{"id":37021586,"url":"https://github.com/scalacenter/sbt-eviction-rules","last_synced_at":"2026-01-14T02:33:31.145Z","repository":{"id":44814598,"uuid":"269367089","full_name":"scalacenter/sbt-eviction-rules","owner":"scalacenter","description":"An sbt plugin enhancing the evicted key.","archived":true,"fork":false,"pushed_at":"2022-10-21T23:32:51.000Z","size":54,"stargazers_count":19,"open_issues_count":2,"forks_count":5,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-07-30T18:03:46.755Z","etag":null,"topics":["dependency-management","sbt","scala"],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scalacenter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-06-04T13:28:22.000Z","updated_at":"2023-11-07T12:54:48.000Z","dependencies_parsed_at":"2022-08-27T10:50:30.511Z","dependency_job_id":null,"html_url":"https://github.com/scalacenter/sbt-eviction-rules","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/scalacenter/sbt-eviction-rules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scalacenter%2Fsbt-eviction-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scalacenter%2Fsbt-eviction-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scalacenter%2Fsbt-eviction-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scalacenter%2Fsbt-eviction-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scala
center","download_url":"https://codeload.github.com/scalacenter/sbt-eviction-rules/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scalacenter%2Fsbt-eviction-rules/sbom","scorecard":{"id":803208,"data":{"date":"2025-08-11","repo":{"name":"github.com/scalacenter/sbt-eviction-rules","commit":"0ba851b6d120902516449010d30ae461a9bcd672"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.3,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":3,"reason":"Found 5/13 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/scalacenter/sbt-eviction-rules/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using 
https://app.stepsecurity.io/secureworkflow/scalacenter/sbt-eviction-rules/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/scalacenter/sbt-eviction-rules/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/scalacenter/sbt-eviction-rules/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/scalacenter/sbt-eviction-rules/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/scalacenter/sbt-eviction-rules/ci.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   4 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if 
the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/scalacenter/.github/SECURITY.md:1","Info: Found linked content: github.com/scalacenter/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/scalacenter/.github/SECURITY.md:1","Info: Found text in security policy: github.com/scalacenter/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 26 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T11:04:34.682Z","repository_id":44814598,"created_at":"2025-08-23T11:04:34.682Z","updated_at":"2025-08-23T11:04:34.682Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency-management","sbt","scala"],"created_at":"2026-01-14T02:33:29.433Z","updated_at":"2026-01-14T02:33:31.137Z","avatar_url":"https://github.com/scalacenter.png","language":"Scala","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003e Note: this project is in maintenance mode because [sbt 1.5.0](https://github.com/sbt/sbt/milestone/68?closed=1)\n\u003e provides equivalent features. See [sbt/sbt#6221](https://github.com/sbt/sbt/pull/6221)\n\u003e for more details.\n\u003e \n\u003e You can still use the version 1.0.0-RC1 of this plugin in case you\n\u003e are stuck with an old version of sbt.\n\n# sbt-eviction-rules\n\nAn sbt plugin enhancing the `evicted` task.\n\nThis plugin:\n\n1. makes the output of `evicted` slightly more readable\n2. allows you to easily run eviction checks on your CI\n3. 
allows you to more easily configure evictions that can be ignored\n   (to avoid false positive warnings).\n\nNote: sbt has been gradually providing these features. As of sbt\n1.5.0, all of the features of this plugin are now supported by sbt\nout of the box. Nevertheless, this plugin can be useful if you are\nstuck with an old version of sbt.\n\n## Installation\n\nAdd to `project/plugins.sbt`:\n```scala\naddSbtPlugin(\"ch.epfl.scala\" % \"sbt-eviction-rules\" % \"1.0.0-RC1\")\n```\nThe latest version is [![Maven Central](https://img.shields.io/maven-central/v/ch.epfl.scala/sbt-eviction-rules-dummy_2.12.svg)](https://maven-badges.herokuapp.com/maven-central/ch.epfl.scala/sbt-eviction-rules-dummy_2.12).\n\n## Usage\n\nThe plugin provides the following tasks.\n\n### `evictionWarnings`\n\nUnlike the default `evicted` task, the `evictionWarnings` task reports only problematic\nevictions (ie, libraries that have been evicted by binary incompatible versions):\n\n```\n\u003e evictionWarnings\n[warn] Found eviction warnings in b:\n[warn] Found version conflict(s) in library dependencies; some are suspected to be binary incompatible:\n[warn]\n[warn] \t* org.scala-lang.modules:scala-xml_2.12:1.2.0 is selected over {1.0.6, 1.0.6}\n[warn] \t    +- eu.timepit:refined_2.12:0.9.12                     (depends on 1.2.0)\n[warn] ct    +- org.scala-lang:scala-compiler:2.12.11              (depends on 1.0.6)\n[warn] Found eviction warnings in a:\n[warn] Found version conflict(s) in library dependencies; some are suspected to be binary incompatible:\n[warn]\n[warn] \t* org.scala-lang.modules:scala-xml_2.12:1.2.0 is selected over {1.0.6, 1.0.6}\n[warn] \t    +- eu.timepit:refined_2.12:0.9.12                     (depends on 1.2.0)\n[warn] \t    +- org.scala-lang:scala-compiler:2.12.11              (depends on 1.0.6)\n[success] Total time: 1 s, completed jun 4 2020 16:05:22\n```\n\n### `evictionCheck`\n\nThis task turns the eviction warnings into errors. 
It succeeds only if\nthere are no eviction warnings in your build.\n\nYou typically want to invoke this task in your CI, to make sure that no\npull requests introduce eviction warnings.\n\n### `evicted`\n\nThe built-in `evicted` task is overridden to provide a more readable output.\nIt prints which of your projects each printed eviction comes from:\n\n```\n\u003e evicted\n[warn] Found eviction warnings in b:\n[warn] Found version conflict(s) in library dependencies; some are suspected to be binary incompatible:\n[warn]\n[warn] \t* org.scala-lang.modules:scala-xml_2.12:1.2.0 is selected over {1.0.6, 1.0.6}\n[warn] \t    +- eu.timepit:refined_2.12:0.9.12                     (depends on 1.2.0)\n[warn] ct    +- org.scala-lang:scala-compiler:2.12.11              (depends on 1.0.6)\n[warn] Found eviction warnings in a:\n[warn] Found version conflict(s) in library dependencies; some are suspected to be binary incompatible:\n[warn]\n[warn] \t* org.scala-lang.modules:scala-xml_2.12:1.2.0 is selected over {1.0.6, 1.0.6}\n[warn] \t    +- eu.timepit:refined_2.12:0.9.12                     (depends on 1.2.0)\n[warn] \t    +- org.scala-lang:scala-compiler:2.12.11              (depends on 1.0.6)\n[info] Found non problematic eviction(s) in c:\n[info] Here are other dependency conflicts that were resolved:\n[info]\n[info] \t* org.scala-lang.modules:scala-xml_2.12:1.2.0 is selected over {1.0.6, 1.0.6}\n[info] \t    +- eu.timepit:refined_2.12:0.9.12                     (depends on 1.2.0)\n[info] \t    +- org.scala-lang:scala-compiler:2.12.11              (depends on 1.0.6)\n[success] Total time: 1 s, completed jun 4 2020 15:54:04\n```\n\n## Configuration\n\nThe [recommended versioning scheme] in the Scala ecosystem is a (stricter) variant\nof Semantic Versioning, but not all libraries follow this versioning scheme.\n\nYou can configure which versioning scheme is used by which library by using the\n`evictionRules` setting:\n\n```scala\nevictionRules += \"org.scala-lang.modules\" %% 
\"scala-xml\" % \"semver-spec\"\n```\n\nThis specifies that `\"org.scala-lang.modules\" %% \"scala-xml\"` follows\nsemantic versioning, so that it's fine if version `1.2.0` is selected\nwhere `1.0.6` is expected (ie, no evictions will be reported).\n\nThe following compatibility types are available:\n- `early-semver`: assumes the matched modules follow a variant of [Semantic Versioning](https://semver.org)\n  that guarantees backward binary compatibility between minor releases (e.g., 1.1.1 and 1.2.0),\n  and between patch releases if the major version number is 0 (e.g., 0.7.2 and 0.7.3).\n- `semver-spec`: assumes the matched modules follow [Semantic Versioning](https://semver.org),\n  which guarantees backward binary compatibility between minor releases (e.g., 1.1.1 and 1.2.0),\n  but does not guarantee any compatibility between patch releases if the major version number\n  is 0 (e.g., 0.7.2 and 0.7.3).\n- `pvp`: assumes the matched modules follow [package versioning policy](https://pvp.haskell.org) (quite common in Scala),\n- `always`: assumes all versions of the matched modules are compatible with each other,\n- `strict`: requires exact matches between the wanted and the selected versions of the matched modules.\n\n\u003e Note that starting with sbt 1.4.x, libraries can embed the versioning\n\u003e scheme they use in their artifacts metadata, making the `evictionRules`\n\u003e setting unnecessary. 
This setting is still useful during the transition\n\u003e period.\n\n### Module patterns\n\n`evictionRules` accepts `*` as organization or module name, or as parts of them, to match several modules at once:\n\n```scala\nevictionRules += \"io.get-coursier\" %% \"*\" % \"pvp\"\nevictionRules += \"org.typelevel\" %% \"cats-*\" % \"semver-spec\"\n```\n\n## About the default eviction rules in sbt\n\nBy default, sbt assumes that\n- scala dependencies follow the [package versioning policy](https://pvp.haskell.org),\n- other dependencies follow [semantic versioning](https://semver.org).\n\nIf any eviction brings an incompatible version per those defaults, sbt warns about it in `update`\nand gives more details in `evicted`.\n\nsbt-eviction-rules then allows you to remove false warnings if you know that a library follows\nanother versioning scheme than PVP.\n\nNote that there can be slight discrepancies between the checks\nperformed by `evictionRules` and those performed by default by sbt:\nthe checks done by `evictionRules` are handled by the\n[coursier versions library](https://github.com/coursier/versions), while those\nof sbt are handled by the [`sbt/librarymanagement` library](https://github.com/sbt/librarymanagement).\n\n## Acknowledgments\n\n\u003cimg src=\"https://scala.epfl.ch/resources/img/scala-center-swirl.png\" width=\"40px\" /\u003e\n\n*sbt-eviction-rules* is funded by the [Scala Center](https://scala.epfl.ch).\n\n[recommended versioning scheme]: https://docs.scala-lang.org/overviews/core/binary-compatibility-for-library-authors.html#recommended-versioning-scheme\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscalacenter%2Fsbt-eviction-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscalacenter%2Fsbt-eviction-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscalacenter%2Fsbt-eviction-rules/lists"}