🚀 features and other updates

• Adds allowUnsafeScalaLibUpgrade setting to opt-out of the Scala 2.13 compatibility check (SIP-51) by @lrytz in #8012
• BSP: Implement jvmBuildTarget for workspace/buildTargets by @Friendseeker in #7913
• Detects user-specific JDK installations on macOS by @unkarjedy in #8032
• Makes timing outputs consistently show hours and hint at time format by @jsoref in #8019
• Backports SHA-256, SHA-384, and SHA-512 checksum support to forked Apache Ivy by @mkurz in sbt/ivy#49
• Client-side run capability in sbtn by @eed3si9n in #8040

🐛 bug fixes

• fix: Fixes local source dependency invalidation by @rochala in sbt/zinc#1528
• fix: Clear Zinc Analysis Cache during Compile / clean, Test / clean by @Friendseeker in #7969
• fix: Fixes spurious upstream compilation when calling previousCompile by @Friendseeker in #7983
• fix: Fixes race condition in NetworkChannel by @dwickern in #8005
• fix: Fixes Chrome tracing file by @eed3si9n in #8020
• fix: Fixes incorrect sbt architecture logging in the runner script by @mehdignu in #8038
• fix: Fixes stdout freshness issue by @eed3si9n in #8048
• fix: sbt init by @eed3si9n in #8049

🎬 behind the scene

• refactor: Refactor response handler by @eed3si9n in #8035

new contributors

• @mehdignu made their first contribution in #8038

Full Changelog: v1.10.7...v1.10.9

sbt 1.10.8 is dead on arrival, please use 1.10.9 when it comes out.

🚀 features and other updates

• Enable runner script's build detection by default to require --allow-empty by @eed3si9n in #7966
• Support glob expressions in scripted to aid sbt 2.0.0-M3 cross building by @eed3si9n in #7933 / #7968
• perf: Precompile a regex in hot code by @retronym in sbt/zinc#1508

Build directory detection

Starting 1.10.7, the sbt runner script enables build directory detection by default. This means that the sbt will exit with error when launched in a directory without build.sbt or project/, with exceptions of sbt new, sbt --script-version etc.

To override this behavior temporarily, you can use --allow-empty flag. To permanently opt out of the build directory detection, create $XDG_CONFIG_HOME/sbt/sbtopts with --allow-empty in it.

csrMavenDependencyOverride setting

sbt 1.10.7 updates Coursier from 2.1.19 → 2.1.22. sbt 1.10.7 also adds a new setting csrMavenDependencyOverride (default: false), which controls the resolution, which respects Maven dependency override mechanism, also known as bill-of-materials (BOM) POM. Since there is a performance regression in the new resolver, we are setting the default to false.

🐛 bug fixes

• fix: Add csrMavenDependencyOverride to opt into bill-of-material (BOM) respecting Coursier resolution by @eed3si9n in #7970
• fix: Update the template resolver to use Giter8 0.17.0, which fixes the SLF4J warning by @eed3si9n in #7947
• fix: Update JLine 2 fork to 9a88bc4 and Jansi to 2.4.1, which fixes crash on Windows on ARM by @Friendseeker in #7952

🎬 behind the scene

• ci: New Scala CLA URL by @eed3si9n in #7929
• ci: Use new Scala CLA GitHub Action by @Friendseeker in #7953
• ci: Prepare for sbt 1.10.7 by @Friendseeker in #7957
• ci: Restore disabled Multirepo integration test by @Friendseeker in #7962

Full Changelog: v1.10.6...v1.10.7

⚠️ changes with compatibility implications

• Change homepage, organizationHomepage, apiURL, apiMappings, releaseNotesURL to URI type by @eed3si9n in #7927
• Replace tuple with proper record type for licenses by @mdedetrich in #7927
• Update sbtResolvers default value by @xuwei-k in #7799
• Remove useJCenter settingKey by @xuwei-k in #7801

🚀 features and other updates

• Support glob expressions in scripted by @eed3si9n in #7932
• Update to metabuild Scala to 3.6.2 by @eed3si9n in #7941
• Add Mapper that returns VirtualFile based mappings by @jtjeferreira + @eed3si9n in #7949
• Replace the use of compilation timestamp in detectAPIChanges with content hashes by @Friendseeker in sbt/zinc#1430
• perf: Reduce number of long-living instances to speed up startup by 20% relative to 2.0.0-M2 (41% speedup compared to sbt 1.10.2) by @adpi2 in #7866
• perf: Reduce creation of Setting and Initialize by @adpi2 in #7880
• perf: Refactor Settings and optimize indexing of aggregate keys by @adpi2 in #7879
• perf: Remove instances of Info and BasicAttributeMap by @adpi2 in #7882

🐛 bug fixes

• fix: Fixes doc task by using ScalaInstance from update by @eed3si9n in #7878
• fix: Resurrect or for tasks by @eed3si9n in #7749
• fix: Fixes concurrency issue in ParallelGzipOutputStream by reimplementing it using raw threads by @Ichoran + @Friendseeker in sbt/zinc#1456
• fix: Fix csrCacheDirectory and add test by @adpi2 in #7762
• fix: Fix type error if too many .value by @xuwei-k in #7773
• fix: Fix Scala 3.x - 2.12 sandwich for matrix by @eed3si9n in #7907
• fix: Remove -Wconf:cat=unused-nowarn:s from the metabuild, which was showing warning by @eed3si9n in #7924
• fix: Fix root project detection by @eed3si9n in #7925
• fix: concurrency control around build.sbt parsing by @eed3si9n in #7938
• fix: Use JDK path, not JRE path by @eed3si9n in #7948

🎬 behind the scene

• deps: Update JLine3 to 3.27.0 by @Friendseeker in #7756
• dep: Update io to 1.10.1 by @Friendseeker in #7800
• dep: Update Scala 3 to 3.3.4 by @Friendseeker in #7796
• dep: Update Scala 2.13 to 2.13.15 by @Friendseeker in #7804
• dep: Update launcher and ipcsocket versions by @Friendseeker in #7808
• dep: Zinc 2.0.0-M3 by @eed3si9n in #7954
• refactor: Update to Scala 3 syntax ? wildcard and * vararg by @eed3si9n in #7837
• refactor: Use extension instead of implicit class by @xuwei-k in #7809
• refactor: Migrate private[this] to private by @xuwei-k in #7812
• refactor: Delete sbt.internal.CompatParColls by @xuwei-k in #7815
• refactor: Use to{Int, Long, Double}Option methods by @xuwei-k in #7818
• refactor: Use extension in OptionSyntax by @xuwei-k in #7821
• refactor: Use extension instead of implicit by @xuwei-k in #7832, #7888, #7891
• refactor: Delete internal deprecated methods since 0.x by @xuwei-k in #7864
• refactor: Update ClassLoaderWarmup and remove unused warmup by @xuwei-k in #7874
• refactor: Remove enableConsistentCompileAnalysis, enableBinaryCompileAnalysis settings by @Friendseeker in #7887
• refactor: Use given instead of implicit val by @xuwei-k in #7890
• refactor: Remove implicit params. Change to using by @xuwei-k in #7889, #7892
• refactor: Use given instead of implicit object by @xuwei-k in #7893
• refactor: Refactor slash syntax to mostly use methods by @eed3si9n in #7911
• test: Reenable SlashSyntaxTest and TaskPosSpec tests by @jtjeferreira in #7744
• test: Update scalatest and scalacheck by @xuwei-k in #7816
• test: Resurrect property-based testing for slash syntax by @eed3si9n in #7875
• test: Fix flaky lm-coursier tests by @adpi2 in #7757
• ci: Submit dependency graph for security alert by @Friendseeker in #7750
• ci: In-source librarymanagement and lm-coursier modules into sbt/sbt by @adpi2 in #7739
• ci: Exclude Scala libraries from lm-coursier-shaded by @adpi2 in #7755
• ci: Upgrade and reenable sbt-contraband plugin by @adpi2 in #7752
• ci: Remove Scala 2 cross build for util modules by @Friendseeker in #7759
• ci: Skip publishing local Zinc to speed up CI by @adpi2 in #7763
• ci: Set default CI timeout by @nathanlao in #7769
• ci: Update Contraband-generated sources. Add check Contraband sources consistency job by @xuwei-k in #7778
• ci: Update to Contraband 0.7.0 by @eed3si9n in #7836
• ci: Add @codecPackage annotation to state.contra by @xuwei-k in #7780
• ci: Update CI to test on JDK 21 by @Friendseeker in #7783
• ci: Update Scalafmt by @xuwei-k in #7810
• ci: Cleanup dependency settings by @xuwei-k in #7814
• ci: Migrate deprecated colon syntax in build.sbt by @xuwei-k in #7817
• ci: Remove unused dependencies in project/Dependencies.scala by @xuwei-k in #7923
• ci: New Scala CLA URL by @eed3si9n in #7928
• ci: Add lmCoursierShadedPublishing to allProjects by @jtjeferreira in #7930
• ci: Merge 1.10.x by @eed3si9n in #7950

Full Changelog: v2.0.0-M2...v2.0.0-M3

change with compatibility implication

• deps: lm-coursier 2.1.6, which updates Coursier 2.1.14 → 2.1.19 by @eed3si9n in #7920

  This release changes the way "BOMs" or "dependency management" are handled during resolution, and allows users to add BOMs to a resolution. This changes the way versions are picked when BOMs or dependency management are involved, which has an impact on the resolution of libraries from many JVM ecosystems, such as Apache Spark, Springboot, Quarkus, etc.

bug fixes and updates

• fix: Fixes Ctrl-C not stopping run task due to bgRun delegation by @Friendseeker in #7916
• fix: Fixes sbt --client support on openSUSE by @Androz2091 in #7895
• fix: Synchronizes dependencyTree console output by @Friendseeker in #7906
• fix: Synchronizes java.awt.Desktop.browse() during dependencyBrowseTree by @Friendseeker in #7905
• perf: Better memory efficiency for Zinc Analysis by @dwijnand in sbt/zinc#1494
• fix: Passes useConsistent to staticCachedStore by @Friendseeker in #7869
• Make reproducibility toggleable for ConsistentAnalysisFormat by @Friendseeker in sbt/zinc#1479
• clean clears previousCompile by @Friendseeker in sbt/zinc#1487 / #7922

behind the scene

• deps: Updates to Zinc 1.10.5 by @eed3si9n in #7922
• deps: Updates to IO 1.10.2 by @eed3si9n in #7921
• deps: Removes direct dependency on org.fusesource.jansi by @Friendseeker in #7876
• ci: Prepare for sbt 1.10.6 by @Friendseeker in #7871
• Add double quote around thread name during trace by @Friendseeker in #7886
• ci: Bump minimum Java version in launcher script to 8 by @Friendseeker in #7897
• test: Fix Flaky Test: sbt.TagsTest by @Friendseeker in #7919
• refactor: Improve message format for loading settings for project by @Friendseeker in #7909
• refactor: Respects dependencyBrowseGraphTarget, dependencyBrowseTreeTarget by @Friendseeker in #7904

new contributors

• @Androz2091 made their first contribution in #7895

Full Changelog: v1.10.5...v1.10.6

updates

• deps: Updates to Coursier 2.1.14 via lm-coursier 2.1.5 by @eed3si9n in #7859
• fix: Reverts sbtn to build with glibc by @Friendseeker and @eed3si9n
• fix: Fixes sbtn to return exit code 1 when on error by @Friendseeker in #7854
• fix: Fixes ++ with a command argument with slash by @eed3si9n in #7862
• fix: Replaces Narrow No-Break Space (NNBS) in date strings with a whitespace to prevent mojibakeh by @Friendseeker in #7846

behind the scene

• refactor: Migrate all usages of System.console == null by @Friendseeker in #7843
• ci: Prepare for sbt 1.10.5 by @Friendseeker in #7840

Full Changelog: v1.10.4...v1.10.5

updates and bug fixes

• fix: Fixes Jansi deprecation notice by switching to jline-terminal-jni by @Friendseeker in #7811
• fix: Fixes GLIBC_2.32 issue on sbtn by statically linking musl by @Friendseeker in #7823
• fix: Throw exception when sbt new fails to find template by @Friendseeker in #7835
• fix: Fixes ~ with Global / onChangedBuildSource := ReloadOnSourceChanges by @Friendseeker in #7838
• fix: Fixes "Unrecognized option: --server" error on BSP server by @eed3si9n in #7824
• fix: Fixes pipelined build while changing version frequently by @Friendseeker in #7830
• fix: Change the default analysis format to older binary, and make Consistent Analysis opt-in by @Friendseeker in #7807

behind the scene

• ci: Bump supported JDK version to 21 in DEVELOPING.md by @Friendseeker in #7784
• ci: Bump sbt to 1.10.3 by @Friendseeker in #7802
• ci: Bump TEST_SBT_VER to 1.10.3 & remove unused CI variables by @Friendseeker in #7825
• ci: Delete .java-version to not fix java version to 1.8 by @Friendseeker in #7827
• deps: Bump Scala 2.13 to 2.13.15 by @Friendseeker in #7798
• deps: Bump JLine to 3.27.1 by @Friendseeker in #7829
• deps: Zinc 1.10.4 by @eed3si9n in #7839
• refactor: Remove two unused methods that depends on Analysis Timestamp by @Friendseeker in #7787
• refactor: Deprecate useJCenter key by @Philippus in #7822

Full Changelog: v1.10.3...v1.10.4

Protobuf with potential Denial of Service (CVE-2024-7254)

sbt 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @gabrieljones and was fixed by Jerry Tan (@Friendseeker) in zinc#1443.

@adpi2 at Scala Center has also configured dependency graph submission to get security alerts in zinc#1448. sbt/sbt was configured by @Friendseeker in #7746.

Reverting the invalidation of circular-dependent sources

sbt 1.10.3 reverts the initial invalidation of circular-dependent Scala source pairs.

There had been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @smarter (sbt/zinc#598 (comment)) and @Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

sbt 1.10.0 fixed this issue via sbt/zinc#1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (zinc#1420, zinc#1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by Li Haoyi (@lihaoyi) in sbt/zinc#1462.

Improvement: ParallelGzipOutputStream

sbt 1.10.0 via sbt/zinc#1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @Ichoran and @Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in sbt/zinc#1466.

bug fixes and updates

• deps: Updates metabuild Scala version to 2.12.20 by @SethTisue in #7636
• fix: Fixes "illegal reflective access operation" error on JDK 11 by updating JLine to 3.27.0 by @Friendseeker in #7695
• fix: Fixes transitive invalidation interfering with cycle stopping condition by @Friendseeker in zinc#1397
• fix: Fixes dependency resolution of sbt plugins by excluding custom extra attributes from POM dependencies by @adpi2 in lm#451
• fix: Fixes directory permission issue under a multi-user environment by @eed3si9n in ipcsocket#43
• deps: Updates sbt init template deps by @xuwei-k in #7730
• Updates sbt runner to default to sbtn for sbt 2.x by @eed3si9n in #7775

behind the scene

• ci: Bump CI to JDK 21 by @Friendseeker in #7760
• refactor: Remove deprecated System.runFinalization by @Friendseeker in #7732
• refactor: Remove deprecated Thread.getId by @Friendseeker in #7733
• refactor: Regenerate Contraband files by @Friendseeker in #7764
• deps: Bump IO, ipc-socket, and launcher by @eed3si9n in #7776
• deps: Zinc 1.10.3 by @eed3si9n in #7781
• deps: lm 1.10.2 by @eed3si9n in #7782
• ci: Set a default timeout for ci by @nathanlao in #7766
• ci: Removes vscode-sbt-scala from build.sbt by @Friendseeker in #7728
• ci: Adds dependabot setting for develop branch by @xuwei-k in #7701

Full Changelog: v1.10.2...v1.10.3

Changes with compatibility implications

• Uses _sbt2_3 suffix for sbt 2.x by @eed3si9n in #7671

Updates and bug fixes

• Fixes the attribute key name from serverIdleTimeOut to serverIdleTimeout to match the variable name by @lervag in #7651
• Fixes incremental Scala-Java mixed compilation that produces JAR directly by @adpi2 in sbt/zinc#1377
• Fixes over-compilation when using a class directory as a library by @adpi2 in sbt/zinc#1382
• Perf: Copy bytes directly instead of using scala.reflect.io.Streamable by @rochala in sbt/zinc#1395
• Includes all sources and resources in source jar by @jroper in #7630
• Fixes the handling of Optional inter-project dependency in BSP by @adpi2 in #7568
• Trims spaces around k and v to tolerate extra whitespace in build.properties by @invadergir in #7585
• Fixes legacy repositories like scala-tools-releases in repositories file blocking sbt from launching by @eed3si9n in sbt/launcher#104
• Fixes stale BSP diagnostics by @SlowBrainDude in #7610
• Fixes scripted support for sbt 2.x by @eed3si9n in #7672
• Avoids using ThreadDeath for future JDK compatibility by @xuwei-k in #7652
• Avoids using ZipError for future JDK compatibility by @eed3si9n in sbt/zinc#1393

Behind the scenes

• Update to Zinc 1.10.2 by @eed3si9n in #7674
• Update to lm 1.10.1 by @eed3si9n in #7597
• Update to Launcher 1.4.3 by @eed3si9n in #7598
• Update to the common Scala 2.12 version for the sbtn subproject by @SlowBrainDude in #7605
• Note in dev docs on supported build time JDK version dependency by @SlowBrainDude in #7606
• CI: Zinc default branch is 1.10.x by @adpi2 in #7654
• Upgrade sbt plugins to avoid deprecated repo.scala-sbt.org by @mkurz in #7555
• Update Scala 3 doc test by @eed3si9n in #7619
• Bump scalacenter/sbt-dependency-submission from 2 to 3 by @dependabot in #7565
• Fixes dependency-management/force-update-period test (backport of #7538) by @adpi2 in #7567
• Fixes BuildServerTest by @adpi2 in #7638

New contributors

• @invadergir made their first contribution in #7585
• @rochala made their first contribution in sbt/zinc#1395
• @SlowBrainDude made their first contribution in #7606
• @lervag made their first contribution in #7651

Full Changelog: v1.10.0...v1.10.2

bug fixes and updates

• Fixes column/position information missing from the javac error messages in IntelliJ by @vasilmkd in sbt/zinc#1373
• Fixes backslash handling in expandMavenSettings by @desbo in sbt/librarymanagement#444
• Fixes JSON serialization of Map and LList in sjson-new 0.10.1 by @steinybot + @eed3si9n in eed3si9n/sjson-new#142
• Fixes the hash code for empty files in the classpath cache by @szeiger in sbt/zinc#1366
• Fixes forceUpdatePeriod by @adpi2 in #7567
• Fixes BSP handling of Optional inter-project dependencies by @adpi2 in #7568
• Ignores jcenter and scala-tools-releases entries in the ~/.sbt/repositories file by @eed3si9n in sbt/launcher#104

behind the scenes

• Updates sbt plugins to avoid deprecated repo.scala-sbt.org by @mkurz in #7555
• Updates scalacenter/sbt-dependency-submission from 2 to 3 by @dependabot in #7565

Full Changelog: v1.10.0...v1.10.1