@alma-renovate-bot alma-renovate-bot bot commented Jun 7, 2025

This PR contains the following updates:

Package               Type        Update  Change                  Pending
returntocorp/semgrep  repository  minor   v1.103.0 -> v1.149.0    v1.150.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

returntocorp/semgrep (returntocorp/semgrep)

v1.149.0

Compare Source

1.149.0 - 2026-01-21

Added
  • Added a warning in --debug mode when a user runs a parallel scan with a larger
    value for -j/--jobs than the number of CPUs we detect the host has made
    available to Semgrep. Additionally, a suggested starting value for -j/--jobs
    is reported to give the user a place to start tuning their scan. (saf-2474)
  • Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)
Changed
  • The MCP server no longer supports SSE transport. (saf-2462)
Fixed
  • pro: Improved virtual method resolution in Java (code-9210)
  • pro: Improved virtual method resolution in Scala (code-9212)
  • Improve performance of scan planning, a part of the Python CLI, by reducing
    the cost of re-hashing Target objects. Performance should improve on
    large repo scans proportionally to the number of files in the repo. (gh-5407)
  • semgrep ci no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

v1.148.0

Compare Source

1.148.0 - 2026-01-14

Added
  • Performance: subproject discovery in Supply Chain scans is no longer
    significantly slowed down by the presence of Git-untracked files
    resulting in faster diff scans in such cases. (sc-subproject-speedup)
Fixed
  • pro: Improved virtual method resolution in Java (code-9174)
  • pro: Improved handling of parse errors during inter-file analysis. Now, these
    errors should be adequately reported back to users and in the JSON output. (code-9216)
  • Dataflow now accounts for Python for/else and while/else loops. (gh-8405)
  • Fix rare "bad file descriptor" when performing Git operations on Windows (saf-2358)

v1.147.0

Compare Source

1.147.0 - 2026-01-07

Added
  • Gradle lockfiles of the form gradle*.lockfile are now supported. Previously, only lockfiles named exactly gradle.lockfile were supported. (SC-2999)
  • semgrep login now supports a --force flag, which ignores existing tokens and starts a new login session. The MCP setup workflow has been updated to use --force too. (saf-2392)
Fixed
  • Deduplication should now pick the exact same findings across scans. Previously,
    findings were always equivalent, but not guaranteed to be exactly the same
    (e.g. metavariable bindings could differ). Depending on the rule and target code,
    this could cause findings' fingerprints to change from one scan to another, thus
    leading to finding flakiness and "cycling" in Semgrep App. Note that when
    upgrading to this Semgrep version, you may see different (but equivalent) findings
    wrt your current Semgrep version in the first scan, one more time. However, in
    subsequent scans/upgrades, this problem should go away or at least be greatly
    reduced. (saf-2304)

v1.146.0

Compare Source

1.146.0 - 2025-12-17

Added
  • Added support for Cursor post-code-generation hooks via new record-file-edit and stop-cli-scan semgrep mcp flags (cursor-hooks)
  • Added skipped_paths field to CI scan results to report files that failed to scan due to errors (timeout, OOM, etc.), preventing the app from incorrectly marking findings in those files as fixed (gh-5122)
  • Symbol analysis, if enabled, now runs for Supply Chain only scans when calling semgrep ci. (sc-2927)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.22 to 3.23 (docker-version)
  • bumped the mcp python-sdk from 1.16.0 to 1.23.3 (mcp-version)
  • pro: [experimental] enabling and disabling transitive reachability
    analysis in semgrep ci regardless of app settings is now possible with
    --x-enable-transitive-reachability (or --x-tr)
    and --x-disable-transitive-reachability. (tr-flags)
Fixed
  • The PHP AST now distinguishes between if statements with no else clause and those with an explicit but empty else {}. (gh-11330)
  • git-lfs objects are now excluded from baseline scans, as they are usually binary files, or simply too large to scan. (saf-2020)
  • Fix an OCaml stdlib bug that would cause nondeterministic UnixErrors on Windows under the multicore runtime due to a race condition in the socketpair implementation (saf-2316)
  • Fixed an issue that in rare cases could lead timeouts to be mishandled. This typically manifested only through slightly different warning messages, but it is possible that more serious consequences could have occasionally resulted. (saf-2368)
  • Fixed symbol analysis incorrectly analyzing all files instead of only the relevant language files per ecosystem. (sc-3020)

v1.145.0

Compare Source

1.145.0 - 2025-12-04

Added
  • Added optional user-prompting for classifying findings as true/false positives via MCP Elicitation in the MCP server (behind SEMGREP_FINDINGS_ELICITATION_ENABLED, off by default). (elicitation)
  • Added hook to inject secure-by-default library recommendations into Claude Code Agent context. (secure-defaults-hook)
Changed
  • Symbol analysis upload now runs before scan completion to ensure it is available during initial scan postprocessing. (sc-2933)
Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
  • The correct range for let ... in expressions in OCaml is now reported. Previously, the location of the let was omitted. This is mainly relevant for autofix. (ocaml-let)
  • Debug log lines concerning telemetry collection that are only relevant inside
    Semgrep's managed scanning environment are not emitted if a scan runs outside
    that environment. (saf-2321)
  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted (saf-default-jobs)

v1.144.0

Compare Source

1.144.0 - 2025-11-19

Fixed
  • pro: interfile scans no longer default to -j 1; instead, the number of
    available CPUs on the system is polled as part of a heuristic to determine how
    many threads should be spawned. (gh-4952)
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

v1.143.0

Compare Source

1.143.0 - 2025-11-12

Added
  • Dataflow will now understand empty block expressions as having unit value in
    more instances. (code-9141)
  • Parallel scans will now use shared-memory parallelism using multicore OCaml
    domains, rather than the legacy fork-join approach. Users can opt into the
    legacy method with the --x-parmap CLI flag, and this deprecates the --x-eio
    flag (since it is now the default behaviour). (saf-2271)
  • Add -k/ --hook flag to enable Semgrep scans via Claude Code Agent post-tool hooks (saf-2279)
Fixed
  • When running semgrep scan or semgrep ci, the progress bar now always ends at 100%. (SAF-2079)
  • Pro: fixed various bugs relating to Scala match expression handling in dataflow
    analysis (e.g., some branches being misordered, especially when matching
    multiple variables against non-integer literal patterns). (code-9144)
  • Semgrep will now emit better error messages when exceptions are raised at the beginning or end of scan (exit-message)
  • Enabled taint tracking into Goroutines, by treating them as regular Go function calls. (gh-11207)
  • Fixed missing Rust type alias translation. We can now
    accurately match the () type in a type declaration. (gh-11283)
  • fixed MCP semgrep_findings tool to accept single issue_type parameter and corrected identity string role parsing (saf-2282)

v1.142.0

Compare Source

1.142.0 - 2025-10-30

Added
  • Pro: improved taint handling of match expressions in Scala. In examples like
    val x = taint match {
        case Some(t) => t
        case None => return "example"
    }
    dataflow should now track taint from taint to x. (code-9085)
  • pro: scala: http4s-specific support for case $M -> ... :? ... +& test +& ... => ... patterns. (code-9131)
Fixed
  • Supply Chain subproject resolution table is now shown even when no subprojects were successfully resolved (SC-2492)
  • UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies will be ignored. (SC-2888)
  • Failures in parsing UV lockfiles are now correctly reported as "Failed" rather than "Unsupported" (SC-2895)
  • build.gradle.kts files now resolve correctly when --allow-local-builds is passed. (SC-2899)
  • Rule parsing in 1.139.0 was switched to happen solely in semgrep-core. This caused some users to exit with code 7, so this change has been reverted. (saf-2265)

v1.141.0

Compare Source

1.141.0 - 2025-10-23

Added
  • pro: scala: http4s-specific support for $M -> ... / $X / ... patterns (code-9114)
Fixed
  • Improved detection of implicitly returned expressions.
    Functions in some languages, such as Ruby and Scala, can return a value without an explicit return statement.
    More expressions, such as string interpolation, are now correctly identified as implicitly returned. (code-9101)
  • Scala: Parser now accepts an $MVAR as a pattern alias (@), so
    e.g. case $X @ ... => ... is now a valid pattern. (code-9130)
  • fixed an issue where CamlinternalLazy.Undefined would occur while using eio multicore (saf-1877)

v1.140.0

Compare Source

1.140.0 - 2025-10-16

Added
  • scala: Allow partial case patterns such as case 1 => ... to easily match
    individual case clauses within a match-expression. (code-9118)
  • Added python 3.14 support. (gh-11250)
  • MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)
Fixed
  • Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
  • Display an error instead of a malformed success message
    when the show subcommand fails due to an invalid CLI token. (grow-630)
  • new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
  • Fixed an issue where temporary files, containing rules to be validated,
    persisted after a semgrep scan. (saf-2257)
  • MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
  • MCP: Fixed a bug where resource closure errors would occur when trying to use
    the MCP with the streamable-http transport method. (saf-2264)

v1.139.0

Compare Source

1.139.0 - 2025-09-30

Added
  • --pro-intrafile scans will now add built-in taint propagators, like --pro does,
    hence producing extra findings. For example, in Java, list.add(taint) will now
    make list tainted even if the rule does not explicitly request that. Scan times
    should not be generally affected in a significant way. (code-9103)
  • Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
  • Associate Containerfiles with the dockerfile language (gh-11091)
Changed
  • Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#4346, #4269, #4379) (gh-4379)
  • MCP: Removed the config parameter from the semgrep_scan tools, to prevent
    agents from inserting unwanted config files to scan with. (saf-2258)
Fixed
  • scala: Fixed matching of { case ... => ... } patterns. (code-9111)
  • Fixed a bug preventing metavariable-comparisons with more than two subsequent "and" or "or" conditions from producing findings. For example, the condition $X > 1 or $Y > 1 or $Z > 1 would previously always evaluate to false. Now, it will behave as expected. (gh-11209)
  • MCP: Fixed an issue where the semgrep_scan tool, when invoking the RPC-based
    scanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
  • MCP: The semgrep_findings tool now gives a suitable error message when erring due
    to insufficient permissions on standard semgrep login tokens. (saf-2254)
  • MCP: Fixed a bug where if the user is already logged in when running the setup flow,
    the Semgrep Pro Engine installation step would be ignored. (saf-2259)

v1.138.0

Compare Source

1.138.0 - 2025-09-25

Added
  • pro: scala: Method dispatching through traits (code-9092)
Changed
  • Pro: additionally improved prefiltering for taint rules, especially when using
    taint labels. This allows for the generation of more specific conditions than
    the previously released version (v1.133.0). (code-9097)
Fixed
  • pro: python: Fix resolution of implicit namespace modules (code-9008)
  • We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs
    passed to -f/-c/--config during config/rules fetching. (gh-11016)
  • Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...}
    no longer fails to parse. (saf-2159)
  • pro: improved performance of tsconfig.json matching for Typescript projects
    that contain multiple tsconfig.jsons. (saf-2163)
  • Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Compare Source

1.137.0 - 2025-09-17

Added
  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
    used to live at https://github.com/semgrep/mcp. That repository will be deprecated
    as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
  • Update semgrep-interfaces to only accept valid language keys for editor (PR-4600)
Fixed
  • Fix incorrect interpretation of \# and \ in glob patterns found in
    Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-*
    packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

Compare Source

1.136.0 - 2025-09-09

No significant changes.

v1.135.0

Compare Source

1.135.0 - 2025-09-03

No significant changes.

v1.134.0

Compare Source

1.134.0 - 2025-08-27

Added
  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

v1.133.0

Compare Source

1.133.0 - 2025-08-22

Added
  • Pro: improved prefiltering for interfile rules. This allows the engine to skip
    interfile rules earlier in the process when we determine they cannot match in a
    given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)
Fixed
  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to
    ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more
    obscure cases that were interpreted as a float instead of a string. This
    might affect any area of Semgrep that deals with YAML files containing
    the string nan. (yaml-float-parsing)

v1.132.0

Compare Source

1.132.0 - 2025-08-14

Added
  • PHP: When enabling option taint_assume_safe_booleans the return values of
    boolval, is_bool, and || will be considered safe.
    When enabling taint_assume_safe_numbers the return values of intval,
    floatval, +, -, *, / and % will also be considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request
    took to complete will now be visible in the debug logs. (#2130)
  • Introduces a timeout to internal HTTP requests, to prevent remote endpoints
    from indefinitely hanging the engine. (#4295)
Changed
  • Pro scans will no longer attempt to parse tsconfig files for non-typescript scans. (gh-4407)
Fixed
  • Language server: Made it so that errors which occur no longer pop up while using the
    IDE. They are still logged, but will no longer be displayed via the UX. (saf-2193)
  • When validating the results of a secrets scan, do not have more than 256
    outstanding validators executing at a given time. (#2130)

v1.131.0

Compare Source

1.131.0 - 2025-07-30

Fixed
  • Semgrep diff scans can now query the app for which merge base to use. This fixes the issue where some diff scans on shallow clones would use the wrong merge base, and do a diff scan on commits not in a PR. (better-merge-base)
  • Fix a possibility that an empty file be created in place of a missing input file. This bug had been introduced with Semgrep 1.115.0. (dont-create-missing-input-files)
  • When processing a target with debug logging enabled, we now only log the target
    path rather than the entire internal structure representation. This allows for
    more succinct log files and no longer introduces mid-entry newlines, which can
    break log-parsing tooling. (gh-4315)
  • Language server: Fixed a bug which broke the Sign in command (saf-2151)
  • CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
  • Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

v1.130.0

Compare Source

1.130.0 - 2025-07-23

Fixed
  • Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

Also includes changes from the canceled 1.129.0 release

Added
  • A warning is now printed for each exclude or include pattern found in rules
    that is considered ambiguous (paths.exclude, paths.include).

    Currently, a pattern that contains a middle slash such as src/*.c
    is considered floating or unanchored by our implementation. In order to
    be compliant with Gitignore and Semgrepignore, src/*.c
    should be treated as anchored. Since many programmers are unaware of this
    subtlety in the Gitignore specification, Semgrep now prints a warning asking
    the user to lift the ambiguity. A user will now be asked to
    change their pattern src/*.c into either /src/*.c (anchored) or
    **/src/*.c (floating). This clarifies the expected behavior for readers
    of Semgrep rules and will avoid problems when Semgrep rules adopt
    the Gitignore/Semgrepignore behavior. (rule-paths-middle-slash-patterns)

  • Secrets: Validation for AWS credentials which failed due to possibly transient
    reasons is now retried (3 attempts max). (scrt-917)

Fixed
  • When running semgrep scan in a docker container without an argument
    and no target project was mounted under /src,
    instead of a silent exit with code 2, a helpful error message is
    now printed before exiting. (docker-mount-error)
  • In-rule path filters (paths.exclude, paths.include) now apply to
    normalized file paths relative to the project root. This makes rule selection
    independent from the current work folder.
    Patterns with a leading slash such as /src are now anchored instead
    of being floating. For example, exclude: [ "/src" ] will exclude the target
    file src/main.c but no longer excludes misc/src/main.c. (rule-paths-leading-slash-patterns)
  • Fixed a bug where a Unix.Unix_error would occasionally crash the experimental language server
    on startup. (saf-2133)
  • CLI: Only log a sample of the response from the get_targets endpoint.
    Previously, scanning large repos with the debug flag significantly ballooned
    the size of the output log. (saf-2145)

v1.128.0

Compare Source

1.128.0 - 2025-07-03

Added
  • HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g. HTTP_PROXY=domain.com:port) (saf-2082)
Fixed
  • Java: Deprecated the class $A partial class pattern, in favor of
    class $A { ... }
    (safe-2104)

v1.127.0

Compare Source

1.127.0 - 2025-06-24

Fixed
  • pro: typescript: Prevent stack overflows and out-of-memory issues when reading
    TS configs. (code-8678)

v1.126.0

Compare Source

1.126.0 - 2025-06-18

Fixed
  • Missing version constraints in yarn.lock descriptors no longer raise parsing errors (sc-2293)

v1.125.0

Compare Source

1.125.0 - 2025-06-11

Added
  • Dependency resolution errors that result from local builds are now reported in the scan log by default. (SC-2442)
  • Adds reporting of SSC subproject dependency resolution to the output when using --json. (SC-2458)
  • Semgrep's JSON output now will always include some basic profiling data (WIP). (code-8529)
  • C# Dependency Parsing can now handle dependencies with "Project" & "CentralTransitive" transitivities. (sc-2376)
Fixed
  • Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)
  • Added support for npm aliasing in package-lock.json, fixing a bug where packages would rarely be misidentified. (SC-2387)
  • Fixed scenario where case statements with ellipsis did not match patterns correctly. (gh-10086)
  • Nosemgrep ignore comments no longer require exactly one space before, allowing for more commenting styles. (gh-11041)
  • Fixed bug where Javascript autofix breaks syntax for if statements by consuming parentheses. (gh-9522)
  • Fix: the Semgrep findings returned by the Semgrep language server (LSP)
    are now sorted correctly based on their location within files.
    This benefits all the Semgrep IDE extensions (VSCode, IntelliJ). (ide-findings-order)
  • fixed an issue where semgrep ci logs in GitLab would return an incorrect URL
    with the wrong &ref=... argument. (saf-959)

v1.124.0

Compare Source

1.124.0 - 2025-06-04

Added
  • Parallelizes rule validation to improve performance when scanning with many rule files. (SAF-2061)
  • Semgrep should now respect ALL_PROXY, HTTP_PROXY, HTTPS_PROXY,
    NO_PROXY, PROXY_USERNAME and PROXY_PASSWORD for all networking (including
    that done via the OCaml components). Moreover, the environment variable
    OCAML_EXTRA_CA_CERTS should now allow additional CA certs to be used for
    network operations done by OCaml components. (code-8157)
Fixed
  • Stop attempting to parse build.gradle.kts files as build.gradle. (SC-2209)
  • Taint rules using the experimental feature labels, and specifying sinks
    with a requires: of the form not A, could produce findings with an empty
    list of traces, potentially causing a crash. We now recognize the issue and
    prevent the crash from happening. (code-8531)
  • Fixed inconsistency where the empty Python fstring f"" was not matched by the pattern "...". (gh-10047)
  • Fixed bug where dev dependencies (and their dependencies, and so on) were incorrectly marked as "transitivity: unknown" when parsing package-lock.json projects, specifically v3 lockfiles. (gh-4003)
  • Fixed scenario where a multiplication expression of ints was not considered an int. This will help with metavariable-type. Concretely, "2 * groups" was not considered an int, where groups is an int. Additionally adds type inference for mod, floor division, and pow. (gh-9855)
  • pro: python: Fixed a regression that could (in rare cases) cause naming to take a
    disproportionate amount of time significantly slowing down scans. (saf-1978)

v1.123.0

Compare Source

1.123.0 - 2025-05-28

Fixed
  • Fixed bug where supply chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable. (SC-2088)
  • Fixed documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in. (gh-11028)

v1.122.0

Compare Source

1.122.0 - 2025-05-14

Added
  • Adds support for the UV package manager in Supply Chain scans. (SC-1900)
Fixed
  • pro: Fixed inter-file naming bug affecting Go's struct-methods that could result
    in false negatives.

    Previously, adding a pattern-inside like

    func ($THING $TYPE) $FUNC(...) $R { ... }
    

    to a taint rule could cause some findings to incorrectly stop being reported. (code-7767)

  • PRO: Fixed the issue with type matching when a type has a type parameter, e.g., matching the pattern std::vector<$T> with the code std::vector<int> v in C++. (code-8443)

  • Make Nuget dependency child parsing case insensitive (sc-2355)

  • Fixed bug where direct dev dependencies were not marked as direct when parsing package-lock.json projects. (sc-dev)

v1.121.0

Compare Source

1.121.0 - 2025-05-06

Added
  • pro: Improved handling of tsconfig.json in instances where multiple
    typescript "projects" (i.e., separately rooted source directories with their
    own configurations not joined by a single tsconfig.json with project
    references) are being scanned as one project under semgrep. This should result
    in better name/module resolution in TypeScript. (code-7798)
  • pro: Improved handling of include, exclude and files properties in
    tsconfig.json. Projects which use more than one tsconfig in a given directory
    which apply to different sets of files under that directory should see
    improvements in name/module resolution. (code-7798-a)
  • Improved Supply Chain scan output and logging. (sc-2356)
Changed
  • Upgrade the Julia parser to the tree-sitter-julia 0.22.0 (gh-10820)
Fixed
  • Fix bug introduced in Semgrep 1.120.0 causing interfile analyses to run out of memory due to too many parallel jobs. The default setting had been accidentally set to the number of available CPUs which is often too much in interfile mode. It's now back to -j1 and it can be overridden by the user. (interfile-num-jobs)
  • Fixed CI output so it shows per-product links depending on what product is enabled in a scan. (pr-3776)
  • CLI: Fixed a bug where --disable-nosem was not properly causing nosemgrep'd findings
    to be uploaded to the App. (saf-1982)
  • Exempt large manifests & lockfiles from being ignored by semgrep's file size filtering.
    This fixes a regression introduced in 1.117.0 (sca-1705). (sc-1705)

v1.120.0

Compare Source

1.120.0 - 2025-04-22

Added
  • Added a few new entries in the .semgrepignore default file
    (e.g., _cargo, _opam, .svn) (semgrepignore)
  • Add an experimental option --x-semgrepignore-filename to change the name of .semgrepignore files to something else. This can be used to scan a subproject in a separate semgrep invocation as the rest of the containing project. (semgrepignore-filename)
Fixed
  • Fixed bug in pro package-lock.json parsing where dependencies with no specified version would cause an exception (SC-2150)
  • Fixed the default -j setting so as to take into account the cgroup
    CPU quota on Linux. This will affect Docker and other containerized
    environments that share resources on the same host. Use the new command
    semgrep show resources --experimental to show the default setting. (saf-1950)

v1.119.0

Compare Source

1.119.0 - 2025-04-16

Added
  • python: Semgrep will now perform dataflow analysis within and through comprehensions. (saf-1560)
  • A new subcommand semgrep show project-root is now provided to display
    the project root path associated with a scan root. This is useful for
    troubleshooting Semgrepignore (v2) issues. (saf-1936)
Fixed
  • tainting: Apply taint_assume_safe_numbers and taint_assume_safe_booleans
    earlier when considering to track taint through class fields and function
    parameters. If the field/parameter has a number/Boolean type and the
    corresponding option is set, it will just not be tracked. In some cases this
    can help with performance.

    Also added short/Short to the list of integer types recognized by
    taint_assume_safe_numbers. (code-8345)

  • IDE: The Semgrep VS Code Extension will no longer hang on Getting code actions from Semgrep...
    on saving a file, when updating rules. (saf-1954)

v1.118.0

Compare Source

1.118.0 - 2025-04-09

Fixed
  • Pro: Failure to parse a package.json file when analysing JavaScript or
    TypeScript is no longer a fatal error. (code-8227)

  • taint-mode: Fixed bug in taint "auto-cleaning" where we automatically clean the
    LHS of an assignment if the RHS is clean, provided that the LHS is not subject to
    any "side-effects". In some cases, this could cause the taint analysis to timeout.
    Some combinations of rules and repos will see a major perf improvement, in other
    cases it may not be noticeable. (code-8288)

  • In a Semgrep rule's metadata section, two fields may provide URLs:

    • source: populated dynamically by the Semgrep registry serving the rule, it's a URL that
      offers information about the rule.
    • source-rule-url: optional string, a URL for the source of inspiration for the rule.

    The SARIF format supports only one URL under the field helpUri.
    Previously, Semgrep populated the SARIF helpUri field only with metadata.source.
    This fix is to use metadata.source if available, otherwise falling back to metadata.source-rule-url.

    Contributed by @candrews. (gh-10891)

v1.117.0

Compare Source

1.117.0 - 2025-04-02

Added
  • Add temporary backward compatibility in Semgrepignore v2 for patterns
    that start with ./. For example, the pattern ./*.py should be written as
    /*.py to have the desired effect of excluding the .py files
    located in the same directory as the .semgrepignore file containing
    the pattern.
    To minimize surprises for users switching to Semgrepignore v2,
    we'll be interpreting automatically ./*.py as /*.py for the time
    being so as to match the legacy Semgrepignore v1 behavior. Users should not
    rely on this since it doesn't comply with the Gitignore/Semgrepignore
    standard and will be removed in the future. (tolerate-semgrepignore-v1-dotslash)
  • Target file selection now uses
    Semgrepignore v2 by default. This brings the behavior of the Semgrepignore file
    exclusions closer to Git and .gitignore files. There can now
    be multiple .semgrepignore files in the project. The .semgrepignore file
    in the current folder is no longer consulted unless it is in the project.
    Negated patterns are now supported such as !scanme.py as with Gitignore.
    Some bugs were fixed. (use-semgrepignore-v2)
Changed
  • Upgrade Semgrep from OCaml 5.2.1 to 5.3.0 (#3)
Fixed
  • In Semgrepignore v2, allow wildcards * and ? to match file names with a leading period. This matches the behavior of Gitignore and Semgrepignore v1. (semgrepignore-dotfiles)

v1.116.0

Compare Source

1.116.0 - 2025-03-28

Fixed
  • Use value of $XDG_CACHE_HOME before hardcoded ~/.cache for semgrep_version file (gh-4465)

v1.114.0

Compare Source

1.114.0 - 2025-03-19

Fixed
  • Pro Engine now more accurately tracks the scope of Python local variables. For
    example, the following code defines two z variables that should be tracked
    separately.

    z = 1
    
    def foo():
        z = 2
        a = z
    

    The Pro engine now correctly recognizes that the z assigned to a is the one
    defined in the local scope, not the global scope. (code-8114)

v1.113.0

Compare Source

1.113.0 - 2025-03-17

Fixed
  • Semgrep will no longer fail a diff scan if there is a relative safe directory (saf-1851)

v1.112.0

Compare Source

1.112.0 - 2025-03-13

Added
  • TypeScript parser now allows ellipses in class bodies. For example, you can
    write the pattern like:
    ```
    class $C {
      ...
      $FUNC() { ... }
      ...
    }
    ```
    (code-8242)

  • Semgrep will now present more detailed info when a scan is complete, such as what percent of lines were scanned. It is also formatted in a new manner (saf-details)
  • Verbose output will now print additional info about parsing and internal semgrep errors, such as what % of lines were skipped, and the lines they occurred on (saf-verbose)
Fixed
  • pro: Fixed bug in (experimental) "at-exit" sinks feature that would prevent
    the identification of a statement like return foo() as one such sink. (code-8199)
  • FIX: --gitlab-secrets output has been updated to conform to GitLab JSON schema (scrt-849)
  • The behavior of --semgrepignore-v2 changed to be closer to the legacy
    Semgrepignore v1. .gitignore files are no longer loaded automatically
    as part of the Semgrepignore v2 exclusion mechanism.
    Loading a .gitignore file must be done
    by placing :include .gitignore in the .semgrepignore file
    as was the case with Semgrepignore v1. (semgrepignore-v1-compat)

v1.111.0

Compare Source

1.111.0 - 2025-03-04

Changed
  • Removed .semgrepignore file lookup using the SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE environment variable. This was used by semgrep-action which
    has been deprecated. (semgrep-action)
Fixed
  • pro: Fixed bug that could prevent taint tracking from following a virtual call
    in JS/TS. (code-8065)
  • PRO: Restricted heuristic search of the Python module path to paths only under
    the project root to reduce inaccuracies in module resolution. This change
    mitigates the risk of resolving module specifiers to incorrect paths,
    particularly in cases involving common library names (e.g., django). (code-8146)
  • Fix the incorrect schema and analysis type in the JSON output of the secret
    findings when using the --gitlab-secrets flag. (scrt-833)

v1.110.0

Compare Source

1.110.0 - 2025-02-26

Added
  • pro: Inter-file analysis will now process Javascript and Typescript files
    together, so that taint can be tracked across both languages. (code-8076)

  • Pro: new metavariable-name operator which allows for expressing a constraint
    against the fully qualified name or nearest equivalent of a metavariable
    (useful mainly in JavaScript and TypeScript, where there is no first-class
    syntax for this, or where such names or pseudo-names contain symbols which
    cannot appear in identifiers). Requires pro naming passes and works best with
    interfile naming.

    Additional documentation forthcoming. (code-8121)

Changed
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our PyPI and Homebrew distributions. Our Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. (ocaml5)
Fixed
  • Fixed a regression in pro interfile mode where type inference for the var
    keyword in Java was not functioning correctly. (code-7991)

  • PRO: Fix the range not found error when using a metavariable pattern match on
    a typed metavariable. For example, the following metavariable pattern rule will
    no longer trigger the error:

    ```yaml
    patterns:
      - pattern: ($FOO $VAR).bar()
      - metavariable-pattern:
          metavariable: $FOO
          pattern-either:
            - pattern: org.foo.Foo
    ```
    (code-8007)

  • lsp will no longer send diagnostics where the message is MarkupContent since
    our current implementation does not discriminate on the client capability for
    receiving such diagnostics (to-be-added in 3.18). (code-8120)

  • Yarn.lock parser now correctly denotes NPM organization scope. (sc-2107)

  • Packages in Package.resolved without a version are now ignored. (sc-2116)

  • Updated Package.swift parser to support:

    • The url value in a .package entry doesn't have to end with .git
    • You can have an exact field that looks like exact: "1.0.0" instead of .exact("1.0.0")
    • The exact version can be an object like Version(1,2,3) instead of a string
    • You can have .package values with no url, like this: .package(name: "package", path: "foo/bar") (sc-2117)

v1.109.0

Compare Source

1.109.0 - 2025-02-19

Changed
  • Pyproject.toml files are now parsed using a toml parser (tomli). (sc-2054)
Fixed
  • pro: taint-mode: Fixed limitation in custom taint propagators.
    See https://semgrep.dev/playground/s/ReJQO (code-7967)
  • taint-mode: Disable symbolic-propagation when matching taint propagators
    to prevent unintended interactions. See https://semgrep.dev/playground/s/7KE0k. (code-8054)
  • Fixed pattern match deduplication to avoid an O(n^2) worst-case complexity, and
    optimized the matching of ordered ..., PAT, ... patterns. (saf-682)

v1.108.0

Compare Source

1.108.0 - 2025-02-12

Added
  • pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)
Changed
  • Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
  • The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and
    "semgrep.policy:" are now filtered from the JSON output unless you
    are logged in with the Semgrep appsec platform.
    See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
  • The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)
Fixed
  • This PR changes the way we handle failures in git worktree remove so that they are handled more gracefully.
    Instead of erroring, we continue to scan so that the user can still get results, but
    log the error. It also adds a guard so that this failure is less likely to happen
    and will include more debugging information when it does. (sms-521)

v1.107.0

Compare Source

1.107.0 - 2025-02-04

Added
  • More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
  • Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)
Fixed
  • The pro engine now respects the correct order of field resolution in Scala's
    multiple inheritance. The type that appears later takes precedence when
    resolving fields. For example, in class A extends B with C with D, the order
    of precedence is D, C, B, and A. (code-7891)
  • pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
  • pro: python: Fixed resolution of calls to the implementation of abstract methods.
    See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
  • Fixed the semgrep ci --help to not include experimental options
    like --semgrep-branch (saf-1746)
  • Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
  • Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)
Infra/Release Changes
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

v1.106.0

Compare Source

1.106.0 - 2025-01-29

See 1.105.0 Changelog:

1.105.0 - 2025-01-29

Added
  • Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)
Changed
  • Added extra defensive try/catch around lockfile parsing (parsing)
Fixed
  • LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
  • Some bug fixes to pnpm lockfile parsing. (gh-2955)
  • Fix npm aliasing bug in yarn parser. (sc-2052)
  • Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

v1.104.0

Compare Source

1.104.0 - 2025-01-22

Changed
  • Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)
Fixed
  • pro: Fixed bug in inter-file matching of subtypes. When looking to match some
    type A, Semgrep will match any type B that is a subtype of A, but in certain
    situations this did not work. (code-7963)

  • taint-mode: Make traces record assignments that transfer taint via shapes.

    For example, in code like:

    ```java
    B b = new B(taint);
    B b1 = b;
    sink(b1.getTaintedData());
    ```

    The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

  • Python: Parser updated to the most recent tree-sitter grammar.
    Parse rate from 99.8% -> 99.998%. (saf-1810)


Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

@alma-renovate-bot alma-renovate-bot bot requested a review from a team June 7, 2025 00:09
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from a8a37f1 to 11dea91 Compare June 12, 2025 04:08
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.124.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.125.0 Jun 12, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 11dea91 to ba1915d Compare June 18, 2025 20:07
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.125.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.126.0 Jun 18, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from ba1915d to 82722c1 Compare June 24, 2025 20:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.126.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.127.0 Jun 24, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 82722c1 to 75800c1 Compare July 4, 2025 00:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.127.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.128.0 Jul 4, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 75800c1 to edde821 Compare August 10, 2025 00:09
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.128.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.131.0 Aug 10, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from edde821 to 712caf0 Compare August 15, 2025 00:08
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.131.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.132.0 Aug 15, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 712caf0 to 1ede29d Compare August 22, 2025 20:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.132.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.133.0 Aug 22, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 1ede29d to 0cc31bf Compare August 28, 2025 09:11
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.133.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.134.0 Aug 28, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 0cc31bf to 2d8200f Compare September 4, 2025 00:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.134.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.135.0 Sep 4, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 2d8200f to 064c66c Compare September 10, 2025 00:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.135.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.136.0 Sep 10, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 064c66c to fe6760b Compare September 19, 2025 00:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.136.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.137.0 Sep 19, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from fe6760b to f756173 Compare September 25, 2025 16:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.137.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.138.0 Sep 25, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from f756173 to edb1108 Compare October 1, 2025 04:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.138.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.139.0 Oct 1, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from edb1108 to 139883e Compare October 20, 2025 00:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.139.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.140.0 Oct 20, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 139883e to ba4b701 Compare October 27, 2025 00:07
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.140.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.141.0 Oct 27, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from ba4b701 to b840876 Compare November 3, 2025 04:07
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.141.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.142.0 Nov 3, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from b840876 to b324aa8 Compare November 16, 2025 20:20
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.142.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.143.0 Nov 16, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from b324aa8 to 0e61817 Compare November 23, 2025 04:09
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.143.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.144.0 Nov 23, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 0e61817 to 904e240 Compare December 8, 2025 04:08
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.144.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.145.0 Dec 8, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 904e240 to 365b6bb Compare December 21, 2025 00:09
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.145.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.146.0 Dec 21, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 365b6bb to a13fef8 Compare January 11, 2026 00:10
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.146.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.147.0 Jan 11, 2026
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from a13fef8 to 6530753 Compare January 18, 2026 04:12
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.147.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.148.0 Jan 18, 2026
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 6530753 to d91355f Compare January 25, 2026 00:11
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.148.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.149.0 Jan 25, 2026