Update dependency sbt/sbt to v1.9.9

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	patch	1.9.3 -> 1.9.9

---

Release Notes

sbt/sbt (sbt/sbt)

v1.9.9: 1.9.9

Compare Source

Bug fixes

• To fix console task on Scala 2.13.13, sbt 1.9.9 backports updates to JLine 3.24.1 and JAnsi 2.4.0 by @​hvesalai in #​7503 / #​7502
• To fix sbt 1.9.8's UnsatisfiedLinkError with stat, sbt 1.9.9 removes native code that was used to get the millisecond-precision timestamp that was broken (JDK-8177809) on JDK 8 prior to OpenJDK 8u302 by @​eed3si9n in sbt/io#367

Full Changelog: sbt/sbt@v1.9.8...v1.9.9

v1.9.8: 1.9.8

Compare Source

updates

• Fixes IO.getModifiedOrZero on Alpine etc, by using clib stat() instead of non-standard __xstat64 abi by @​bratkartoffel in sbt/io#362
• As a temporary fix for JLine issue, this disables vi-style effects inside emacs by @​hvesalai in #​7420
• Backports fix for updateSbtClassifiers not downloading sources #​7437 by @​azdrojowa123
• Backports missing logger methods that take Java Supplier #​7447 by @​mkurz

Full Changelog: sbt/sbt@v1.9.7...v1.9.8

v1.9.7: 1.9.7

Compare Source

Highlights

• sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.

Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

• Updates Coursier to 2.1.7 by @​regiskuckaertz in #​7392
• Updates Swoval to 2.1.12 by @​eatkins in io#353.
• Fixes .sbtopts support for sbt runner script on Windows by @​ptrdom in #​7393
• Adds documentation on scriptedSbt key by @​mdedetrich in #​7383
• Includes the URL in dependencyBrowseTree log by @​mkurz in #​7396

v1.9.6: 1.9.6

Compare Source

bug fix

• sbt 1.9.6 reverts "internal representation of class symbol names" change (sbt/zinc#1244), which caused Scala compiler to generate wrong anonymous class name by @​eed3si9n in sbt/zinc#1256. See scala/bug#12868 for more details.

Full Changelog: sbt/sbt@v1.9.5...v1.9.6

v1.9.5: 1.9.5

Compare Source

Update: ⚠️ sbt 1.9.5 is broken, because it causes Scala compiler to generate wrong class names for anonymous class on lambda. While we investigate please refrain from publishing libraries with it.
scala/bug#12868 (comment)

highlights

• Switches to pre-compiled compiler bridge for Scala 2.13.12+ #​7374 by @​eed3si9n
• Fixes NPE when just -X is passed to scalacOptions zinc#1246 by @​unkarjedy

other updates

• Fixes internal representation of class symbol names zinc#1244 by @​dwijnand
• Fixes NumberFormatException in CrossVersionUtil.binaryScalaVersion lm#426 by @​HelloKunal
• Fixes scripted client/server instability on Windows #​7087 by @​mdedetrich
• Fixes sbt launcher script bug on Windows #​7365 by @​JD557
• Fixes help command on oldshell #​7358 by @​azdrojowa123
• Adds allModuleReports to UpdateReport lm#428 by @​mdedetrich
• Handles javac warning messages zinc#1228 by @​Arthurm1
• Enables inliner for Scala 2.13 compiler bridge zinc#1247 by @​mdedetrich

new contributors

• @​azdrojowa123 made their first contribution in #​7358
• @​JD557 made their first contribution in #​7367

Full Changelog: sbt/sbt@v1.9.4...v1.9.5

v1.9.4: 1.9.4

Compare Source

CVE-2022-46751

CVE-2022-46751 is a security vulnerability discovered in Apache Ivy, but found also in Coursier.

With coordination with Apache Foundation, Adrien Piquerez (@​adpi2) from Scala Center backported the fix to both our Ivy 2.3 fork and Coursier. sbt 1.9.4 updates them to the fixed versions.

Other updates

• Fixes sbt_script lookup by replacing all spaces with %20 (not only the first one) in the path. by @​arturaz in #​7349
• Fixes scala-debug-adapter#543: Maintain order of internal deps by @​adpi2 in #​7347
• Removes conscriptConfigs task, not used and needed(?) anymore by @​mkurz in #​7353
• Adds a Scala 3 seed to the sbt new menu by @​SethTisue in #​7354

new contributors

• @​arturaz made their first contribution in #​7349

Full Changelog: sbt/sbt@v1.9.3...v1.9.4

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Files