There are new versions of sbt and Coursier with a fix for the security vulnerability CVE-2022-46751.
The vulnerability was originally found and fixed in Apache Ivy, but a similar issue was found in Coursier as well. The fix was backported to sbt’s Ivy fork and to Coursier by @adpi2 at the Scala Center. Any tooling that uses Coursier should upgrade to Coursier 2.1.6.