chore(deps): update dependency sbt/sbt to v1.9.7

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	patch	1.9.2 -> 1.9.7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

sbt/sbt (sbt/sbt)

v1.9.7: 1.9.7

Compare Source

Highlights

• sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

• Updates Coursier to 2.1.7 by @​regiskuckaertz in #​7392
• Updates Swoval to 2.1.12 by @​eatkins in io#353.
• Fixes .sbtopts support for sbt runner script on Windows by @​ptrdom in #​7393
• Adds documentation on scriptedSbt key by @​mdedetrich in #​7383
• Includes the URL in dependencyBrowseTree log by @​mkurz in #​7396

v1.9.6: 1.9.6

Compare Source

bug fix

• sbt 1.9.6 reverts "internal representation of class symbol names" change (https://github.com/sbt/zinc/pull/1244), which caused Scala compiler to generate wrong anonymous class name by @​eed3si9n in https://github.com/sbt/zinc/pull/1256. See https://github.com/scala/bug/issues/12868 for more details.

Full Changelog: sbt/sbt@v1.9.5...v1.9.6

v1.9.5: 1.9.5

Compare Source

Update: ⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
https://github.com/scala/bug/issues/12868#issuecomment-1720848704

highlights

• Switches to pre-compiled compiler bridge for Scala 2.13.12+ #​7374 by @​eed3si9n
• Fixes NPE when just -X is passed to scalacOptions zinc#1246 by @​unkarjedy

other updates

• Fixes internal representation of class symbol names zinc#1244 by @​dwijnand
• Fixes NumberFormatException in CrossVersionUtil.binaryScalaVersion lm#426 by @​HelloKunal
• Fixes scripted client/server instability on Windows #​7087 by @​mdedetrich
• Fixes sbt launcher script bug on Windows #​7365 by @​JD557
• Fixes help command on oldshell #​7358 by @​azdrojowa123
• Adds allModuleReports to UpdateReport lm#428 by @​mdedetrich
• Handles javac warning messages zinc#1228 by @​Arthurm1
• Enables inliner for Scala 2.13 compiler bridge zinc#1247 by @​mdedetrich

new contributors

• @​azdrojowa123 made their first contribution in https://github.com/sbt/sbt/pull/7358
• @​JD557 made their first contribution in https://github.com/sbt/sbt/pull/7367

Full Changelog: sbt/sbt@v1.9.4...v1.9.5

v1.9.4: 1.9.4

Compare Source

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

With coordination with Apache Foundation, Adrien Piquerez (@​adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

• Fixes sbt_script lookup by replacing all spaces with %20 (not only the first one) in the path. by @​arturaz in https://github.com/sbt/sbt/pull/7349
• Fixes scala-debug-adapter#543: Maintain order of internal deps by @​adpi2 in https://github.com/sbt/sbt/pull/7347
• Removes conscriptConfigs task, not used and needed(?) anymore by @​mkurz in https://github.com/sbt/sbt/pull/7353
• Adds a Scala 3 seed to the sbt new menu by @​SethTisue in https://github.com/sbt/sbt/pull/7354

new contributors

• @​arturaz made their first contribution in https://github.com/sbt/sbt/pull/7349

Full Changelog: sbt/sbt@v1.9.3...v1.9.4

v1.9.3: 1.9.3

Compare Source

Actionable diagnostics (aka quickfix)

Actionable diagnostics, or quickfix, is an area in Scala tooling that's been getting attention since Chris Kipp presented it in the March 2023 Tooling Summit. Chris has written the roadmap and sent sbt/sbt#7242 that kickstarted the effort, but now there's been steady progress in Build Server Protocol, Dotty, Scala 2.13, IntelliJ, Zinc, etc. Metals 1.0.0, for example, is now capable of surfacing code actions as a quickfix.

sbt 1.9.3 adds a new interface called AnalysisCallback2 to relay code actions from the compiler(s) to Zinc's Analysis file. Future version of Scala 2.13.x (and hopefully Scala 3) will release with proper code actions, but as a demo I've implemented a code action for procedure syntax usages even on current Scala 2.13.11 with -deprecation flag.

This was contributed by Eugene Yokota (@​eed3si9n) in zinc#1226. Special thanks to @​lrytz for identifying this issue in zinc#1214.

other updates

• Adds M1/M2/Aarch64 build of sbtn into the installer by @​julienrf in https://github.com/sbt/sbt/pull/7329
• Fixes scripted tests timing out after 5 minutes by @​eed3si9n in https://github.com/sbt/sbt/pull/7336

Full Changelog: sbt/sbt@v1.9.2...v1.9.3

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.