∃ugene -Yokota 🥙

🔐 released sbt 1.12.7, featuring a security fix for CVE-2026-32948, Source dependency feature (via crafted VCS URL) leading to arbitrary code execution on Windows

this was discovered and fixed by Anatolii "Toli" Kmetiuk at Scala Center, who is also a new sbt committer
https://eed3si9n.com/sbt-1.12.7 #Scala

Mar 24 at 1:09amElk (canary)
Show thread∃ugene -Yokota 🥙19h ago
released sbt 1.12.8, featuring a fix to the source dependency fix
https://eed3si9n.com/sbt-1.12.8 #Scala