Skip to content

Releases: sbt/zinc

1.10.5

30 Nov 04:01
v1.10.5
dfd4b58
Compare
Choose a tag to compare

updates

behind the scene

Full Changelog: v1.10.4...v1.10.5

1.10.4

28 Oct 08:12
v1.10.4
8d88f99
Compare
Choose a tag to compare

behind the scene

Full Changelog: v1.10.3...v1.10.4

1.10.3

19 Oct 16:02
v1.10.3
f136f98
Compare
Choose a tag to compare

Protobuf with potential Denial of Service (CVE-2024-7254)

Zinc 1.10.3 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error. Given the nature of how Protobuf is used in Zinc as internal serialization, we think the impact of this issue is minimum. However, security software might still flag this to be an issue while using sbt or Zinc, so upgrade is advised. This issue was originally reported by @gabrieljones and was fixed by @Friendseeker in #1443.

@adpi2 at Scala Center has also configured dependency graph submission to get security alerts in #1448.

Reverting the invalidation of circular-dependent sources

Zinc 1.10.3 reverts the initial invalidation of circular-dependent pairs.

There's been a series of incremental compiler bugs such as "Invalid superClass" and "value b is not a member of A" that would go away after clean. The root cause of these bugs were identified by @smarter (#598 (comment)) and @Friendseeker to be partial compilation of circular-dependent sources where two sources A.scala and B.scala use some constructs from each other.

Zinc 1.10.0 fixed this issue via #1284 by invalidating the circular-dependent pairs together. In other words, if A.scala was changed, it would immediately invalidate B.scala. It turns out, that people have been writing circular-dependent code, and this has resulted in multiple reports of Zinc's over-compilation (#1420, #1461). Given that the invalidation seems to affect the users more frequently than the original bug, we're going to revert the fix for now. We might bring this back with an opt-out flag later on. The revert was contributed by by @lihaoyi in #1462.

Improvement: ParallelGzipOutputStream

Zinc 1.10.0 via #1326 added a new consistent (repeatable) formats for Analysis storage. As a minor optimization, the pull request also included an implementation of ParallelGzipOutputStream, which would reduce the generate file size by 20%, but with little time penalty. Unfortunately, however, we have observed in CI that that the scala.concurrent.Future-based implementation gets stuck in a deadlock. @Ichoran and @Friendseeker have contributed an alternative implementation that uses Java threads directly, which fixes the issue in #1466.

Other updates

Behind the scene

New contributors

Full Changelog: v1.10.2...v1.10.3

1.10.2

15 Sep 20:17
v1.10.2
5a7012f
Compare
Choose a tag to compare

fixes and updates

  • Fixes mixed compilation to JAR by @adpi2 in #1377
  • Fixes over-compilation when using a class directory as a library by @adpi2 in #1382
  • Perf: Copy bytes directly instead of using scala.reflect.io.Streamable by @rochala in #1395
  • Avoids using ZipError for future JDK compatibility by @eed3si9n in #1393

behind the scenes

new contributors

Full Changelog: v1.10.1...v1.10.2

1.10.1

07 Jul 22:29
v1.10.1
15b317b
Compare
Choose a tag to compare

updates

behind the scenes

Full Changelog: v1.10.0...v1.10.1

1.10.0

05 May 23:40
v1.10.0
16ebac4
Compare
Choose a tag to compare

what's changed

behind the scenes

new contributors

Full Changelog: v1.9.6...v1.10.0

1.10.0-RC2

15 Apr 01:36
v1.10.0-RC2
Compare
Choose a tag to compare
1.10.0-RC2 Pre-release
Pre-release

updates

Full Changelog: v1.10.0-RC1...v1.10.0-RC2

1.10.0-RC1

08 Apr 09:18
v1.10.0-RC1
a700e3b
Compare
Choose a tag to compare
1.10.0-RC1 Pre-release
Pre-release

what's changed

behind the scenes

new contributors

Full Changelog: v1.10.0-M3...v1.10.0-RC1

1.10.0-M3

24 Feb 05:34
v1.10.0-M3
4fd4675
Compare
Choose a tag to compare
1.10.0-M3 Pre-release
Pre-release

What's changed

Behind the scenes

Full Changelog: v1.10.0-M2...v1.10.0-M3

1.9.6

06 Jan 10:08
v1.9.6
Compare
Choose a tag to compare

Zinc 1.9.6 patches IO to 1.9.8.

Full Changelog: v1.9.5...v1.9.6