
sbt 1.8.3

Hi everyone. On behalf of the sbt project, I’m happy to announce the sbt 1.8.3 patch release, which fixes a security vulnerability. The full release notes are here: https://github.com/sbt/sbt/releases/tag/v1.8.3

See the 1.8.0 release notes for details on 1.8.x features.

Highlights

IO.withTemporaryFile fix

sbt 1.8.3 fixes sbt.io.IO.withTemporaryFile and related functions not limiting file access on Unix-like systems. Prior to this patch release, some functions used java.io.File.createTempFile, which does not set strict file permissions, unlike the NIO equivalent, which does.

This means that on a shared Unix-like system, use of sbt.io.IO.withTemporaryFile etc. by a build user or a plugin would have exposed the information to other users.
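The difference between the two JDK calls can be checked on your own machine with the following added example, which is not code from sbt or its IO module; the object name TempFilePermissions and the "sbt-demo" prefix are made up for the illustration.

```scala
import java.io.File
import java.nio.file.{FileSystems, Files, Path}
import java.nio.file.attribute.{PosixFilePermission, PosixFilePermissions}
import java.nio.file.attribute.PosixFilePermission._

// Hypothetical helper for this illustration only; not part of sbt.
object TempFilePermissions {
  // Permission bits that give anyone other than the owner access to the file.
  private val nonOwner: Set[PosixFilePermission] =
    Set(GROUP_READ, GROUP_WRITE, GROUP_EXECUTE, OTHERS_READ, OTHERS_WRITE, OTHERS_EXECUTE)

  /** Returns the non-owner permission bits set on `p` (empty means owner-only). */
  def exposedBits(p: Path): Set[PosixFilePermission] = {
    val it = Files.getPosixFilePermissions(p).iterator()
    var found = Set.empty[PosixFilePermission]
    while (it.hasNext) { val perm = it.next(); if (nonOwner(perm)) found += perm }
    found
  }

  // Prints the mode string and a verdict, then removes the temporary file.
  private def report(label: String, p: Path): Unit =
    try {
      val mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
      val verdict =
        if (exposedBits(p).isEmpty) "owner-only" else "accessible to other users"
      println(s"$label: $mode ($verdict)")
    } finally Files.deleteIfExists(p)

  def main(args: Array[String]): Unit =
    if (!FileSystems.getDefault.supportedFileAttributeViews().contains("posix"))
      println("No POSIX permission view on this file system; nothing to compare.")
    else {
      // Legacy API: the mode is subject to the process umask
      // (typically rw-r--r-- under a umask of 022).
      report("java.io.File.createTempFile", File.createTempFile("sbt-demo", ".tmp").toPath)
      // NIO API with no attributes: owner read/write only on POSIX systems.
      report("java.nio.file.Files.createTempFile", Files.createTempFile("sbt-demo", ".tmp"))
    }
}
```

The same exposedBits check can be pointed at temporary files produced by a build or plugin to confirm they are owner-only after upgrading.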

This issue was reported by Oleksandr Zolotko at IBM, and was fixed by Eugene Yokota (@eed3si9n) in io#344/zinc#1185.

How to upgrade

Download the official sbt runner + launcher using cs setup or SDKMAN, or from https://github.com/sbt/sbt/releases/.

In addition, the sbt version used for your build is upgraded by putting the following in project/build.properties:

sbt.version=1.8.3

This mechanism lets you use sbt 1.8.3 only for the builds that you want.

Other updates

sbt 1.8.3 backports Zinc and IO fixes from 1.9.0-RC2 as well.

Participation

Thanks to everyone who’s helped improve sbt and Zinc 1 by using them, reporting bugs, improving our documentation, porting builds, porting plugins, and submitting and reviewing pull requests.

For anyone interested in helping sbt, there are many avenues for you to help, depending on your interest. Contributing, “help wanted”, and “good first issue” are good starting points. If you have ideas, let us know on sbt Discussions.

Support to Scala Center

Scala Center is a non-profit center at EPFL to support education and open source.