes stale BSP diagnostics by @​SlowBrainDude in https://github.com/sbt/sbt/pull/7610
• Fixes scripted support for sbt 2.x by @​eed3si9n in https://github.com/sbt/sbt/pull/7672
• Avoids using ThreadDeath for future JDK compatibility by @​xuwei-k in https://github.com/sbt/sbt/pull/7652
• Avoids using ZipError for future JDK compatibility by @​eed3si9n in https://github.com/sbt/zinc/pull/1393

Behind the scenes

• Update to Zinc 1.10.2 by @​eed3si9n in https://github.com/sbt/sbt/pull/7674
• Update to lm 1.10.1 by @​eed3si9n in https://github.com/sbt/sbt/pull/7597
• Update to Launcher 1.4.3 by @​eed3si9n in https://github.com/sbt/sbt/pull/7598
• Update to the common Scala 2.12 version for the sbtn subproject by @​SlowBrainDude in https://github.com/sbt/sbt/pull/7605
• Note in dev docs on supported build time JDK version dependency by @​SlowBrainDude in https://github.com/sbt/sbt/pull/7606
• CI: Zinc default branch is 1.10.x by @​adpi2 in https://github.com/sbt/sbt/pull/7654
• Upgrade sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in https://github.com/sbt/sbt/pull/7555
• Update Scala 3 doc test by @​eed3si9n in https://github.com/sbt/sbt/pull/7619
• Bump scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in https://github.com/sbt/sbt/pull/7565
• Fixes dependency-management/force-update-period test (backport of #​7538) by @​adpi2 in https://github.com/sbt/sbt/pull/7567
• Fixes BuildServerTest by @​adpi2 in https://github.com/sbt/sbt/pull/7638

New contributors

• @​invadergir made their first contribution in https://github.com/sbt/sbt/pull/7585
• @​rochala made their first contribution in https://github.com/sbt/zinc/pull/1395
• @​SlowBrainDude made their first contribution in https://github.com/sbt/sbt/pull/7606
• @​lervag made their first contribution in https://github.com/sbt/sbt/pull/7651

Full Changelog: sbt/sbt@v1.10.0...v1.10.2

v1.10.1: 1.10.1

Compare Source

bug fixes and updates

• Fixes column/position information missing from the javac error messages in IntelliJ by @​vasilmkd in https://github.com/sbt/zinc/pull/1373
• Fixes backslash handling in expandMavenSettings by @​desbo in https://github.com/sbt/librarymanagement/pull/444
• Fixes JSON serialization of Map and LList in sjson-new 0.10.1 by @​steinybot + @​eed3si9n in https://github.com/eed3si9n/sjson-new/pull/142
• Fixes the hash code for empty files in the classpath cache by @​szeiger in https://github.com/sbt/zinc/pull/1366
• Fixes forceUpdatePeriod by @​adpi2 in https://github.com/sbt/sbt/pull/7567
• Fixes BSP handling of Optional inter-project dependencies by @​adpi2 in https://github.com/sbt/sbt/pull/7568
• Ignores jcenter and scala-tools-releases entries in the ~/.sbt/repositories file by @​eed3si9n in https://github.com/sbt/launcher/pull/104

behind the scenes

• Updates sbt plugins to avoid deprecated repo.scala-sbt.org by @​mkurz in https://github.com/sbt/sbt/pull/7555
• Updates scalacenter/sbt-dependency-submission from 2 to 3 by @​dependabot in https://github.com/sbt/sbt/pull/7565

Full Changelog: sbt/sbt@v1.10.0...v1.10.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.