Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency sbt/sbt to v1.10.7 #21

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 9, 2024

This PR contains the following updates:

Package Update Change
sbt/sbt patch 1.10.0 -> 1.10.7

Release Notes

sbt/sbt (sbt/sbt)

v1.10.7: 1.10.7

Compare Source

🚀 features and other updates

🐛 bug fixes

🎬 behind the scene

Full Changelog: sbt/sbt@v1.10.6...v1.10.7

v1.10.6: 1.10.6

Compare Source

change with compatibility implication

  • deps: lm-coursier 2.1.6, which updates Coursier 2.1.14 → 2.1.19 by @​eed3si9n in https://github.com/sbt/sbt/pull/7920

    This release changes the way "BOMs" or "dependency management" are handled during resolution, and allows users to add BOMs to a resolution. This changes the way versions are picked when BOMs or dependency management are involved, which has an impact on the resolution of libraries from many JVM ecosystems, such as Apache Spark, Springboot, Quarkus, etc.

bug fixes and updates

behind the scene

new contributors

Full Changelog: sbt/sbt@v1.10.5...v1.10.6

v1.10.5: 1.10.5

Compare Source

updates

behind the scene

Full Changelog: sbt/sbt@v1.10.4...v1.10.5

v1.10.4: 1.10.4

Compare Source

updates and bug fixes

behind the scene

Full Changelog: sbt/sbt@v1.10.3...v1.10.4

v1.10.3: 1.10.3

Compare Source

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @​gabrieljones and was fixed by Jerry Tan (@​Friendseeker) in zinc#1443.

@​adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @​Friendseeker in https://github.com/sbt/sbt/pull/7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @​smarter (https://github.com/sbt/zinc/issues/598#issuecomment-449028234) and @​Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via https://github.com/sbt/zinc/pull/1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@​lihaoyi) in https://github.com/sbt/zinc/pull/1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via https://github.com/sbt/zinc/pull/1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @​Ichoran and @​Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in https://github.com/sbt/zinc/pull/1466.

bug fixes and updates
behind the scene

Full Changelog: sbt/sbt@v1.10.2...v1.10.3

v1.10.2: 1.10.2

Compare Source

Changes with compatibility implications

Updates and bug fixes

Behind the scenes

New contributors

Full Changelog: sbt/sbt@v1.10.0...v1.10.2

v1.10.1: 1.10.1

Compare Source

bug fixes and updates

behind the scenes

Full Changelog: sbt/sbt@v1.10.0...v1.10.1


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@rcardin rcardin added the maintanance Dependecy update request label Jul 11, 2024
@rcardin rcardin added this to the v0.0.4 milestone Jul 11, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 9bfbbe6 to b278a71 Compare September 16, 2024 08:13
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.1 Update dependency sbt/sbt to v1.10.2 Sep 16, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from b278a71 to 59162e3 Compare October 20, 2024 04:35
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.2 Update dependency sbt/sbt to v1.10.3 Oct 20, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 59162e3 to fd1092e Compare October 28, 2024 12:59
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.3 Update dependency sbt/sbt to v1.10.4 Oct 28, 2024
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.4 Update dependency sbt/sbt to v1.10.5 Nov 4, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from fd1092e to c3ef7fd Compare November 4, 2024 02:13
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.5 Update dependency sbt/sbt to v1.10.6 Nov 30, 2024
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from c3ef7fd to 484d3d9 Compare November 30, 2024 07:51
@renovate renovate bot force-pushed the renovate/sbt-sbt-1.x branch from 484d3d9 to 8b1dabf Compare December 23, 2024 04:10
@renovate renovate bot changed the title Update dependency sbt/sbt to v1.10.6 Update dependency sbt/sbt to v1.10.7 Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
maintanance Dependecy update request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant