@renovate renovate bot commented Oct 7, 2025

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| coverage | >=7.10,<7.11 -> >=7.11,<7.12 | project.optional-dependencies | minor |
| python | 3.13 -> 3.14 | uses-with | minor |
| python | 3.13 -> 3.14 | final | minor |
| sarif-pydantic | ~=0.5.1 -> ~=0.6.1 | project.dependencies | minor |
| semgrep | >=1.134,<1.135 -> >=1.140,<1.141 | project.optional-dependencies | minor |

Release Notes

nedbat/coveragepy (coverage)

v7.11.0

  • Dropped support for Python 3.9, declared support for Python 3.15 alpha.

actions/python-versions (python)

v3.14.0: 3.14.0

Python 3.14.0

returntocorp/semgrep (semgrep)

v1.140.0

Added
  • scala: Allow partial case patterns such as case 1 => ... to easily match
    individual case clauses within a match-expression. (code-9118)
  • Added python 3.14 support. (gh-11250)
  • MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)
Fixed
  • Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
  • Display an error instead of a malformed success message
    when the show subcommand fails due to an invalid CLI token. (grow-630)
  • new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
  • Fixed an issue where temporary files, containing rules to be validated,
    persisted after a semgrep scan. (saf-2257)
  • MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
  • MCP: Fixed a bug where resource closure errors would occur when trying to use
    the MCP with the streamable-http transport method. (saf-2264)

v1.139.0

Added
  • --pro-intrafile scans will now add built-in taint propagators, like --pro does,
    hence producing extra findings. For example, in Java, list.add(taint) will now
    make list tainted even if the rule does not explicitly request that. Scan times
    should not be generally affected in a significant way. (code-9103)
  • Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
  • Associate Containerfiles with the dockerfile language (gh-11091)
Changed
  • Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#4346, #4269, #4379) (gh-4379)
  • MCP: Removed the config parameter from the semgrep_scan tools, to prevent
    agents from inserting unwanted config files to scan with. (saf-2258)
Fixed
  • scala: Fixed matching of { case ... => ... } patterns. (code-9111)
  • Fixed a bug preventing metavariable-comparisons with more than two subsequent "and" or "or" conditions from producing findings. For example, the condition $X > 1 or $Y > 1 or $Z > 1 would previously always evaluate to false. Now, it will behave as expected. (gh-11209)
  • MCP: Fixed an issue where the semgrep_scan tool, when invoking the RPC-based
    scanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
  • MCP: The semgrep_findings tool now gives a suitable error message when erring due
    to insufficient permissions on standard semgrep login tokens. (saf-2254)
  • MCP: Fixed a bug where if the user is already logged in when running the setup flow,
    the Semgrep Pro Engine installation step would be ignored. (saf-2259)

v1.138.0

Added
  • pro: scala: Method dispatching through traits (code-9092)
Changed
  • Pro: additionally improved prefiltering for taint rules, especially when using
    taint labels. This allows for the generation of more specific conditions than
    the previously released version (v1.133.0). (code-9097)
Fixed
  • pro: python: Fix resolution of implicit namespace modules (code-9008)
  • We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs
    passed to -f/-c/--config during config/rules fetching. (gh-11016)
  • Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...}
    no longer fails to parse. (saf-2159)
  • pro: improved performance of tsconfig.json matching for Typescript projects
    that contain multiple tsconfig.jsons. (saf-2163)
  • Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Added
  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
    used to live at https://github.com/semgrep/mcp. That repository will be deprecated
    as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
  • Update semgrep-interfaces to only accept valid language keys for editor (PR-4600)
  • The minimum Python version for Semgrep is now 3.10. We are dropping support for Python 3.9.
Fixed
  • Fix incorrect interpretation of \# and \ in glob patterns found in
    Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-*
    packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

No significant changes.

v1.135.0

No significant changes.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 2f5efe7 to 495bbf2 Compare October 14, 2025 22:48
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 516669a to ad148d8 Compare October 16, 2025 11:35
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from ad148d8 to c653155 Compare October 17, 2025 05:37
renovate bot commented Oct 21, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@clavedeluna clavedeluna merged commit 9aef0cc into main Oct 21, 2025
13 checks passed
@clavedeluna clavedeluna deleted the renovate/all-minor-patch branch October 21, 2025 21:14