Update dependency sbt/sbt to v1.12.13

[renovate]

This PR contains the following updates:

Package	Update	Change
sbt/sbt	minor	1.10.7 → 1.12.13

---

Release Notes

sbt/sbt (sbt/sbt)

v1.12.13: 1.12.13

Compare Source

🐛 bug fixes

• fix: Fixes file permissions by @​eed3si9n + @​xuwei-k in sbt/io#527 / #​9350
• fix: Fixes ArrayIndexOutOfBoundsException error when Unix domain socket is closed by @​merlinorg in sbt/ipcsocket#77

Full Changelog: sbt/sbt@v1.12.12...v1.12.13

v1.12.12: 1.12.12

Compare Source

bug fixes

• fix: Fixes console that references Java module classes on JDK 9+ by @​BrianHotopp in #​9327
• fix: Fixes sbt --version to now show JDK warnings on JDK 25 by @​bitloi in #​8822
• fix: Fixes stdout/stderr not displaying on sbtn by @​BrianHotopp in #​9265
• fix: Ensure resources are copied atomically by @​anatoliykmetyuk in #​9196

behind the scenes

• Update sbtn to 2.0.0-f0d2fae4 by @​eed3si9n in #​9334
• test: Make custom-scala-org scripted test hermetic by @​BrianHotopp in #​9260
• ci: Skip 2.13 modules from graph submission by @​eed3si9n in #​9328

Full Changelog: sbt/sbt@v1.12.11...v1.12.12

v1.12.11: 1.12.11

Compare Source

bug fix

• fix: Rollback eviction error in Test by @​eed3si9n in sbt/librarymanagement#600

Full Changelog: sbt/sbt@v1.12.10...v1.12.11

v1.12.10: 1.12.10

Compare Source

updates

• deps: Update log4j to 2.25.4, which fixes CVE-2026-34477, CVE-2026-34478, CVE-2026-34479, CVE-2026-34480 by @​dancewithheart in #​9086
• deps: Update Gigahorse to 0.9.4, which pulls in httpclient5 5.6.1 by @​eed3si9n in #​9125
• deps: Update sbtn to 2.0.0-RC13 by @​eed3si9n in #​9139
• Backport of eviction error in Test configuration by @​zainab-ali in #​9102

🐛 bug fixes

• fix: Hide JDK warnings if JDK 26 or later by @​xuwei-k in #​9068
• fix: Fixes managedScalaInstance false support by @​eed3si9n in #​9121

behind the scenes

• ci: dependency-submission branch set to 1.12.x by @​dancewithheart in #​9088

new contributors

• @​dancewithheart made their first contribution in #​9086

Full Changelog: sbt/sbt@v1.12.9...v1.12.10

v1.12.9: 1.12.9

Compare Source

Updates

• fix: Prefer local ScalaModuleInfo over global config by @​kitbellew in coursier/sbt-coursier#609

Full Changelog: sbt/sbt@v1.12.8...v1.12.9

v1.12.8: 1.12.8

Compare Source

updates

• fix: Fixes the source dependency checkout directory by @​eed3si9n in #​8974

behind the scenes

• fix: Fixes test format by @​eed3si9n in #​8969

Full Changelog: sbt/sbt@v1.12.7...v1.12.8

v1.12.7: 1.12.7

Compare Source

CVE-2026-32948 Source dependency feature (via crafted VCS URL) leading to arbitrary code execution on Windows

sbt 1.12.7 fixes CVE-2026-32948 (GHSA-x4ff-q6h8-v7gw). Recently @​anatoliykmetyuk at Scala Center discovered a vulnerability in sbt's source dependency feature ProjectRef(...) and RootProject(...). The URL for the version control system allows branch specification via the URL fragment, which is passed to Windows cmd shell. A malicious user can craft an URL that allows arbitrary code execution.

Anatolii also provided a fix from a private fork 1ce945 and 3a474a. We recommend upgrading to sbt 1.12.7, especially if you're on Windows.

updates

• Revert Coursier back to 2.12.24 (#​8902) by @​eed3si9n in #​8918

Full Changelog: sbt/sbt@v1.12.6...v1.12.7

v1.12.6: 1.12.6

Compare Source

updates

• deps: Update lm-coursier to 2.1.12 (Coursier 2.12.25-M24) by @​majk-p in #​8902
• feat: Retry on HTTP 5xx during dependency resolution by @​majk-p in coursier/sbt-coursier#601
• deps: Update log4j to 2.25.3 by @​eed3si9n in #​8872
• deps: Update semanticdbVersion in SemanticdbPlugin.scala by @​xuwei-k in #​8885

Full Changelog: sbt/sbt@v1.12.5...v1.12.6

v1.12.5: 1.12.5

Compare Source

updates

• bport: sbt runner should fail on JDK < 17 for sbt 2.x by @​eureka928 in #​8825
• bport: sbtn prints out the error if server fails to start by @​eureka928 in #​8816

🐛 bug fixes

• bport: Fixes double quotes handling in JVM argfile by @​BrianHotopp in #​8765
• bport: Fixes sbt runner comment handling in .sbtopts and .javaopts files by @​eed3si9n in #​8841
• bport: Fixes sbt runner's sbtn detection by @​fireXtract in #​8810

Full Changelog: sbt/sbt@v1.12.4...v1.12.5

v1.12.4: 1.12.4

Compare Source

• backport: Respect scalaOrganization in compiler bridge resolution by @​tanishiking in #​8799
• backport: Fixes .jvmopts parse error on Windows Git Bash by reverting "Handle JVM parameters with spaces in dot files" by @​eed3si9n in #​8798

Full Changelog: sbt/sbt@v1.12.3...v1.12.4

v1.12.3: 1.12.3

Compare Source

updates

• fix/bport: Restores Scala 2 reflect/compiler unification by @​calm329 in #​8707
• fix/bport: Print warning about scala-reflect not found by @​eed3si9n in #​8733
• fix/bport: Restore runner precedence over .sbtopts by @​it-education-md in #​8695
• fix/bport: Handle JVM parameters with spaces in dot files by @​Eruis2579 in #​8730
• fix/bport: Handle --script-version sbt 2.x project dirs by @​Eruis2579 in #​8715
• fix/bport: Handle --version in sbt 2.x project dirs by @​it-education-md in #​8735
• fix/bport: Require coreutils for RPM by @​eed3si9n in #​8712

Full Changelog: sbt/sbt@v1.12.2...v1.12.3

v1.12.2: 1.12.2

Compare Source

updates

• Bump to sbtn 1.12.1 by @​eed3si9n in #​8684
• Use JProcess for interactive forking, which improves terminal detection by @​eed3si9n in #​8678
• fix: Handle paths with parentheses in sbt.bat on Windows by @​Eruis2579 in #​8682 / #​8656

Full Changelog: sbt/sbt@v1.12.1...v1.12.2

v1.12.1: 1.12.1

Compare Source

bug fixes

• fix: Fixes sbt --client new combination by @​MkDev11 in #​8512
• fix: Fixes sbt new argument parsing on Windows by @​MkDev11 in #​8509
• fix: Fixes sbtopts files priority in sbt runner script by @​mohansinghi in #​8520
• fix: Fixes -X support on Windows batch runner by @​GlobalStar117 in #​8566
• fix: Fixes missing project directory on --addPluginSbtFile command by @​azdrojowa123 in #​8583
• fix: Invalidates update cache across commands when dependencies change by @​calm329 in #​8593
• fix: Fixes scala-reflect not found problem when Scala 3.8.1 is used transitively by @​eed3si9n in #​8633

behind the scenes

• ci: Upgrade launcher-package from sbt 0.13 to 1.x by @​MkDev11 in #​8493

Full Changelog: sbt/sbt@v1.12.0...v1.12.1

v1.12.0: 1.12.0

Compare Source

changes with compatibility implications

• dependencyTree displays internal config, which includes Provided by @​eed3si9n in #​8359
• Scaladoc now requires Compile / doc / compilers scoped to doc task

🚀 updates

• Adds Scala 3.8 REPL support by @​eed3si9n in #​8349
• Show warnings when scalaVersion is missing by @​eed3si9n in #​8432
• deps: Update to Scala 2.12.21 by @​xuwei-k in #​8407
• BSP: Returns build targets sources from buildTarget/dependencySources request by @​azdrojowa123 in #​8415
• Adds JDK_JAVA_OPTIONS support in the sbt runner by @​sideeffffect in #​8413
• Updates semanticdbVersion to 4.14.1 by @​xuwei-k in #​8342

🐛 bug fixes

• fix: Parses *.sbt files with -Xsource:3 by @​eed3si9n in #​8368
• fix: Manually construct the string "org.fusesource.jansi" to support sbt 0.13 on Windows by @​vasilmkd in sbt/launcher#139
• fix: Fixes Javadoc support on JDK 21 by @​adpi2 in sbt/zinc#1622

behind the scenes

• Allows scala3_library to be a JAR-less artifact for Scala 3.8 by @​hamzaremmal in #​8387
• Update Scala 2.13 used for util cross building to 2.13.18 by @​mkurz in #​8395
• deps: Zinc 1.12.0 by @​eed3si9n in #​8434
• ci: Update checkout references to 1.12.x by @​eed3si9n in #​8355
• ci: Bump coursier/cache-action from 6 to 7 by @​dependabot[bot] in #​8353
• ci: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​8384

new contributors

• @​danicheg made their first contribution in #​8346
• @​hamzaremmal made their first contribution in #​8387

Full Changelog: sbt/sbt@v1.11.7...v1.12.0

v1.11.7: 1.11.7

Compare Source

🚀 updates

• Adds --sun-misc-unsafe-memory-access=allow and --enable-native-access=ALL-UNNAMED flags to suppress JDK 25 warnings by @​eed3si9n in #​8304
• Backports JDK 25 JEP-512/JEP-445 Main run by @​eed3si9n in #​8303
• fix: Fixes runMain task for JEP-512/JEP-445 Main by @​xuwei-k in #​8316
• Adds ability to filter UpdateReport by configurations by @​mdedetrich in sbt/librarymanagement#547

🐛 bug fixes

• fix: Fixes sbt 0.13 launching by @​eed3si9n in sbt/launcher#136

🎬 behind the scenes

• ci: Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in #​8273
• deps: Updates sbt-giter8-resolver version by @​xuwei-k in #​8309
• test: Fixes fallback-dependencies-inter-project test by @​xuwei-k in #​8319
• test: Fixes run/daemon-exit test by @​xuwei-k in #​8320
• test: Update test dependencies by @​xuwei-k in #​8317

Full Changelog: sbt/sbt@v1.11.6...v1.11.7

v1.11.6: 1.11.6

Compare Source

🚀 sbt launcher 1.5.0

• Update launcher code base to to Scala 3.7.2 by @​eed3si9n in sbt/launcher#126
• refactor: Adds -Xsource:3 option by @​xuwei-k in sbt/launcher#117
• deps: Removes Apache Ivy dependency from launcher by @​eed3si9n in sbt/launcher#127

🐛 bug fixes

• fix: Fixes internal dependency classpath #​8249 by @​azdrojowa123 in #​8257
• fix: Fixes client-side run on JDK 8 by @​eed3si9n in #​8259

🎬 behind the scene

• ci: FIxes building sbtn locally for Aarch64 / arm64 by @​eed3si9n in #​8258
• ci: Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​8246

Full Changelog: sbt/sbt@v1.11.5...v1.11.6

v1.11.5: 1.11.5

Compare Source

changes with compatibility implications

• sbtn is built using ubuntu-22.04 image, which will require similar Linux version with glibc 2.32 and above.

🚀 features and other updates

• Adds Scala 3.8.0 support. See below
• Adds Scala Nightly repository resolver. See below
• Adds --jvm-client to the sbt runner script to launch JVM client. See below
• Central Repository publishing: Shows validation errors if present by @​unkarjedy in #​8191
• Central Repository publishing: Includes the root subproject name into the deployment by @​jeanmarc in #​8219
• Reduces sbtn outputs by @​eed3si9n in #​8234

Scala Nightly repository

Scala Team now publishes nightlies to a dedicated Artifactory instance. sbt 1.11.5 adds a new resolver for this:

resolvers += Resolver.scalaNightlyRepository

ThisBuild / scalaVersion := "3.8.0-RC1-bin-20250823-712d5bc-NIGHTLY"
Compile / scalacOptions += "-language:experimental.captureChecking"

This was contributed by @​hamzaremmal in sbt/librarymanagement#532

Scala 3.8.0 support

Scala 3.8.0 will in-source the Scala standard library (scala-library) instead of using one from Scala 2.13. sbt 1.11.5 relaxes the Coursier same-version enforcement to support Scala 3.8.0.

This was pair programmed by @​hamzaremmal + @​eed3si9n during Scala Days 2025 as #​8226

sbt --jvm-client

sbt 1.11.5 runner script adds new --jvm-client flag to launch the JVM version of the thin client. The implementation is the Scala code which sbtn is based on. This will be useful on platforms or CPU architectures that we do not build sbtn.

This was contributed by @​eed3si9n in #​8232

🎬 behind the scene

• ci: Uses sbt 1.11.4 by @​eed3si9n in #​8192
• ci: Adds clean.yml by @​eed3si9n in #​8227
• ci: Bump actions/setup-java from 4 to 5 by @​dependabot[bot] in #​8229
• ci: Split server-test by @​eed3si9n in #​8233
• deps: Bump to lm 1.11.5 by @​eed3si9n in #​8231

new contributors

• @​jeanmarc made their first contribution in #​8219
• @​hamzaremmal made their first contribution in #​8226

Full Changelog: sbt/sbt@v1.11.4...v1.11.5

v1.11.4: 1.11.4

Compare Source

Updates

• fix: Fixes sbt plugin cross building by @​eed3si9n in sbt/librarymanagement#528
• fix: Fixes sonaUploadRequestTimeout by scoping globally by @​eed3si9n in #​8190

Full Changelog: sbt/sbt@v1.11.3...v1.11.4

v1.11.3: 1.11.3

Compare Source

updates

• Adds sonaUploadRequestTimeout setting to configure the upload timeout when publishing to the Central Repo by @​guizmaii in #​8171
• fix: Adds support for pluginCrossBuild/sbtBinaryVersion "1.3", which is used by IntelliJ Scala plugin (fixes #​8166) by @​unkarjedy in #​8167
• fix: Fixes the import order to satisfy SemanticDB by @​inglor in #​8162

new contributors

• @​inglor made their first contribution in #​8162
• @​guizmaii made their first contribution in #​8171

Full Changelog: sbt/sbt@v1.11.2...v1.11.3

v1.11.2: 1.11.2

Compare Source

updates

• fix: Fixes intermittent NullPointerError in update task by reverting the use of WeakReferences by @​mrdziuban in coursier/sbt-coursier#564
• Adds Resolver.sonatypeCentralSnapshots, Resolver.sonatypeCentralRepo(...) and deprecates Resolver.sonatypeOssRepos(...), Opts.resolver.sonatypeOssReleases , Opts.resolver.sonatypeOssSnapshots, etc by @​eed3si9n in sbt/librarymanagement#517 / #​8156

Full Changelog: sbt/sbt@v1.11.1...v1.11.2

v1.11.1: 1.11.1

Compare Source

updates

• fix: Fixes memory leak in update task by @​mrdziuban in coursier/sbt-coursier#563
• fix: Default sbtPluginPublishLegacyMavenStyle to false by @​eed3si9n in #​8148
• fix: Adds sonaDeploymentName to excludeLintKeys by @​rtyley in #​8143

behind the scene

• ci: Use Central Portal for publishing by @​eed3si9n in #​8147

Full Changelog: sbt/sbt@v1.11.0...v1.11.1

v1.11.0: 1.11.0

Compare Source

Central Repository publishing

The Central Repository (aka Maven Central) has long been the pillar of the JVM ecosystem including Scala. The mechanism to publish libraries to the Central has been hosted by Sonatype as OSS Repository Hosting (OSSRH) via HTTP PUT, but in March it was announced that the endpoint will be sunset in June 2025 in favor of the Central Portal at https://central.sonatype.com/.

sbt 1.11.0 implements a built-in support to publish to Central Repository via the Central Portal. To publish to the Central Portal, first set ThisBuild / publishTo setting to the localStaging repository:

ThisBuild / publishTo := {
  val centralSnapshots = "https://central.sonatype.com/repository/maven-snapshots/"
  if (isSnapshot.value) Some("central-snapshots" at centralSnapshots)
  else localStaging.value
}

Add credentials to the host central.sonatype.com using the generated user token user name and password. sbt 1.11.0 will read from the environment variables SONATYPE_USERNAME and SONATYPE_PASSWORD and append a credential for central.sonatype.com out-of-box, which might be useful for automatic publishing from the CI environment, such as GitHub Actions.

- run: sbt ci-release
  env:
    PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
    PGP_SECRET: ${{ secrets.PGP_SECRET }}
    SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
    SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}

When you're ready to publish, call publishSigned task (available via sbt-pgp). At this point, the JARs and POM files will be staged to your local target/sona-staging directory.

Next, call sonaUpload to upload to the Central Portal and manually release the bundle, or call sonaRelease to upload and automatically release to the Central Repository.

This was contributed by @​eed3si9n in #​8126. The feature was inspired by sbt-sonatype workflow pioneered by Taro Saito, and sonatype-central-client spearheaded by David Doyle at Lumidion.

Other updates

• fix: Avoid printing "copying runtime jar" etc to stdout by @​eed3si9n in #​8081
• fix: Fix incremental test (testQuick) with companion objects by @​eed3si9n in #​8087

Full Changelog: sbt/sbt@v1.10.11...v1.11.0

v1.10.11: 1.10.11

Compare Source

updates

• Updates Coursier from 2.1.22 → 2.1.23 by @​eed3si9n in #​8069

🐛 bug fixes

• fix: Fixes compile task retrying itself on compiler crashes by @​eed3si9n in #​8070
• fix: sbt --client shutdown shortcuts if the server is not already running by @​eed3si9n in #​8057
• fix: Fixes sbt --client on Windows by @​eed3si9n in #​8071
• fix: Avoids creating target on sbt --version by @​eed3si9n in #​8066
• fix: Fixes slash syntax keys in Scala 2.13 evolution message by @​eed3si9n in #​8067

Full Changelog: sbt/sbt@v1.10.10...v1.10.11

v1.10.10: 1.10.10

Compare Source

🐛 bug fixes

• fix: Fixes compilation error causing the compilation to retry ten times by @​eed3si9n in #​8054

Full Changelog: sbt/sbt@v1.10.9...v1.10.10

v1.10.9: 1.10.9

Compare Source

🚀 features and other updates

• Adds allowUnsafeScalaLibUpgrade setting to opt-out of the Scala 2.13 compatibility check (SIP-51) by @​lrytz in #​8012
• BSP: Implement jvmBuildTarget for workspace/buildTargets by @​Friendseeker in #​7913
• Detects user-specific JDK installations on macOS by @​unkarjedy in #​8032
• Makes timing outputs consistently show hours and hint at time format by @​jsoref in #​8019
• Backports SHA-256, SHA-384, and SHA-512 checksum support to forked Apache Ivy by @​mkurz in sbt/ivy#49
• Client-side run capability in sbtn by @​eed3si9n in #​8040

🐛 bug fixes

• fix: Fixes local source dependency invalidation by @​rochala in sbt/zinc#1528
• fix: Clear Zinc Analysis Cache during Compile / clean, Test / clean by @​Friendseeker in #​7969
• fix: Fixes spurious upstream compilation when calling previousCompile by @​Friendseeker in #​7983
• fix: Fixes race condition in NetworkChannel by @​dwickern in #​8005
• fix: Fixes Chrome tracing file by @​eed3si9n in #​8020
• fix: Fixes incorrect sbt architecture logging in the runner script by @​mehdignu in #​8038
• fix: Fixes stdout freshness issue by @​eed3si9n in #​8048
• fix: sbt init by @​eed3si9n in #​8049

🎬 behind the scene

• refactor: Refactor response handler by @​eed3si9n in #​8035

new contributors

• @​mehdignu made their first contribution in #​8038

Full Changelog: sbt/sbt@v1.10.7...v1.10.9

v1.10.8: 1.10.8

Compare Source

sbt 1.10.8 is dead on arrival, please use 1.10.9 when it comes out.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.