Git source dependency (ProjectRef) broken in sbt 1.12.7 #8973
Description
steps
- Create a project that uses a git source dependency via ProjectRef:

// build.sbt
scalaVersion := "3.6.2"
lazy val dep = ProjectRef(uri("ssh://[email protected]/some-org/some-repo.git#v1.0.0"), "root")
lazy val root = (project in file(".")).dependsOn(dep)

// project/build.properties
sbt.version=1.12.7

- Run sbt update
Any git-based ProjectRef with a tag or branch fragment (#v1.0.0) will trigger this issue.
problem
git clone succeeds, but the subsequent git checkout -q <tag> fails because it runs outside the cloned directory.
Actual error output from our CI (repository name redacted):
Cloning into '/home/sbtuser/.sbt/1.0/staging/750dccf980aff67ca3ab/<redacted>'...
fatal: not a git repository (or any of the parent directories): .git
java.lang.RuntimeException: Nonzero exit code (128): git checkout -q <tag>
at scala.sys.package$.error(package.scala:30)
at sbt.Resolvers$.run(Resolvers.scala:154)
at sbt.Resolvers$.run(Resolvers.scala:141)
at sbt.Resolvers$.$anonfun$git$3(Resolvers.scala:96)
at sbt.Resolvers$.creates(Resolvers.scala:160)
at sbt.Resolvers$.$anonfun$git$2(Resolvers.scala:94)
- sbt 1.12.6: passes (same codebase, same CI environment)
- sbt 1.12.7: fails (reproducible on every run, including re-runs)
The only change between the passing and failing builds is sbt.version in project/build.properties.
expectation
git checkout should run inside the cloned repository directory, and sbt update should succeed as it did in 1.12.6.
notes
The regression was introduced in commit 1ce945b (CVE-2026-32948 fix).
In the refactoring of Resolvers.scala, the 2-argument run method discards its cwd parameter:
// v1.12.7 - line 141
def run(cwd: Option[File], command: String*): Unit =
  run(None, None, command: _*) // Bug: should be run(cwd, None, command: _*)

The first None should be cwd. This causes git checkout (and hg checkout) to execute in the JVM's working directory instead of the cloned repository, resulting in fatal: not a git repository.
The fix is a one-line change:
- run(None, None, command: _*)
+ run(cwd, None, command: _*)
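
Review bot: there is no regression test accompanying the `run(cwd, None, command: _*)` line, so nothing stops the 2-argument `run` from dropping `cwd` again in a later refactor of Resolvers.scala. Since the report says both git checkout and hg checkout go through this overload, add a test that calls it with a directory and asserts the command executed in that directory rather than in the JVM's working directory.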