
alma-renovate-bot[bot]
Contributor

@alma-renovate-bot alma-renovate-bot bot commented Jun 7, 2025

This PR contains the following updates:

Package Type Update Change
returntocorp/semgrep repository minor v1.103.0 -> v1.138.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

returntocorp/semgrep (returntocorp/semgrep)

v1.138.0

Compare Source

1.138.0 - 2025-09-25

Added
  • pro: scala: Method dispatching through traits (code-9092)
Changed
  • Pro: additionally improved prefiltering for taint rules, especially when using
    taint labels. This allows for the generation of more specific conditions than
    the previously released version (v1.133.0). (code-9097)
Fixed
  • pro: python: Fix resolution of implicit namespace modules (code-9008)
  • We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs
    passed to -f/-c/--config during config/rules fetching. (gh-11016)
  • Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...}
    no longer fails to parse. (saf-2159)
  • pro: improved performance of tsconfig.json matching for Typescript projects
    that contain multiple tsconfig.jsons. (saf-2163)
  • Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Compare Source

1.137.0 - 2025-09-17

Added
  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
    used to live at https://github.com/semgrep/mcp. That repository will be deprecated
    as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
  • Update semgrep-interfaces to only accept valid language keys for editor (PR-4600)
Fixed
  • Fix incorrect interpretation of \# and \ in glob patterns found in
    Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-*
    packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

Compare Source

1.136.0 - 2025-09-09

No significant changes.

v1.135.0

Compare Source

1.135.0 - 2025-09-03

No significant changes.

v1.134.0

Compare Source

1.134.0 - 2025-08-27

Added
  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

v1.133.0

Compare Source

1.133.0 - 2025-08-22

Added
  • Pro: improved prefiltering for interfile rules. This allows the engine to skip
    interfile rules earlier in the process when we determine they cannot match in a
    given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)
Fixed
  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to
    ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more
    obscure cases that were interpreted as a float instead of a string. This
    might affect any area of Semgrep that deals with YAML files containing
    the string nan. (yaml-float-parsing)

v1.132.0

Compare Source

1.132.0 - 2025-08-14

Added
  • PHP: When enabling option taint_assume_safe_booleans the return values of
    boolval, is_bool, and || will be considered safe.
    When enabling taint_assume_safe_numbers the return values of intval,
    floatval, +, -, *, / and % will also be considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request
    took to complete will now be visible in the debug logs. (#2130)
  • Introduces a timeout to internal HTTP requests, to prevent remote endpoints
    from indefinitely hanging the engine. (#4295)
Changed
  • Pro scans will no longer attempt to parse tsconfig files for non-typescript scans. (gh-4407)
Fixed
  • Language server: Made it so that errors which occur no longer pop up while using the
    IDE. They still log, but will no longer be displayed via UX. (saf-2193)
  • When validating the results of a secrets scan, do not have more than 256
    outstanding validators executing at a given time. (#2130)

v1.131.0

Compare Source

1.131.0 - 2025-07-30

Fixed
  • Semgrep diff scans can now query the app for which merge base to use. This fixes the issue where some diff scans on shallow clones would use the wrong merge base, and do a diff scan on commits not in a PR. (better-merge-base)
  • Fix a possibility that an empty file be created in place of a missing input file. This bug had been introduced with Semgrep 1.115.0. (dont-create-missing-input-files)
  • When processing a target with debug logging enabled, we now only log the target
    path rather than the entire internal structure representation. This allows for
    more succinct log files and no longer introduces mid-entry newlines, which can
    break log-parsing tooling. (gh-4315)
  • Language server: Fixed a bug which broke the Sign in command (saf-2151)
  • CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
  • Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

v1.130.0

Compare Source

1.130.0 - 2025-07-23

Fixed
  • Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

Also includes changes from the canceled 1.129.0 release

Added
  • A warning is now printed for each exclude or include pattern found in rules
    that is considered ambiguous (paths.exclude, paths.include).

    Currently, a pattern that contains a middle slash such as src/*.c
    is considered floating or unanchored by our implementation. In order to
    be compliant with Gitignore and Semgrepignore, src/*.c
    should be treated as anchored. Since many programmers are unaware of this
    subtlety in the Gitignore specification, Semgrep now prints a warning asking
    the user to lift the ambiguity. A user will now be asked to
    change their pattern src/*.c into either /src/*.c (anchored) or
    **/src/*.c (floating). This clarifies the expected behavior for readers
    of Semgrep rules and will avoid problems when Semgrep rules adopt
    the Gitignore/Semgrepignore behavior. (rule-paths-middle-slash-patterns)

  • Secrets: Validation for AWS credentials which failed due to possibly transient
    reasons is now retried (3 attempts max). (scrt-917)

Fixed
  • When running semgrep scan in a docker container without an argument
    and no target project was mounted under /src,
    instead of a silent exit with code 2, a helpful error message is
    now printed before exiting. (docker-mount-error)
  • In-rule path filters (paths.exclude, paths.include) now apply to
    normalized file paths relative to the project root. This makes rule selection
    independent from the current work folder.
    Patterns with a leading slash such as /src are now anchored instead
    of being floating. For example, exclude: [ "/src" ] will exclude the target
    file src/main.c but no longer excludes misc/src/main.c. (rule-paths-leading-slash-patterns)
  • Fixed a bug where a Unix.Unix_error would occasionally crash the experimental language server
    on startup. (saf-2133)
  • CLI: Only log a sample of the response from the get_targets endpoint.
    Previously, scanning large repos with the debug flag significantly ballooned
    the size of the output log. (saf-2145)

v1.128.0

Compare Source

1.128.0 - 2025-07-03

Added
  • HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g HTTP_PROXY=domain.com:port) (saf-2082)
Fixed
  • Java: Deprecated class $A partial class pattern, in favor of
    class $A { ... }
    (safe-2104)

v1.127.0

Compare Source

1.127.0 - 2025-06-24

Fixed
  • pro: typescript: Prevent stack overflows and out-of-memory issues when reading
    TS configs. (code-8678)

v1.126.0

Compare Source

1.126.0 - 2025-06-18

Fixed
  • Missing version constraints in yarn.lock descriptors no longer raise parsing errors (sc-2293)

v1.125.0

Compare Source

1.125.0 - 2025-06-11

Added
  • Dependency resolution errors that result from local builds are now reported in the scan log by default. (SC-2442)
  • Adds reporting of SSC subproject dependency resolution to the output when using --json. (SC-2458)
  • Semgrep's JSON output now will always include some basic profiling data (WIP). (code-8529)
  • C# Dependency Parsing can now handle dependencies with "Project" & "CentralTransitive" transitivities. (sc-2376)
Fixed
  • Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)
  • Added support for npm aliasing in package-lock.json, fixing a bug where packages would rarely be misidentified. (SC-2387)
  • Fixed scenario where case statements with ellipsis did not match patterns correctly. (gh-10086)
  • Nosemgrep ignore comments no longer require exactly one space before, allowing for more commenting styles. (gh-11041)
  • Fixed bug where Javascript autofix breaks syntax for if statements by consuming parentheses. (gh-9522)
  • Fix: the Semgrep findings returned by the Semgrep language server (LSP)
    are now sorted correctly based on their location within files.
    This benefits all the Semgrep IDE extensions (VSCode, IntelliJ). (ide-findings-order)
  • fixed an issue where semgrep ci logs in GitLab would return an incorrect URL
    with the wrong &ref=... argument. (saf-959)

v1.124.0

Compare Source

1.124.0 - 2025-06-04

Added
  • Parallelizes rule validation to improve performance when scanning with many rule files. (SAF-2061)
  • Semgrep should now respect ALL_PROXY, HTTP_PROXY, HTTPS_PROXY,
    NO_PROXY, PROXY_USERNAME and PROXY_PASSWORD for all networking (including
    that done via the OCaml components). Moreover, the environment variable
    OCAML_EXTRA_CA_CERTS should now allow additional CA certs to be used for
    network operations done by OCaml components. (code-8157)
Fixed
  • Stop attempting to parse build.gradle.kts files as build.gradle. (SC-2209)
  • Taint rules using the experimental feature labels, and specifying sinks
    with a requires: of the form not A, could produce findings with an empty
    list of traces, potentially causing a crash. We now recognize the issue and
    prevent the crash from happening. (code-8531)
  • Fixed inconsistency where the empty Python fstring f"" was not matched by the pattern "...". (gh-10047)
  • Fixed bug where dev dependencies (and their dependencies, and so on) were incorrectly marked as "transitivity: unknown" when parsing package-lock.json projects, specifically v3 lockfiles. (gh-4003)
  • Fixed scenario where a multiplication expression of ints was not considered an int. This will help with metavariable-type. Concretely, "2 * groups" was not considered an int, where groups is an int. Additionally adds type inference for mod, floor division, and pow. (gh-9855)
  • pro: python: Fixed a regression that could (in rare cases) cause naming to take a
    disproportionate amount of time significantly slowing down scans. (saf-1978)

v1.123.0

Compare Source

1.123.0 - 2025-05-28

Fixed
  • Fixed bug where supply chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable. (SC-2088)
  • Fixed documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in. (gh-11028)

v1.122.0

Compare Source

1.122.0 - 2025-05-14

Added
  • Adds support for the UV package manager in Supply Chain scans. (SC-1900)
Fixed
  • pro: Fixed inter-file naming bug affecting Go's struct-methods that could result
    in false negatives.

    Previously, adding a pattern-inside like

    func ($THING $TYPE) $FUNC(...) $R { ... }
    

    to a taint rule could cause some findings to incorrectly stop being reported. (code-7767)

  • PRO: Fixed the issue with type matching when a type has a type parameter, e.g., matching the pattern std::vector<$T> with the code std::vector<int> v in C++. (code-8443)

  • Make Nuget dependency child parsing case insensitive (sc-2355)

  • Fixed bug where direct dev dependencies were not marked as direct when parsing package-lock.json projects. (sc-dev)

v1.121.0

Compare Source

1.121.0 - 2025-05-06

Added
  • pro: Improved handling of tsconfig.json in instances where multiple
    typescript "projects" (i.e., separately rooted source directories with their
    own configurations not joined by a single tsconfig.json with project
    references) are being scanned as one project under semgrep. This should result
    in better name/module resolution in TypeScript. (code-7798)
  • pro: Improved handling of include, exclude and files properties in
    tsconfig.json. Projects which use more than one tsconfig in a given directory
    which apply to different sets of files under that directory should see
    improvements in name/module resolution. (code-7798-a)
  • Improved Supply Chain scan output and logging. (sc-2356)
Changed
  • Upgrade the Julia parser to the tree-sitter-julia 0.22.0 (gh-10820)
Fixed
  • Fix bug introduced in Semgrep 1.120.0 causing interfile analyses to run out of memory due to too many parallel jobs. The default setting had been accidentally set to the number of available CPUs which is often too much in interfile mode. It's now back to -j1 and it can be overridden by the user. (interfile-num-jobs)
  • Fixed CI output so it shows per-product links depending on what product is enabled in a scan. (pr-3776)
  • CLI: Fixed a bug where --disable-nosem was not properly causing nosemgrep'd findings
    to be uploaded to the App. (saf-1982)
  • Exempt large manifests & lockfiles from being ignored by semgrep's file size filtering.
    This fixes a regression introduced in 1.117.0 (sca-1705). (sc-1705)

v1.120.0

Compare Source

1.120.0 - 2025-04-22

Added
  • Added a few new entries in the .semgrepignore default file
    (e.g., _cargo, _opam, .svn) (semgrepignore)
  • Add an experimental option --x-semgrepignore-filename to change the name of .semgrepignore files to something else. This can be used to scan a subproject in a separate semgrep invocation as the rest of the containing project. (semgrepignore-filename)
Fixed
  • Fixed bug in pro package-lock.json parsing where dependencies with no specified version would cause an exception (SC-2150)
  • Fixed the default -j setting so as to take into account the cgroup
    CPU quota on Linux. This will affect Docker and other containerized
    environments that share resources on the same host. Use the new command
    semgrep show resources --experimental to show the default setting. (saf-1950)

v1.119.0

Compare Source

1.119.0 - 2025-04-16

Added
  • python: Semgrep will now perform dataflow analysis within and through comprehensions. (saf-1560)
  • A new subcommand semgrep show project-root is now provided to display
    the project root path associated with a scan root. This is useful for
    troubleshooting Semgrepignore (v2) issues. (saf-1936)
Fixed
  • tainting: Apply taint_assume_safe_numbers and taint_assume_safe_booleans
    earlier when considering to track taint through class fields and function
    parameters. If the field/parameter has a number/Boolean type and the
    corresponding option is set, it will just not be tracked. In some cases this
    can help with performance.

    Also added short/Short to the list of integer types recognized by
    taint_assume_safe_numbers. (code-8345)

  • IDE: The Semgrep VS Code Extension will no longer hang on Getting code actions from Semgrep...
    on saving a file, when updating rules. (saf-1954)

v1.118.0

Compare Source

1.118.0 - 2025-04-09

Fixed
  • Pro: Failure to parse a package.json file when analysing JavaScript or
    TypeScript is no longer a fatal error. (code-8227)

  • taint-mode: Fixed bug in taint "auto-cleaning" where we automatically clean the
    LHS of an assignment if the RHS is clean, provided that the LHS is not subject to
    any "side-effects". In some cases, this could cause the taint analysis to timeout.
    Some combinations of rules and repos will see a major perf improvement, in other
    cases it may not be noticeable. (code-8288)

  • In a Semgrep rule's metadata section, two fields may provide URLs:

    • source: populated dynamically by the Semgrep registry serving the rule, it's a URL that
      offers information about the rule.
    • source-rule-url: optional string, a URL for the source of inspiration for the rule.

    The SARIF format supports only one URL under the field helpUri.
    Previously, Semgrep populated the SARIF helpUri field only with metadata.source.
    This fix is to use metadata.source if available, otherwise falling back to metadata.source-rule-url.

    Contributed by @candrews. (gh-10891)

v1.117.0

Compare Source

1.117.0 - 2025-04-02

Added
  • Add temporary backward compatibility in Semgrepignore v2 for patterns
    that start with ./. For example, the pattern ./*.py should be written as
    /*.py to have the desired effect of excluding the .py files
    located in the same directory as the .semgrepignore file containing
    the pattern.
    To minimize surprises for users switching to Semgrepignore v2,
    we'll be interpreting automatically ./*.py as /*.py for the time
    being so as to match the legacy Semgrepignore v1 behavior. Users should not
    rely on this since it doesn't comply with the Gitignore/Semgrepignore
    standard and will be removed in the future. (tolerate-semgrepignore-v1-dotslash)
  • Target file selection now uses
    Semgrepignore v2 by default. This brings the behavior of the Semgrepignore file
    exclusions closer to Git and .gitignore files. There can now
    be multiple .semgrepignore files in the project. The .semgrepignore file
    in the current folder is no longer consulted unless it is in the project.
    Negated patterns are now supported such as !scanme.py as with Gitignore.
    Some bugs were fixed. (use-semgrepignore-v2)
Changed
  • Upgrade Semgrep from OCaml 5.2.1 to 5.3.0 (#3)
Fixed
  • In Semgrepignore v2, allow wildcards * and ? to match file names with a leading period. This matches the behavior of Gitignore and Semgrepignore v1. (semgrepignore-dotfiles)

v1.116.0

Compare Source

1.116.0 - 2025-03-28

Fixed
  • Use value of $XDG_CACHE_HOME before hardcoded ~/.cache for semgrep_version file (gh-4465)

v1.114.0

Compare Source

1.114.0 - 2025-03-19

Fixed
  • Pro Engine now more accurately tracks the scope of Python local variables. For
    example, the following code defines two z variables that should be tracked
    separately.

    z = 1
    
    def foo():
        z = 2
        a = z
    

    The Pro engine now correctly recognizes that the z assigned to a is the one
    defined in the local scope, not the global scope. (code-8114)

v1.113.0

Compare Source

1.113.0 - 2025-03-17

Fixed
  • Semgrep will no longer fail a diff scan if there is a relative safe directory (saf-1851)

v1.112.0

Compare Source

1.112.0 - 2025-03-13

Added
  • TypeScript parser now allows ellipses in class bodies. For example, you can
    write the pattern like:

    class $C {
      ...
      $FUNC() { ... }
      ...
    }
    (code-8242)
  • Semgrep will now present more detailed info when a scan is complete, such as what percent of lines were scanned. It is also formatted in a new manner (saf-details)
  • Verbose output will now print additional info about parsing and internal semgrep errors, such as what % of lines were skipped, and the lines they occurred on (saf-verbose)
Fixed
  • pro: Fixed bug in (experimental) "at-exit" sinks feature that would prevent
    the identification of a statement like return foo() as one such sink. (code-8199)
  • FIX: --gitlab-secrets output has been updated to conform to GitLab JSON schema (scrt-849)
  • The behavior of --semgrepignore-v2 changed to be closer to the legacy
    Semgrepignore v1. .gitignore files are no longer loaded automatically
    as part of the Semgrepignore v2 exclusion mechanism.
    Loading a .gitignore file must be done
    by placing :include .gitignore in the .semgrepignore file
    as was the case with Semgrepignore v1. (semgrepignore-v1-compat)

v1.111.0

Compare Source

1.111.0 - 2025-03-04

Changed
  • Removed .semgrepignore file lookup using the SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE environment variable. This was used by semgrep-action which
    has been deprecated. (semgrep-action)
Fixed
  • pro: Fixed bug that could prevent taint tracking from following a virtual call
    in JS/TS. (code-8065)
  • PRO: Restricted heuristic search of the Python module path to paths only under
    the project root to reduce inaccuracies in module resolution. This change
    mitigates the risk of resolving module specifiers to incorrect paths,
    particularly in cases involving common library names (e.g., django). (code-8146)
  • Fix the incorrect schema and analysis type in the JSON output of the secret
    findings when using the --gitlab-secrets flag. (scrt-833)

v1.110.0

Compare Source

1.110.0 - 2025-02-26

Added
  • pro: Inter-file analysis will now process Javascript and Typescript files
    together, so that taint can be tracked across both languages. (code-8076)

  • Pro: new metavariable-name operator which allows for expressing a constraint
    against the fully qualified name or nearest equivalent of a metavariable
    (useful mainly in JavaScript and TypeScript, where there is no first-class
    syntax for this, or where such names or pseudo-names contain symbols which
    cannot appear in identifiers). Requires pro naming passes and works best with
    interfile naming.

    Additional documentation forthcoming. (code-8121)

Changed
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our PyPI and Homebrew distributions. Our Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. (ocaml5)
Fixed
  • Fixed a regression in pro interfile mode where type inference for the var
    keyword in Java was not functioning correctly. (code-7991)

  • PRO: Fix the range not found error when using a metavariable pattern match on
    a typed metavariable. For example, the following metavariable pattern rule will
    no longer trigger the error:

    patterns:
      - pattern: ($FOO $VAR).bar()
      - metavariable-pattern:
          metavariable: $FOO
          pattern-either:
            - pattern: org.foo.Foo
    (code-8007)

  • lsp will no longer send diagnostics where the message is MarkupContent since
    our current implementation does not discriminate on the client capability for
    receiving such diagnostics (to-be-added in 3.18). (code-8120)

  • Yarn.lock parser now correctly denotes NPM organization scope. (sc-2107)

  • Packages in Package.resolved without a version are now ignored. (sc-2116)

  • Updated Package.swift parser to support:

    • The url value in a .package entry doesn't have to end with .git
    • You can have an exact field that looks like exact: "1.0.0" instead of .exact("1.0.0")
    • The exact version can be an object like Version(1,2,3) instead of a string
    • You can have .package values with no url, like this: .package(name: "package", path: "foo/bar") (sc-2117)

v1.109.0

Compare Source

1.109.0 - 2025-02-19

Changed
  • Pyproject.toml files are now parsed using a toml parser (tomli). (sc-2054)
Fixed
  • pro: taint-mode: Fixed limitation in custom taint propagators.
    See https://semgrep.dev/playground/s/ReJQO (code-7967)
  • taint-mode: Disable symbolic-propagation when matching taint propagators
    to prevent unintended interactions. See https://semgrep.dev/playground/s/7KE0k. (code-8054)
  • Fixed pattern match deduplication to avoid an O(n^2) worst-case complexity, and
    optimized the matching of ordered ..., PAT, ... patterns. (saf-682)

v1.108.0

Compare Source

1.108.0 - 2025-02-12

Added
  • pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)
Changed
  • Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
  • The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and
    "semgrep.policy:" are now filtered from the JSON output unless you
    are logged in with the Semgrep appsec platform.
    See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
  • The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)
Fixed
  • This PR changes the way we handle failures in git worktree remove more gracefully.
    Instead of erroring, we continue to scan so that the user can still get results, but
    log the error. It also adds a guard so that this failure is less likely to happen
    and will include more debugging information when it does. (sms-521)

v1.107.0

Compare Source

1.107.0 - 2025-02-04

Added
  • More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
  • Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)
Fixed
  • The pro engine now respects the correct order of field resolution in Scala's
    multiple inheritance. The type that appears later takes precedence when
    resolving fields. For example, in class A extends B with C with D, the order
    of precedence is D, C, B, and A. (code-7891)
  • pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
  • pro: python: Fixed resolution of calls to the implementation of abstract methods.
    See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
  • Fixed the semgrep ci --help to not include experimental options
    like --semgrep-branch (saf-1746)
  • Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
  • Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)
Infra/Release Changes
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

v1.106.0

Compare Source

1.106.0 - 2025-01-29

See 1.105.0 Changelog:

1.105.0 - 2025-01-29

Added
  • Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)
Changed
  • Added extra defensive try/catch around lockfile parsing (parsing)
Fixed
  • LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
  • Some bug fixes to pnpm lockfile parsing. (gh-2955)
  • Fix npm aliasing bug in yarn parser. (sc-2052)
  • Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

v1.104.0

Compare Source

1.104.0 - 2025-01-22

Changed
  • Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)
Fixed
  • pro: Fixed bug in inter-file matching of subtypes. When looking to match some
    type A, Semgrep will match any type B that is a subtype of A, but in certain
    situations this did not work. (code-7963)

  • taint-mode: Make traces record assignments that transfer taint via shapes.

    For example, in code like:

    B b = new B(taint);
    B b1 = b;
    sink(b1.getTaintedData());
    

    The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

  • Python: Parser updated to the most recent tree-sitter grammar.
    Parse rate from 99.8% -> 99.998%. (saf-1810)


Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
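The 1.130.0 notes above describe the warning for ambiguous rule path patterns such as src/*.c, and the 1.129.0 fix makes a leading slash (/src) anchor a pattern to the project root instead of letting it float. The following is an added example, not code from Semgrep or from this PR: it models those Gitignore/Semgrepignore anchoring rules for a rule's paths block (the RULE_PATHS block and the lint_rule_paths helper are constructed for illustration) so a rule author can check what a given exclude or include pattern will actually match once rules adopt Gitignore semantics.

```python
import re

# Added example, not Semgrep's own code. Constructed rule `paths` block
# containing the three pattern forms the changelog discusses.
RULE_PATHS = {
    "exclude": ["src/*.c", "/vendor", "**/tests/*.py"],
    "include": ["*.c"],
}


def is_ambiguous(pattern: str) -> bool:
    """True for patterns like 'src/*.c': a slash in the middle, but neither
    an explicit leading '/' (anchored) nor a leading '**/' (floating)."""
    body = pattern.rstrip("/")
    if body.startswith("/") or body.startswith("**/"):
        return False
    return "/" in body


def disambiguate(pattern: str) -> tuple:
    """The two unambiguous spellings of an ambiguous pattern."""
    return "/" + pattern, "**/" + pattern


def _glob_to_regex(glob: str) -> str:
    """Translate a Gitignore-style glob into a regex; '*' and '?' never cross '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more directory levels
            i += 3
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def matches(pattern: str, path: str) -> bool:
    """Gitignore-style match of a project-root-relative path.

    '/src/*.c'   anchored: matches only from the project root.
    '**/src/*.c' floating: matches at any depth.
    'src/*.c'    a middle slash anchors the pattern under Gitignore rules
                 (the behavior the changelog says Semgrep rules will adopt).
    '*.c'        no slash: matches a file name at any depth.
    A pattern that names a directory also matches everything under it.
    """
    path = path.lstrip("/")
    if pattern.startswith("/"):
        body, floating = pattern[1:], False
    elif pattern.startswith("**/"):
        body, floating = pattern[3:], True
    elif "/" in pattern.rstrip("/"):
        body, floating = pattern, False
    else:
        body, floating = pattern, True
    regex = ("^" + ("(?:.*/)?" if floating else "")
             + _glob_to_regex(body.rstrip("/")) + "(?:/.*)?$")
    return re.fullmatch(regex, path) is not None


def lint_rule_paths(paths: dict) -> list:
    """One warning per ambiguous pattern in a rule's paths.exclude/paths.include."""
    warnings = []
    for key in ("exclude", "include"):
        for pat in paths.get(key, []):
            if is_ambiguous(pat):
                anchored, floating = disambiguate(pat)
                warnings.append(
                    f"paths.{key}: '{pat}' is ambiguous; write '{anchored}' "
                    f"(anchored) or '{floating}' (floating)")
    return warnings


if __name__ == "__main__":
    for warning in lint_rule_paths(RULE_PATHS):
        print("warning:", warning)
    for pat, path in [("/src/*.c", "src/main.c"), ("/src/*.c", "misc/src/main.c"),
                      ("**/src/*.c", "misc/src/main.c"), ("/vendor", "vendor/x/y.c")]:
        print(f"{pat:12} {path:16} -> {matches(pat, path)}")
```

Running the block prints one warning for src/*.c and shows that /src/*.c excludes src/main.c but not misc/src/main.c, while **/src/*.c excludes both; the check is intentionally strict so that a rule's filters behave the same regardless of the directory the scan is launched from.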

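The 1.138.0 notes say SEMGREP_APP_TOKEN is now filtered from requests made to non-Semgrep URLs passed via -f/-c/--config. The following is an added example, not Semgrep's code, of the decision a config fetcher has to make before attaching a credential: the host allowlist, the Bearer header format and the https-only rule are assumptions chosen for illustration, and the token value is constructed.

```python
from typing import Optional
from urllib.parse import urlparse

# Added example, not Semgrep's own code. The allowlist of first-party hosts
# is an assumption for illustration; the token is a constructed placeholder.
FIRST_PARTY_HOSTS = frozenset({"semgrep.dev"})
APP_TOKEN = "constructed-example-token"


def is_first_party_url(url: str) -> bool:
    """True only for https URLs whose host is an allowlisted host or a subdomain of one.

    Suffix matching is done on a '.' boundary so that a look-alike such as
    semgrep.dev.example.com is not treated as first party.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return False  # never send the token over cleartext
    host = (parts.hostname or "").lower()
    return host in FIRST_PARTY_HOSTS or any(
        host.endswith("." + trusted) for trusted in FIRST_PARTY_HOSTS)


def headers_for_config_fetch(url: str, app_token: Optional[str]) -> dict:
    """Build request headers for fetching a rule config from `url`.

    The app token is attached only when the destination is first party;
    a third-party rules URL given with --config gets no credential at all.
    """
    headers = {"Accept": "application/x-yaml, application/json"}
    if app_token and is_first_party_url(url):
        headers["Authorization"] = f"Bearer {app_token}"
    return headers


if __name__ == "__main__":
    for url in ("https://semgrep.dev/p/default",
                "https://example.com/rules.yaml",
                "http://semgrep.dev/p/default",
                "https://semgrep.dev.example.com/p/default"):
        sent = "Authorization" in headers_for_config_fetch(url, APP_TOKEN)
        print(f"{url:45} token sent: {sent}")
```

The same check belongs in any tool that can be pointed at a user-supplied URL while holding a credential: the host comparison, not the presence of a familiar string in the URL, decides whether the secret leaves the process.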
@alma-renovate-bot alma-renovate-bot bot requested a review from a team June 7, 2025 00:09
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from a8a37f1 to 11dea91 Compare June 12, 2025 04:08
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.124.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.125.0 Jun 12, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 11dea91 to ba1915d Compare June 18, 2025 20:07
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.125.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.126.0 Jun 18, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from ba1915d to 82722c1 Compare June 24, 2025 20:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.126.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.127.0 Jun 24, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 82722c1 to 75800c1 Compare July 4, 2025 00:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.127.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.128.0 Jul 4, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 75800c1 to edde821 Compare August 10, 2025 00:09
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.128.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.131.0 Aug 10, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from edde821 to 712caf0 Compare August 15, 2025 00:08
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.131.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.132.0 Aug 15, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 712caf0 to 1ede29d Compare August 22, 2025 20:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.132.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.133.0 Aug 22, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 1ede29d to 0cc31bf Compare August 28, 2025 09:11
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.133.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.134.0 Aug 28, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 0cc31bf to 2d8200f Compare September 4, 2025 00:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.134.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.135.0 Sep 4, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 2d8200f to 064c66c Compare September 10, 2025 00:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.135.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.136.0 Sep 10, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from 064c66c to fe6760b Compare September 19, 2025 00:06
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.136.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.137.0 Sep 19, 2025
@alma-renovate-bot alma-renovate-bot bot force-pushed the renovate/tools-and-pre-commit branch from fe6760b to f756173 Compare September 25, 2025 16:05
@alma-renovate-bot alma-renovate-bot bot changed the title chore(deps): update pre-commit hook returntocorp/semgrep to v1.137.0 chore(deps): update pre-commit hook returntocorp/semgrep to v1.138.0 Sep 25, 2025