Skip to content

build(deps): bump semgrep from 1.141.1 to 1.144.1 #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

build(deps): bump semgrep from 1.141.1 to 1.144.1 #214

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 5, 2025

Bumps semgrep from 1.141.1 to 1.144.1.

Release notes

Sourced from semgrep's releases.

Release v1.144.0

1.144.0 - 2025-11-19

Fixed

  • pro: interfile scans no longer default to -j 1; instead, the number of available CPUs on the system is polled as part of a heuristic to determine how many threads should be spawned. (gh-4952)
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

Release v1.143.0

1.143.0 - 2025-11-12

Added

  • Dataflow will now understand empty block expressions as having unit value in more instances. (code-9141)
  • Parallel scans will now use shared-memory parallelism using multicore OCaml domains, rather than the legacy fork-join approach. Users can opt into the legacy method with the --x-parmap CLI flag, and this deprecates the --x-eio flag (since it is now the default behaviour). (saf-2271)
  • Add -k/ --hook flag to enable Semgrep scans via Claude Code Agent post-tool hooks (saf-2279)

Fixed

  • When running semgrep scan or semgrep ci, the progress bar now always ends at 100%. (SAF-2079)
  • Pro: fixed various bugs relating to Scala match expression handling in dataflow analysis (e.g., some branches being misordered, especially when matching multiple variables against non-integer literal patterns). (code-9144)
  • Semgrep will now emit better error messages when exceptions are raised at the beginning or end of scan (exit-message)
  • Enabled taint tracking into Goroutines, by treating them as regular Go function calls. (gh-11207)
  • Fixed missing Rust type alias translation. We can now accurately match the () type in a type declaration. (gh-11283)
  • fixed MCP semgrep_findings tool to accept single issue_type parameter and corrected identity string role parsing (saf-2282)

Release v1.142.0

1.142.0 - 2025-10-30

Added

  • Pro: improved taint handling of match expressions in Scala. In examples like 
    

    • 






... (truncated)





Changelog

Sourced from semgrep's changelog.




1.144.1 - 2025-12-04


Fixed


    

  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
    • 

  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted (saf-default-jobs)
    • 



1.144.0 - 2025-11-19


Fixed


    

  • pro: interfile scans no longer default to -j 1; instead, the number of
available CPUs on the system is polled as part of a heuristic to determine how
many threads should be spawned. (gh-4952)
    • 

  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)
    • 



1.143.3 - 2025-11-25


No significant changes.


1.143.2 - 2025-11-25


Fixed


    

  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
    • 



1.143.1 - 2025-11-14


Fixed


    

  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)
    • 



1.143.0 - 2025-11-12


Added





... (truncated)





Commits






Dependabot compatibility score


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.





Dependabot commands and options



You can trigger Dependabot actions by commenting on this PR:


    

  • @dependabot rebase will rebase this PR
    • 

  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • 

  • @dependabot merge will merge this PR after your CI passes on it
    • 

  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • 

  • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • 

  • @dependabot reopen will reopen this PR if it is closed
    • 

  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • 

  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
    • 

  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • 

  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • 

  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • 




    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



          

        
      




  




      

       
            



      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @dependabot
  




      

        
          build(deps): bump semgrep from 1.141.1 to 1.144.1
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          dfd8e5f
        
      

    

  

    

      
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.141.1 to 1.144.1.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/returntocorp/semgrep/commits)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-version: 1.144.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

    







  








      

  
            


    

    

      
    

    


      


          @dependabot
dependabot
bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  python:uv

  Pull requests that update python:uv code

  labels


      Dec 5, 2025

    

  












  
  

    

      

  




      


    


    

      

        
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  



      

    

  




  
          



      

  

    
    

    

  

    Reviewers
  


    

    No reviews






    
    

    

  


      
  

    Assignees
  



        


      

        


  
      @ukwhatn
  
    ukwhatn
    

      








      


  


  

    Labels
  



    

      

    dependencies

  Pull requests that update a dependency file
  

    python:uv

  Pull requests that update python:uv code








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
      

  

    

      2 participants
    

    

        
          @ukwhatn