Skip to content

Bump semgrep from 1.130.0 to 1.134.0#199

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/semgrep-1.134.0
Closed

Bump semgrep from 1.130.0 to 1.134.0#199
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/semgrep-1.134.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 29, 2025

Bumps semgrep from 1.130.0 to 1.134.0.

Release notes

Sourced from semgrep's releases.

Release v1.134.0

1.134.0 - 2025-08-27

Added

  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

Release v1.133.0

1.133.0 - 2025-08-22

Added

  • Pro: improved prefiltering for interfile rules. This allows the engine to skip interfile rules earlier in the process when we determine they cannot match in a given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)

Fixed

  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more obscure cases that were interpreted as a float instead of a string. This might affect any area of Semgrep that deals with YAML files containing the string nan. (yaml-float-parsing)

Release v1.132.0

1.132.0 - 2025-08-14

Added

  • PHP: When enabling option taint_assume_safe_booleans the return values of boolval, is_bool, and || will be considered safe. When enabling taint_assume_safe_numbers the return values of intval, floatval, +, -, *, / and % will also be considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request took to complete will now be visible in the debug logs. (#2130)
  • Introduces a timeout to internal HTTP requests, to prevent remote endpoints from indefinitely hanging the engine. (#4295)

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.134.0 - 2025-08-27

Added

  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

1.133.0 - 2025-08-22

Added

  • Pro: improved prefiltering for interfile rules. This allows the engine to skip interfile rules earlier in the process when we determine they cannot match in a given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)

Fixed

  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more obscure cases that were interpreted as a float instead of a string. This might affect any area of Semgrep that deals with YAML files containing the string nan. (yaml-float-parsing)

1.132.1 - 2025-08-14

No significant changes.

1.132.0 - 2025-08-14

Added

  • PHP: When enabling option taint_assume_safe_booleans the return values of boolval, is_bool, and || will be considered safe. When enabling taint_assume_safe_numbers the return values of intval, floatval, +, -, *, / and % will also be considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request

... (truncated)

Commits
  • 32f65fd chore: release version 1.134.0
  • 0d5c006semgrep/semgrep-proprietary#4546
  • 45bb455semgrep/semgrep-proprietary#4537
  • e7a8877semgrep/semgrep-proprietary#4543
  • d8e6946 nit(tracing): only log a debug message if ddprof is not on (semgrep/semgrep-p...
  • 748a190 feat: use RPC validation to generate errors for semgrep scan (semgrep/semgrep...
  • a6a0666 chore(sca-parsing): fix go tool directive parsing (semgrep/semgrep-proprietar...
  • 424929csemgrep/semgrep-proprietary#4522
  • b328f9a Cron - update semgrep-rules and semgrep-rules-pro submodules (semgrep/semgrep...
  • 860fdcf feat: support for parsing join mode rules in semgrep-core (semgrep/semgrep-pr...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump semgrep from 1.130.0 to 1.134.0
5d17a98 
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.130.0 to 1.134.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.130.0...v1.134.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-version: 1.134.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Aug 29, 2025
@dependabot dependabot bot requested a review from asullivan-blze as a code owner August 29, 2025 00:13
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Aug 29, 2025
@dependabot dependabot bot mentioned this pull request Aug 29, 2025
Closed
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Sep 4, 2025

Superseded by #201.

@dependabot dependabot bot closed this Sep 4, 2025
@dependabot dependabot bot deleted the dependabot/pip/semgrep-1.134.0 branch September 4, 2025 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asullivan-blze asullivan-blze Awaiting requested review from asullivan-blze asullivan-blze is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants