Ref https://github.com/sbt/sbt/issues/6912
Problem
-------
There's apparently a security issue with OkHttp 3.x,
which I am not really sure how applicable it is to our usage
of OkHttp but it is there.
Solution
--------
Since most of OkHttp-specic usage within LM is for Apache Ivy
downloading, I am going to drop this.
Since `sbt.librarymanagement.Http.http` is a public API,
I am substituting this with Apache HTTP backed implementation.
Fixes https://github.com/sbt/sbt/issues/6578
Problem
-------
The regex currently expects two segments like2.x or 3.x,
but Scala 3 uses _3 as the cross suffix, and it's not caught.
Solution
--------
Change the regex.
Ref https://eed3si9n.com/enforcing-semver-with-sbt-strict-update
This adds EvictionError, a replacement for EvictionWarning.
The problem with the current eviction warning is that it has too many
false positives. Using the versionScheme information that could be
supplied by the library authors and/or the build users, this eliminates
the guessing work. At which point, we can fail the resolution.
Fixes https://github.com/sbt/sbt/issues/6210
scodec-bits is published with pvp versionScheme (nice), this means that
we should just evaluate the version portion for pvp-ness, but I was
using `guessSecondSegment` that checks for Scala suffix. That's mistake
1.
`guessSecondSegment` assumes that the Scala suffix uses the given
ScalaModuleInfo, but with 2.13-3 sandwich we can't assume this.
In the reported case, Scala module is 3.0.0-M3 but scodec-bits uses
2.13. So that's mistake 2.
This attempts to correct both the mistakes.
1. Instead of `guessSecondSegment`, this adds a simpler `evalPvp`
function.
2. `guessSecondSegment` just looks for `_2.` or `_3` and ignores the
Scala module.
Fixes#274
In #249 parallel download switched to using its own thread pool.
It could potentially lead to unbounded download if nobody throttled.
This works around the issue by fixing the number of thread to 6, which is a common per-host max connection count.
Rather than
[warn] There may be incompatibilities among your library dependencies.
[warn] Run 'evicted' to see detailed eviction warnings
[info] Done updating.
[warn] There may be incompatibilities among your library dependencies.
[warn] Run 'evicted' to see detailed eviction warnings
[info] Done updating.
[warn] There may be incompatibilities among your library dependencies.
[warn] Run 'evicted' to see detailed eviction warnings
[info] Done updating.
[warn] There may be incompatibilities among your library dependencies.
[warn] Run 'evicted' to see detailed eviction warnings
I would get:
[warn] There may be incompatibilities among your library dependencies; run 'evicted' to see detailed eviction warnings
[info] Done updating.
[warn] There may be incompatibilities among your library dependencies; run 'evicted' to see detailed eviction warnings
[info] Done updating.
[warn] There may be incompatibilities among your library dependencies; run 'evicted' to see detailed eviction warnings
[info] Done updating.
[warn] There may be incompatibilities among your library dependencies; run 'evicted' to see detailed eviction warnings
which is a touch better. (IMO!)
Eugene Yokota
xuwei-k
Ubaldo Pescatore
Peter Janssen
Adrien Piquerez
Guillaume Massé
João Ferreira
izharahmd
Maksim Ochenashko
Vincent PERICART
Steve Waldman
Arnout Engelen
0lejk4
bigwheel
Dale Wijnand
Philippus Baalman