Skip to content

chore(deps): update pre-commit hook returntocorp/semgrep to v1.169.0#179

Open
alma-renovate-bot[bot] wants to merge 1 commit into
developfrom
renovate/tools-and-pre-commit
Open

chore(deps): update pre-commit hook returntocorp/semgrep to v1.169.0#179
alma-renovate-bot[bot] wants to merge 1 commit into
developfrom
renovate/tools-and-pre-commit

Conversation

@alma-renovate-bot

@alma-renovate-bot alma-renovate-bot Bot commented Jun 7, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change Pending
returntocorp/semgrep repository minor v1.103.0v1.169.0 v1.170.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

returntocorp/semgrep (returntocorp/semgrep)

v1.169.0

Compare Source

1.169.0 - 2026-07-08

### Infra/Release Changes
  • Updated Dart parser to a more recent upstream version. (LANG-579)

v1.168.0

Compare Source

1.168.0 - 2026-06-24

### Added
  • Added an experimental --x-dependency-paths flag to scan and ci that includes the full dependency path(s) for transitive supply-chain findings in --json and --sarif output. (SC-3547)
### Changed
  • Malicious supply chain rules are now labeled "Malicious" instead of "Basic" in the scan analysis summary table. (SC-3504)
### Infra/Release Changes
  • semgrep-core no longer depends on libpcre 8.x; libpcre2 10.x is now the sole regex engine. (drop-libpcre)
  • Aliengrep (generic mode) now uses the maintained libpcre2 10.x regular-expression library instead of the deprecated libpcre 8.x. Matching behavior is unchanged. (aliengrep-pcre2)
  • The metavariable-regex and metavariable-comparison (re.match()) runtimes now use the maintained libpcre2 10.x library instead of the deprecated libpcre 8.x. Matching behavior is unchanged. (eval-generic-pcre2)

v1.167.0

Compare Source

1.167.0 - 2026-06-17

### Added
  • Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more. (const-folding)
  • Added a nosemgrep_disabled field to the scan configuration so the platform can disable nosemgrep inline ignore comments org-wide for a scan. (APPEX-1122)
  • Semgrep now skips binary files (images, archives, compiled executables,
    etc.) during scanning by default, detected via matching file extensions
    to known file-format magic bytes Pass --no-exclude-binary-files to
    scan binary files as before. (ENGINE-2708)
### Fixed
  • semgrep ci with --sarif now correctly populates the output's ignores
    field with nosemgrep-suppressed findings, in accordance with other output
    formatters. (gh-6651)
### Infra/Release Changes
  • Updated the ocaml-tree-sitter-core submodule to the latest upstream main, providing

    • improved thread-safety
    • bumps the tree-sitter CLI option used from 0.20.6 to 0.20.8.

    (ocaml-tree-sitter-core-bump)

v1.166.0

Compare Source

1.166.0 - 2026-06-11

### Added
  • Pro: Added experimental cross-file (interfile) analysis for Gosu, enabling taint tracking across multiple Gosu source files. (gosu-interfile)
  • Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more (ENGINE-2789)
### Fixed
  • Fixed parsing of integer literals with an underscore immediately after the radix prefix (e.g. 0x_dead_beef, 0o_755, 0b_1010_1010). (LANG-533)
  • Python parsing now preserves type parameters on def and class definitions. (LANG-536)
  • Semgrep no longer stores the API token in ~/.semgrep/settings.yml's stored
    token when the current scan's token is supplied via the SEMGREP_APP_TOKEN
    envvar. (SEC-2240)
  • semgrep ci scans originating from a pre-commit hook will no longer fail with
    Unable to create '<tmp>/.git/index.lock': Not a directory in certain cases. (engine-2736)
### Infra/Release Changes
  • Added parsing tests covering Python language features (Python 3.0–3.12). (LANG-531)

v1.165.0

Compare Source

1.165.0 - 2026-06-03

### Added
  • Added --max-match-context-size option to limit the number of characters of source code included as context for each match in the output. This prevents matches in minified files (e.g., minified JavaScript where the entire file is a single line) from producing enormous output Set to 0 for unlimited, which is the default value. (ENGINE-2117)
### Changed
  • Replaced --x-no-python-schema-validation with a value-taking --x-rule-validation=full|core-only|none flag. The default (full) preserves existing Python rule validation behavior; core-only matches the old flag's semantics (disables Python rule validation and uses semgrep-core RPC validation only); none skips both pre-validation passes, surfacing rule errors at scan-time. --x-no-python-schema-validation is still accepted as a no-op with a deprecation warning, and will be removed in a future release. (x-rule-validation)
  • Python: Updated Python grammar (LANG-201)
### Fixed
  • Added bit shift operations to metavar comparison in addition to already present standard arithmetic operators and logical bit ops. (ENGINE-2448)
  • Reduce intermittent validation_error results on HTTP secret validators (Facebook, Slack, Stripe, Google, Cloudflare, etc.) by retrying transient network failures, mirroring the retry behavior already present for AWS validators. (SCRT-965)

v1.164.0

Compare Source

1.164.0 - 2026-05-26

### Added
  • Dart: typed metavariables ($X as T) and metavariable-type,
    metavariable binding inside string interpolations, and function-definition
    patterns that match Dart function definitions. (gh-11678)
### Changed
  • The default memory limit for Pro interfile scans on Linux now adapts to the container's cgroup memory limit (90% of it) instead of the previous fixed 5 GiB, with an 8 GiB fallback when no cgroup limit is detected. (ENGINE-2568)
  • Lower the glibc contraint from >=2.35 to >=2.34, allowing users on distros
    that ship glibc 2.34 (e.g RHEL 9 & AL2023) to install the semgrep wheel. (gh-11622)
### Fixed
  • Baseline diff scans (semgrep ci and --baseline-commit) no longer treat every finding on a file as newly introduced when rule(s) failed during the baseline run.

    Per-rule failures (for example a timeout for a single rule) on baseline analysis now hide only that rule's matches on that file from the "new vs baseline" comparison.
    Other rules on the same file are still taken in comparison for the "new vs baseline" comparison.

    Per-file, rule-independent failures now hide all findings on that file from the "new vs baseline" comparison. (LANG-515)

  • Fixed a yarn.lock parse error on Yarn Berry entries written
    in YAML explicit-key form. Affected lockfiles previously failed to parse. (SC-3479)

  • The (beta) SBT resolver with --allow-local-builds now correctly identifies dependencies as part of the Maven ecosystem. (SC-3522)

  • Fix --sarif-output and --sarif causing nosemgrep-suppressed findings to be reported in CLI scan output and to block scans. Suppressed findings are now correctly excluded from terminal text output, the scan-summary count, and the CLI's exit code. (engine-1824)

  • Fixed a bug that could cause unreliable target filtering in parallel scans. (gh-6313)

  • Dart: improved parser fidelity for Dart 3 grammar features and routed
    pattern parsing for statements beginning with await, rethrow, and other
    statement keywords. Eliminates a large class of PartialParsing errors on
    real-world pub.dev packages. (gh-11678)

### Infra/Release Changes
  • pro: macOS: Fixed dynamic library lookup for semgrep-core-proprietary so the binary works when semgrep install-semgrep-pro is invoked, and semgrep is installed via Homebrew. (pro-binary-homebrew)
  • Pro: Added optional <case>.named_ast.expect golden files for tests/intrafile/maturity/ fixtures, exercised by Unit_maturity_named_asts. (LANG-287)

v1.163.0

Compare Source

1.163.0 - 2026-05-13

### Added
  • Updated PHP target parsing to support grammar changes from PHP 8.1-8.5 (LANG-380)
### Changed
  • Improved semgrep ci startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
  • Semgrep now validates dependency aware rules only on the core side, improving startup time (validate-skip-dep-aware)
  • Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
  • Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)
### Fixed
  • Improved name resolution for fully-qualified names in Java, Kotlin, and Scala. This could lead to fewer false positives and more true positives when the code under analysis uses fully-qualified names instead of imports. (java-qualified)
  • Optimised rule prefiltering and parsing to improve engine startup time. (rule-parse-cache)
  • Reduced peak memory usage when scanning repos with large rulesets. (rules-json-compact)
  • Fixed transitive reachability rule parsing performance: the temporary rule
    file written for each transitive-reachability RPC call is JSON content
    (json.dumps([rule.raw])) but was being created with a .yaml suffix.
    OCaml's Parse_rule.parse_file dispatches purely on file extension, so this
    routed every TR rule through Yaml_to_generic.parse_yaml_file (the slow YAML
    path) instead of Fast_json.parse_program (the new hand-written RFC 8259
    parser). Switching the suffix to .json lines the suffix up with the actual
    content and lets every TR rule parse take the fast path. (tr-json-suffix)
  • Pro: Fixed a naming resolution bug in Java. (LANG-274)

v1.162.0

Compare Source

1.162.0 - 2026-05-07

### Added
  • pro: Improved support for tracking taint through nested functions. (LANG-95)
  • Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)
### Changed
  • Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
  • Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
  • MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)
### Fixed
  • jsonnet: import and importstr now reject paths that resolve outside the
    rule file's parent directory. (ENGINE-2727)
  • semgrep ci: redact URL-embedded credentials and Authorization header
    values from git error messages and from the captured tracebacks sent to
    the fail-open telemetry endpoint, preventing leaks of secrets like
    CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes
    ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
  • semgrep ci no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
  • semgrep CLI: the on-disk log file (~/.semgrep/semgrep.log or $SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass --debug to restore the previous behavior. (ENGINE-2730)
  • jsonnet rules: bound recursion in both rule loading and evaluation so a
    malicious rule can no longer hang semgrep via mutually-recursive imports
    or runtime function calls that recurse forever. (ENGINE-2727-dos)
  • Scala: Merging consecutive top-level package declarations into a single package path. (LANG-374)
  • Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
  • Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
  • Surface a clearer error from the MCP scan tool when metrics is off and auto config is specified (gh-11649)
  • Fixed unknown option error when spawning the MCP daemon (gh-11660)

v1.161.0

Compare Source

1.161.0 - 2026-04-22

### Added
  • Scala 3.4+ trait parameters are now parsed correctly. (lang-73)
### Fixed
  • Semgrep's HTTP requests no longer log URLs above the debug level; full request
    details remain available when running with SEMGREP_LOG_SRCS=cohttp.client. (ENGINE-2712)

v1.160.0

Compare Source

1.160.0 - 2026-04-16

### Added
  • Scala: Added tree-sitter parser for improved parsing accuracy with pfff fallback. (LANG-255)
  • pro: taint: Improved support for variadic functions (LANG-375)
### Fixed
  • Fixed performance issues during parsing Semgrep rules containing emoji or
    other non-BMP Unicode characters. (gh-6070)
  • Emit a warning when semgrep-core rule validation fails and falls back to JSON
    schema validation, alongside details of the failure. (gh-6071)

v1.159.0

Compare Source

1.159.0 - 2026-04-10

### Fixed
  • Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)

v1.158.0

Compare Source

1.158.0 - 2026-04-09

### Added
  • Added support for a supply chain hook for the Semgrep Plugin (supply-chain-hook)
  • Computing taint configs, ~1/4-1/2 of the semgrep-core time in interfile scans, is now done in parallel according to the number of jobs (ENGINE-2649)
  • Semgrep Pro interfile engine (--pro) taint analysis has been redesigned, significantly improving performance (estimated 20-40% improvement). This improvement introduces a slight change in how findings are generated, that may result in more true positives, or less false positives. To revert to previous behavior, pass --no-x-run-taint-once as a flag. (engine-2468)
### Changed
  • semgrep-core macOS binaries are now dynamically linked to the system's libraries. (macos-binary-build)
  • semgrep-core manylinux binaries are now dynamically linked to the system's glibc on glibc systems. This introduces a minimum glibc version requirement of >=2.35, which is satisfied in Ubuntu >=22.04, Debian >=12, RHEL >=10, and other glibc distributions with at least glibc 2.35. Linux systems running an older glibc will need to upgrade their OS. (manylinux-binary-build)
  • The manylinux wheel is now tagged as manylinux_2_35_, reflecting a minimum
    requirement of glibc version 2.35. (manylinux-wheel-tag)
  • semgrep-core musllinux binaries are now dynamically linked to the system's musl libc on musl systems. (musllinux-binary-build)
  • The musllinux PyPI wheel is now tagged as musllinux_1_2_, reflecting a requirement
    of musl libc version 1.2. (musllinux-wheel-tag)
  • The LSP and MCP servers now use the v2 config download endpoint by default when fetching rules from Semgrep AppSec Platform. Set SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1 to fall back to the legacy endpoint. (SMS-2284)
### Fixed
  • Fixed IDE login issues where network errors during token verification were incorrectly clearing the saved token. The LSP now distinguishes 401 Unauthorized (invalid token) from other errors (e.g. network failures), surfacing appropriate messages instead. (ide-login)
  • Fixed SARIF taint trace output: step locations now use the correct file URI, and the full taint sink call trace is included in codeFlows. (engine-2570)
  • The --x-mem-policy flag now propagates to the RPC subprocess, fixing memory tuning for dependency resolution and other RPC-based operations. (pylon-20772)

v1.157.0

Compare Source

1.157.0 - 2026-03-31

### Added
  • pro: Improved taint tracking through lambda calls. (LANG-268)
  • It is now possible to match a class name like in $C.getInstance(...), and then
    use metavariable-type on $C to check its type. (LANG-271)
  • pro: Improve cross-file taint tracking for globals. (LANG-275)
### Changed
  • Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
  • pro: Improved golang module resolution. (code-9225)
  • Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)
### Fixed
  • Fix Rust parsing of "&raw" where "raw" is an identifier. (rust-parser-updated)
  • Errors during target file discovery (e.g., permission errors, git failures) are now surfaced as warnings instead of being silently ignored. (ENGINE-2627)
  • kotlin: Fixed bug parsing FQNs in metavariable-type. (LANG-271)
  • Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names. (SC-3379)
  • Prevented certain deeply nested aliengrep matches from segfaulting semgrep-core. (engine-2628)
  • Fix Python parsing for files that contains empty strings (or quotes in docstrings) along with match statements. (gh-11287)
  • Fix rule paths.include/paths.exclude filtering when a single file is passed as a scan target. Previously, path patterns like '/src/test//*.java' would not match because only the filename was used for filtering instead of the full project-relative path. (gh-11560)
  • Pro: Improved type resolution in Scala (lang-79)
  • Pro: Improved call resolution in Scala for parameterless methods (lang-80)

v1.156.0

Compare Source

1.156.0 - 2026-03-17

### Changed
  • The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)
### Fixed
  • Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
  • Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
  • Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

v1.155.0

Compare Source

1.155.0 - 2026-03-11

### Added
  • Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
  • scala: Improved support for Scala 3's optional braces. (LANG-218)
  • Added PowerShell language support (beta) with parsing and pattern matching (lang-233)
### Changed
  • Removed the experimental and undocumented command semgrep install-ci. (osemgrep-install-ci)

  • Migrate from publishing a single Linux wheel with the platform tag musllinux_1_0_<arch>.manylinux2014_<arch> to publishing two separate wheels:

    • A wheel with the platform tag musllinux_1_0_
    • A wheel with the platform tag manylinux2014_

    (pypi-linux-tag)

### Fixed
  • When performing parallel operations over a small number of input items, the
    engine no longer spawns more OCaml domains than we have items to process. This
    assists with resource utilisation. (engine-2588)
  • Fixed: Prevent SessionStart hook crash when inject-secure-defaults receives empty stdin (JSONDecodeError). (engine-2592)
  • Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the --secrets-timeout flag. (engine-2593)
  • Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)

v1.154.0

Compare Source

1.154.0 - 2026-03-04

### Fixed
  • Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
  • Changed default memory policy from "eager" to "balanced". Scan times should
    noticably improve; however, scans may use 5-10% additional memory. If running
    in a resource-constrained environment, consider setting the memory policy back
    to "aggressive". (engine-2055)
  • When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k files). Semgrep will now parallelize this work according to the number of jobs passed (-j) (engine-2512)
  • Fixed a performance issues where passing many scannign roots on the command
    line (e.g. semgrep scan $(git ls-files '*.py')) caused one semgrep-core
    subprocess to be spawned per file. Roots that are not directories are now
    handled directly in Python without any subprocess overhead. (gh-11404)
  • Scala: Restored parse rate after mistaken bug introduced by implicit block parsing fix (lang-215)

v1.153.0

Compare Source

1.153.0 - 2026-02-25

### Added
  • Semgrep core is now optimized with flambda (flambda)
  • Scala: Support for for-yield (LANG-193)
### Fixed
  • Scala: Fixed a parsing bug where subsequent calls in an implicit block would not
    be considered at the same scope, e.g.
    def f (a: t) =
      foo()
      bar()
    ``` (lang-194)
    

v1.152.0

Compare Source

1.152.0 - 2026-02-17

### Added
  • Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

  • Turned on DNS rebinding protection for the MCP server (dns-check)

  • Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

  • Memory management policies

    A memory policy defines how OCaml's garbage collector should be configured for
    a scan. There are two initial policies: "aggressive", the current behaviour,
    which trades longer scan times for lower memory use, and "balanced", which
    finds a middle ground between reclaiming heap memory in short order while
    limiting how often the garbage collector runs. The policy can be configured
    via the --x-mem-policy CLI flag for the pro engine; this flag is unused in
    the OSS engine. (engine-2055)

  • Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@​hex0punk) for the contribution! (gh-11347)

  • Allows case insensitive string comparisons using lower() and upper() like this:

    - metavariable-comparison:
        metavariable: $VALUE
        comparison: upper(str($VALUE)) == "SEMGREP"
    

    (gh-11502)

  • Blocking findings that are outputted in the CI output are now labelled as such. (#​4394)

### Changed
  • pro: There should be fewer FNs when the max number of fields to track per object
    is reached. (code-9224)
  • Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)
### Fixed
  • pro: Improved accuracy of taint tracking through assignments, this will help
    reduce FPs in some cases. (code-9220)
  • When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a
    longer period of time before retrying the request, to spread out requests
    during periods of app instability. (engine-2550)

v1.151.0

Compare Source

1.151.0 - 2026-02-04

Added
  • Added progress indicators for symbol analysis calculation and upload during CI scans (sc-3103)
Fixed
  • bumped glom to at least version 23.3, which includes a fix to a SyntaxWarning
    warning log. (gh-11460)
  • Semgrep no longer prints info log lines from semgrep-core RPC calls when --trace is passed and --debug isn't (loglines)
  • Fixed the README not appearing in built wheels. (wheelreadme)

v1.150.0

Compare Source

1.150.0 - 2026-01-29

Added
  • Connecting to the Semgrep MCP server via streamableHttp now requires OAuth. (saf-2453)
Changed
  • Migrated from pipenv to uv for ./cli package management (uv)
Fixed
  • pro: Improved virtual method resolution in Scala (code-9213)
  • Improved performance for supply chain scans by reducing pre-computation when printing the scan status. This results in slightly less information being displayed in the case that there are no rules to run. (gh-5436)
  • Supply Chain Analysis: fixed version range matching for NPM packages with versions containing a prerelease identifier such as -alpha in 1.2.3-alpha. (sc-3001)

v1.149.0

Compare Source

1.149.0 - 2026-01-21

Added
  • Added a warning in --debug mode when a user runs a parallel scan with a larger
    value for -j/--jobs than the number of CPUs we detect the host has made
    available to Semgrep. Additionally, a suggested starting value for -j/--jobs
    is reported to give the user a place to start tuning their scan. (saf-2474)
  • Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)
Changed
  • The MCP server no longer supports SSE transport. (saf-2462)
Fixed
  • pro: Improved virtual method resolution in Java (code-9210)
  • pro: Improved virtual method resolution in Scala (code-9212)
  • Improve performance of scan planning, a part of the Python CLI, by reducing
    the cost of re-hashing Target objects. Performance should improve on
    large repo scans proportionally to the number of files in the repo. (gh-5407)
  • semgrep ci no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

v1.148.0

Compare Source

1.148.0 - 2026-01-14

Added
  • Performance: subproject discovery in Supply Chain scans is no longer
    significantly slowed down by the presence of Git-untracked files
    resulting in faster diff scans in such cases. (sc-subproject-speedup)
Fixed
  • pro: Improved virtual method resolution in Java (code-9174)
  • pro: Improved handling of parse errors during inter-file analysis. Now, these
    errors should be adequately reported back to users and in the JSON output. (code-9216)
  • Dataflow now accounts for Python for/else and while/else loops. (gh-8405)
  • Fix rare "bad file descriptor" when performing Git operations on Windows (saf-2358)

v1.147.0

Compare Source

1.147.0 - 2026-01-07

Added
  • Gradle lockfiles of the form gradle*.lockfile are now supported. Previously, only lockfiles named exactly gradle.lockfile were supported. (SC-2999)
  • semgrep login now supports a --force flag, which ignores existing tokens and starts a new login session. The MCP setup workflow has been updated to use --force too. (saf-2392)
Fixed
  • Deduplication should now pick the exact same findings across scans. Previously,
    findings were always equivalent, but not guaranteed to be exactly the same
    (e.g. metavariable bindings could differ). Depending on the rule and target code,
    this could cause findings' fingerprints to change from one scan to another, thus
    leading to finding flakiness and "cycling" in Semgrep App. Note that when
    upgrading to this Semgrep version, you may see different (but equivalent) findings
    wrt your current Semgrep version in the first scan, one more time. However, in
    subsequent scans/upgrades, this problem should go away or at least be greatly
    reduced. (saf-2304)

v1.146.0

Compare Source

1.146.0 - 2025-12-17

Added
  • Added support for Cursor post-code-generation hooks via new record-file-edit and stop-cli-scan semgrep mcp flags (cursor-hooks)
  • Added skipped_paths field to CI scan results to report files that failed to scan due to errors (timeout, OOM, etc.), preventing the app from incorrectly marking findings in those files as fixed (gh-5122)
  • Symbol analysis, if enabled, now runs for Supply Chain only scans when calling semgrep ci. (sc-2927)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.22 to 3.23 (docker-version)
  • bumped the mcp python-sdk from 1.16.0 to 1.23.3 (mcp-version)
  • pro: [experimental] enabling and disabling transitive reachability
    analysis in semgrep ci regardless of app settings is now possible with
    --x-enable-transitive-reachability (or --x-tr)
    and --x-disable-transitive-reachability. (tr-flags)
Fixed
  • The PHP AST now distinguishes between if statements with no else clause and those with an explicit but empty else {}. (gh-11330)
  • git-lfs objects are now excluded from baseline scans, as they are usually binary files, or simply too large to scan. (saf-2020)
  • Fix a OCaml stdlib bug that would cause nondeterministic UnixErrors on Windows under the multicore runtime due to a race condition in the socketpair implementation (saf-2316)
  • Fixed an issue that in rare cases could lead timeouts to be mishandled. This typically manifested only through slightly different warning messages, but it is possible that more serious consequences could have occasionally resulted. (saf-2368)
  • Fixed symbol analysis incorrectly analyzing all files instead of only the relevant language files per ecosystem. (sc-3020)

v1.145.0

Compare Source

1.145.0 - 2025-12-04

Added
  • Added optional user-prompting for classifying findings as true/false positives via MCP Elicitation in the MCP server (behind SEMGREP_FINDINGS_ELICITATION_ENABLED, off by default). (elicitation)
  • Added hook to inject secure-by-default library recommendations into Claude Code Agent context. (secure-defaults-hook)
Changed
  • Symbol analysis upload now runs before scan completion to ensure it is available during initial scan postprocessing. (sc-2933)
Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
  • The correct range for let ... in expressions in OCaml is now reported. Previously, the location of the let was omitted. This is mainly relevant for autofix. (ocaml-let)
  • Debug log lines concerning telemetry collection that are only relevant inside
    Semgrep's managed scanning environment are not emitted if a scan runs outside
    that environment. (saf-2321)
  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted (saf-default-jobs)

v1.144.0

Compare Source

1.144.0 - 2025-11-19

Fixed
  • pro: interfile scans no longer default to -j 1; instead, the number of
    available CPUs on the system is polled as part of a heuristic to determine how
    many threads should be spawned. (gh-4952)
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

v1.143.0

Compare Source

1.143.0 - 2025-11-12

Added
  • Dataflow will now understand empty block expressions as having unit value in
    more instances. (code-9141)
  • Parallel scans will now use shared-memory parallelism using multicore OCaml
    domains, rather than the legacy fork-join approach. Users can opt into the
    legacy method with the --x-parmap CLI flag, and this deprecates the --x-eio
    flag (since it is now the default behaviour). (saf-2271)
  • Add -k/ --hook flag to enable Semgrep scans via Claude Code Agent post-tool hooks (saf-2279)
Fixed
  • When running semgrep scan or semgrep ci, the progress bar now always ends at 100%. (SAF-2079)
  • Pro: fixed various bugs relating to Scala match expression handling in dataflow
    analysis (e.g., some branches being misordered, especially when matching
    multiple variables against non-integer literal patterns). (code-9144)
  • Semgrep will now emit better error messages when exceptions are raised at the beginning or end of scan (exit-message)
  • Enabled taint tracking into Goroutines, by treating them as regular Go function calls. (gh-11207)
  • Fixed missing Rust type alias translation. We can now
    accurately match the () type in a type declaration. (gh-11283)
  • fixed MCP semgrep_findings tool to accept single issue_type parameter and corrected identity string role parsing (saf-2282)

v1.142.0

Compare Source

1.142.0 - 2025-10-30

Added
  • Pro: improved taint handling of match expressions in Scala. In examples like
    val x = taint match {
        case Some(t) => t
        case None => return "example"
    }
    dataflow should now track taint from taint to x. (code-9085)
  • pro: scala: http4s-specific support for case $M -> ... :? ... +& test +& ... => ... patterns. (code-9131)
Fixed
  • Supply Chain subproject resolution table is now shown even when no subprojects were successfully resolved (SC-2492)
  • UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies will be ignored. (SC-2888)
  • Failures in parsing UV lockfiles are now correctly reported as "Failed" rather than "Unsupported" (SC-2895)
  • build.gradle.kts files now resolve correctly when --allow-local-builds is passed. (SC-2899)
  • Rule parsing in 1.139.0 was switched to happen solely in semgrep-core. This caused some users to exit with code 7, so this change has been reverted. (saf-2265)

v1.141.0

Compare Source

1.141.0 - 2025-10-23

Added
  • pro: scala: http4s-specific support for $M -> ... / $X / ... patterns (code-9114)
Fixed
  • Improved detection of implicitly returned expressions.
    Functions in some languages, such as Ruby and Scala, can return a value without an explicit return statement.
    More expressions, such as string interpolation, are now correctly identified as implicitly returned. (code-9101)
  • Scala: Parser now accepts an $MVAR as a pattern alias (@), so
    e.g. case $X @&#8203; ... => ... is now a valid pattern. (code-9130)
  • fixed an issue where CamlinternalLazy.Undefined would occur while using eio multicore (saf-1877)

v1.140.0

Compare Source

1.140.0 - 2025-10-16

Added
  • scala: Allow partial case patterns such as case 1 => ... to easily match
    individual case clauses within a match-expression. (code-9118)
  • Added python 3.14 support. (gh-11250)
  • MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)
Fixed
  • Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
  • Display an error instead of a malformed success message
    when the show subcommand fails due to an invalid CLI token. (grow-630)
  • new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
  • Fixed an issue where temporary files, containing rules to be validated,
    persisted after a semgrep scan. (saf-2257)
  • MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
  • MCP: Fixed a bug where resource closure errors would occur when trying to use
    the MCP with the streamable-http tranport method. (saf-2264)

v1.139.0

Compare Source

1.139.0 - 2025-09-30

Added
  • --pro-intrafile scans will now add built-in taint propagators, like --pro does,
    hence producing extra findings. For example, in Java, list.add(taint) will now
    make list tainted even if the rule does not explicitly request that. Scan times
    should not be generally affected in a significant way. (code-9103)
  • Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
  • Associate Containerfiles with the dockerfile language (gh-11091)
Changed
  • Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#​4346, #​4269, #​4379) (gh-4379)
  • MCP: Removed the config parameter from the semgrep_scan tools, to prevent
    agents from inserting unwanted config files to scan with. (saf-2258)
Fixed
  • scala: Fixed matching of { case ... => ... } patterns. (code-9111)
  • Fixed a bug preventing metavariable-comparisons with more than two subsequent "and" or "or" conditions from producing findings. For example, the condition $X > 1 or $Y > 1 or $Z > 1 would previously always evaluate to false. Now, it will behave as expected. (gh-11209)
  • MCP: Fixed an issue where the semgrep_scan tool, when invoking the RPC-based
    scanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
  • MCP: The semgrep_findings tool now gives a suitable error message when erring due
    to insufficient permissions on standard semgrep login tokens. (saf-2254)
  • MCP: Fixed a bug where if the user is already logged in when running the setup flow,
    the Semgrep Pro Engine installation step would be ignored. (saf-2259)

v1.138.0

Compare Source

1.138.0 - 2025-09-25

Added
  • pro: scala: Method dispatching through traits (code-9092)
Changed
  • Pro: additionally improved prefiltering for taint rules, especially when using
    taint labels. This allows for the generation of more specific conditions than
    the previously released version (v1.133.0). (code-9097)
Fixed
  • pro: python: Fix resolution of implicit namespace modules (code-9008)
  • We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs
    passed to -f/-c/--config during config/rules fetching. (gh-11016)
  • Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...}
    no longer fails to parse. (saf-2159)
  • pro: improved performance of tsconfig.json matching for Typescript projects
    that contain multiple tsconfig.jsons. (saf-2163)
  • Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Compare Source

1.137.0 - 2025-09-17

Added
  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
    used to live at https://github.com/semgrep/mcp. That repository will be deprecated
    as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
  • Update semgrep-interfaces to only accept valid lanugage keys for editor (PR-4600)
Fixed
  • Fix incorrect interpretation of \# and \ in glob patterns found in
    Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-*
    packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

Compare Source

1.136.0 - 2025-09-09

No significant changes.

v1.135.0

Compare Source

1.135.0 - 2025-09-03

No significant changes.

v1.134.0

Compare Source

1.134.0 - 2025-08-27

Added
  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

v1.133.0

Compare Source

1.133.0 - 2025-08-22

Added
  • Pro: improved prefiltering for interfile rules. This allows the engine to skip
    interfile rules earlier in the process when we determine they cannot match in a
    given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)
Fixed
  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to
    ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more
    obscure cases that were interpreted as a float instead of a string. This
    might affect any area of Semgrep that deals with YAML files containing
    the string nan. (yaml-float-parsing)

v1.132.0

Compare Source

1.132.0 - 2025-08-14

Added
  • PHP: When enabling option taint_assume_safe_booleans the return values of
    boolval, is_bool, and || will be considered safe.
    When enabling taint_assume_safe_numbers the return values of intval,
    floatval, +, -, *, / and % will also be considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request
    took to complete will now be visible in the debug logs. (#​2130)
  • Introduces a timeout to internal HTTP requests, to prevent remote endpoints
    from indefinitely hanging the engine. (#​4295)
Changed
  • Pro scans will no longer attempt to parse tsconfig files for non-typescript scans. (gh-4407)
Fixed
  • Language server: Made it so that errors which occur no longer pop up in while using the
    IDE. They still log, but will no longer be displayed via UX. (saf-2193)
  • When validating the results of a secrets scan, do not have more than 256
    outstanding validators executing at a given time. (#​2130)

v1.131.0

Compare Source

1.131.0 - 2025-07-30

Fixed
  • Semgrep diff scans can now query the app for which merge base to use. This fixes the issue where some diff scans on shallow clones would use the wrong merge base, and do a diff scan on commits not in a PR. (better-merge-base)
  • Fix a possibility that an empty file be created in place of a missing input file. This bug had been introduced with Semgrep 1.115.0. (dont-create-missing-input-files)
  • When processing a target with debug logging enabled, we now only log the target
    path rather than the entire internal structure representation. This allows for
    more succinct log files and no longer introduces mid-entry newlines, which can
    break log-parsing tooling. (gh-4315)
  • Language server: Fixed a bug which broke the Sign in command (saf-2151)
  • CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
  • Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

v1.130.0

Compare Source

1.130.0 - 2025-07-23

Fixed
  • Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

Also includes changes from the canceled 1.129.0 release

Added
  • A warning is now printed for each exclude or include pattern found in rules
    that is considered ambiguous (paths.exclude, paths.include).

    Currently, a pattern that contains a middle slash such as src/*.c
    is considered floating or unanchored by our implementation. In order to
    be compliant with Gitignore and Semgrepignore, src/*.c
    should be treated as anchored. Since many programmers are unaware of this
    subtlety in the Gitignore specification, Semgrep now prints a warning asking
    the user to lift the ambiguity. A user will now be asked to
    change their pattern src/*.c into either /src/*.c (anchored) or
    **/src/*.c (floating). This clarifies the expected behavior for readers
    of Semgrep rules and will avoid problems when Semgrep rules adopt
    the Gitignore/Semgrepignore behavior. (rule-paths-middle-slash-patterns)

  • Secrets: Validation for AWS credentials which failed due to possibly transient
    reasons is now retried (3 attempts max). (scrt-917)

Fixed
  • When running semgrep scan in a docker container without an argument
    and no target project was mounted under /src,
    instead of a silent exit with code 2, a helpful error message is
    now printed before exiting. (docker-mount-error)
  • In-rule path filters (paths.exclude, paths.include) now apply to
    normalized file paths relative to the project root. This makes rule selection
    independent from the current work folder.
    Patterns with a leading slash such as /src are now anchored instead
    of being floating. For example, exclude: [ "/src" ] will exclude the target
    file src/main.c but no longer excludes misc/src/main.c. (rule-paths-leading-slash-patterns)
  • Fixed a bug where a Unix.Unix_error would occasionally crash the experimental language server
    on startup. (saf-2133)
  • CLI: Only log a sample of the response from the get_targets endpoint.
    Previously, scanning large repos with the debug flag significantly ballooned
    the size of the output log. (saf-2145)

v1.128.0

Compare Source

[1.128.0](

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@alma-renovate-bot
alma-renovate-bot Bot requested a review from a team June 7, 2025 00:09
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from a8a37f1 to 11dea91 Compare June 12, 2025 04:08
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.124.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.125.0 Jun 12, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 11dea91 to ba1915d Compare June 18, 2025 20:07
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.125.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.126.0 Jun 18, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from ba1915d to 82722c1 Compare June 24, 2025 20:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.126.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.127.0 Jun 24, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 82722c1 to 75800c1 Compare July 4, 2025 00:05
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.127.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.128.0 Jul 4, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 75800c1 to edde821 Compare August 10, 2025 00:09
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.128.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.131.0 Aug 10, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from edde821 to 712caf0 Compare August 15, 2025 00:08
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.131.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.132.0 Aug 15, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 712caf0 to 1ede29d Compare August 22, 2025 20:05
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.132.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.133.0 Aug 22, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 1ede29d to 0cc31bf Compare August 28, 2025 09:11
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.133.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.134.0 Aug 28, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 0cc31bf to 2d8200f Compare September 4, 2025 00:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.134.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.135.0 Sep 4, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 2d8200f to 064c66c Compare September 10, 2025 00:05
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.135.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.136.0 Sep 10, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 064c66c to fe6760b Compare September 19, 2025 00:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.136.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.137.0 Sep 19, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from fe6760b to f756173 Compare September 25, 2025 16:05
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.137.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.138.0 Sep 25, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from f756173 to edb1108 Compare October 1, 2025 04:05
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.138.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.139.0 Oct 1, 2025
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from edb1108 to 139883e Compare October 20, 2025 00:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.139.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.140.0 Oct 20, 2025
@sonarqubecloud

Copy link
Copy Markdown

@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 365b6bb to a13fef8 Compare January 11, 2026 00:10
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.146.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.147.0 Jan 11, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from a13fef8 to 6530753 Compare January 18, 2026 04:12
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.147.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.148.0 Jan 18, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 6530753 to d91355f Compare January 25, 2026 00:11
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.148.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.149.0 Jan 25, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from d91355f to d003098 Compare February 2, 2026 00:10
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.149.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.150.0 Feb 2, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from d003098 to c36e032 Compare February 7, 2026 20:12
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.150.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.151.0 Feb 7, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from c36e032 to 86b7ef4 Compare February 21, 2026 04:07
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.151.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.152.0 Feb 21, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 86b7ef4 to 04e2df4 Compare March 1, 2026 00:12
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.152.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.153.0 Mar 1, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 04e2df4 to f375765 Compare March 7, 2026 20:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.153.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.154.0 Mar 7, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from f375765 to 9c5f3b4 Compare March 15, 2026 00:07
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.154.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.155.0 Mar 15, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 9c5f3b4 to ddc3c9b Compare April 13, 2026 12:04
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.155.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.158.0 Apr 13, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from ddc3c9b to 996b024 Compare April 14, 2026 00:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.158.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.159.0 Apr 14, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 996b024 to be1f350 Compare April 19, 2026 20:10
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.159.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.160.0 Apr 19, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from be1f350 to 4ac8e86 Compare April 26, 2026 00:06
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.160.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.161.0 Apr 26, 2026
@alma-renovate-bot
alma-renovate-bot Bot force-pushed the renovate/tools-and-pre-commit branch from 4ac8e86 to 796c3ab Compare May 10, 2026 16:08
@alma-renovate-bot alma-renovate-bot Bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.161.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.162.0 May 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants