sbt 1.12.14 and 2.0.3
The headline features of sbt 1.12.14 and 2.0.3 are:
- Backport of CVE-2026-26032 fix for Ivy (while sbt might not be affected)
- Update to Jawn 1.7.0 for CVE-2026-59990 and CVE-2026-61814 fixes
See also sbt 2.0 change summary for the details.
Hi everyone. On behalf of the sbt project, I am happy to announce sbt 1.12.14 and sbt 2.0.3.
sbt 2.0 is a new major series of sbt, based on Scala 3 constructs and Bazel-compatible cache system. sbt 2.x is released under Semantic Versioning, and the plugins are expected to work throughout the 2.x series. Please try it out, and report any issues you might come across.
How to upgrade
The sbt version used for your build is upgraded by putting the following in project/build.properties:
sbt.version=2.0.3
This mechanism allows that sbt 2.0.3 (or 1.12.14) is used only for the builds that you want.
Download the official sbt runner from SDKMAN, or download from https://github.com/sbt/sbt/releases/tag/v2.0.3 to upgrade the sbt shell script, sbtn, and the launcher.
🐛 Bug fixes
- fix: Fixes packager cache by @raboof in ivy#57
- deps: sjson-new 0.15.1, which transitively updates Jawn by @eed3si9n in #9458
- fix: Fixes JVM option capability in the launcher config by @anatoliykmetyuk in #9452
Participation
Thanks to everyone who’s helped improve sbt and Zinc by using them, reporting bugs, improving our documentation, porting builds, porting plugins, and submitting and reviewing pull requests.
For anyone interested in helping sbt, there are many avenues for you to help, depending on your interest. If you’re interested, Contributing, “help wanted”, “good first issue”, and Discussions are good starting points.
FYI - Scala Days talk
I gave a talk in Scala Days 2025 about sbt 2.0 (recording, slide deck).
Donate to Scala Center
Scala Center is a non-profit center at EPFL to support education and open source.