
Conversation


@renovate renovate bot commented Oct 3, 2025

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app to mend[bot].

This notice will be removed on 2025-10-07.


This PR contains the following updates:

Package | Change
------- | ------
semgrep | >=1.134,<1.135 -> >=1.139,<1.140

Release Notes

returntocorp/semgrep (semgrep)

v1.139.0

Added
  • --pro-intrafile scans will now add built-in taint propagators, like --pro does,
    hence producing extra findings. For example, in Java, list.add(taint) will now
    make list tainted even if the rule does not explicitly request that. Scan times
    should not be generally affected in a significant way. (code-9103)
  • Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
  • Associate Containerfiles with the dockerfile language (gh-11091)
Changed
  • Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#4346, #4269, #4379) (gh-4379)
  • MCP: Removed the config parameter from the semgrep_scan tools, to prevent
    agents from inserting unwanted config files to scan with. (saf-2258)
Fixed
  • scala: Fixed matching of { case ... => ... } patterns. (code-9111)
  • Fixed a bug preventing metavariable-comparisons with more than two subsequent "and" or "or" conditions from producing findings. For example, the condition $X > 1 or $Y > 1 or $Z > 1 would previously always evaluate to false. Now, it will behave as expected. (gh-11209)
  • MCP: Fixed an issue where the semgrep_scan tool, when invoking the RPC-based
    scanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
  • MCP: The semgrep_findings tool now gives a suitable error message when erring due
    to insufficient permissions on standard semgrep login tokens. (saf-2254)
  • MCP: Fixed a bug where if the user is already logged in when running the setup flow,
    the Semgrep Pro Engine installation step would be ignored. (saf-2259)

v1.138.0

Added
  • pro: scala: Method dispatching through traits (code-9092)
Changed
  • Pro: additionally improved prefiltering for taint rules, especially when using
    taint labels. This allows for the generation of more specific conditions than
    the previously released version (v1.133.0). (code-9097)
Fixed
  • pro: python: Fix resolution of implicit namespace modules (code-9008)
  • We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs
    passed to -f/-c/--config during config/rules fetching. (gh-11016)
  • Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...}
    no longer fails to parse. (saf-2159)
  • pro: improved performance of tsconfig.json matching for Typescript projects
    that contain multiple tsconfig.jsons. (saf-2163)
  • Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Added
  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
    used to live at https://github.com/semgrep/mcp. That repository will be deprecated
    as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
  • Update semgrep-interfaces to only accept valid language keys for editor (PR-4600)
  • The minimum Python version for Semgrep is now 3.10. We are dropping support for Python 3.9.
Fixed
  • Fix incorrect interpretation of \# and \ in glob patterns found in
    Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-*
    packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

No significant changes.

v1.135.0

No significant changes.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
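The gh-11209 entry in the v1.139.0 notes is the one a rule author upgrading across this range is most likely to feel. The following rule is an added example, not code from the PR or from the semgrep changelog: it chains three `or` terms in a `metavariable-comparison` exactly as the note describes, and the target file in the trailing comments is constructed for this illustration.

```yaml
# Added example rule (not from the PR or the semgrep changelog). It exercises
# the gh-11209 fix: a metavariable-comparison with more than two `or` terms.
rules:
  - id: chained-or-comparison-example
    languages: [python]
    severity: WARNING
    message: "check() called with at least one argument greater than 1"
    patterns:
      - pattern: check($X, $Y, $Z)
      - metavariable-comparison:
          comparison: $X > 1 or $Y > 1 or $Z > 1

# Constructed target file (target.py) to scan with this rule:
#
#   check(0, 0, 5)   # expected: one finding (the third term is true)
#   check(1, 1, 1)   # expected: no finding (every term is false)
#
# Run: semgrep --config rule.yaml target.py
# On versions affected by the bug the changelog describes, the whole
# comparison evaluated to false, so even the first call produced no finding.
```

A quick way to confirm the upgrade took effect is to keep such a fixture in the repository's rule tests: if the first call stops being reported after a future bump, the regression is caught before it hides real findings.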

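The SEMGREP_APP_TOKEN entry in v1.138.0 (gh-11016) is an instance of a general rule: a credential read from the environment must only travel to the service that issued it, never to an arbitrary URL a user passes on the command line. The check below is an added illustration of that principle in Python, not semgrep's own code; `TOKEN_ALLOWED_HOSTS`, `should_attach_token` and `build_headers` are assumptions made for this example, and the allowed host set is constructed rather than taken from any Semgrep documentation. It goes slightly beyond the changelog entry by also rejecting cleartext HTTP and the usual host-confusion tricks (suffix look-alikes and userinfo in the URL).

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: hosts that may receive the app token.
# The real set of Semgrep service hosts is not given on this page.
TOKEN_ALLOWED_HOSTS = frozenset({"semgrep.dev"})


def should_attach_token(url: str, allowed_hosts=TOKEN_ALLOWED_HOSTS) -> bool:
    """Return True only when `url` points at an allowed host over HTTPS.

    Host matching is exact or by dot-separated suffix, so "app.semgrep.dev"
    qualifies but "semgrep.dev.example.com" does not. urlsplit().hostname
    strips userinfo and the port, so "https://semgrep.dev@example.com/" is
    seen as example.com and rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # never send a bearer token in cleartext
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def build_headers(url: str, token: Optional[str]) -> dict:
    """Build request headers for fetching a config from `url`.

    The token is attached only when should_attach_token() approves the
    destination; a rule file hosted anywhere else is fetched anonymously.
    """
    headers = {"User-Agent": "example-config-fetcher/1.0"}
    if token and should_attach_token(url):
        headers["Authorization"] = f"Bearer {token}"
    return headers


if __name__ == "__main__":
    # Constructed sample: one token, several candidate -f/-c/--config URLs.
    sample_token = "EXAMPLE-TOKEN-NOT-REAL"
    for u in (
        "https://semgrep.dev/p/default",
        "https://app.semgrep.dev/api/registry",
        "https://example.com/rules.yaml",
        "https://semgrep.dev.example.com/rules.yaml",
        "https://semgrep.dev@example.com/rules.yaml",
        "http://semgrep.dev/p/default",
    ):
        print(u, "->", "Authorization" in build_headers(u, sample_token))
```

The same shape applies to any tool that accepts remote config locations: compute the destination host from the parsed URL, not from a substring match on the string the user typed, and attach the credential only after that check passes.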
sonarqubecloud bot commented Oct 3, 2025

renovate bot commented Oct 3, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (>=1.139,<1.140). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/all-minor-patch branch October 3, 2025 12:01