Bump the dev-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the dev-dependencies group with 3 updates in the /export directory: mypy, types-setuptools and semgrep.

Updates mypy from 1.13.0 to 1.14.1

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Performance improvements

Mypy may be 5-30% faster. This improvement comes largely from tuning the performance of the garbage collector.

Contributed by Jukka Lehtosalo (PR 18306).

Mypyc accelerated mypy wheels for aarch64

Mypy can compile itself to C extension modules using mypyc. This makes mypy 3-5x faster than if mypy is interpreted with pure Python. We now build and upload mypyc accelerated mypy wheels for manylinux_aarch64 to PyPI, making it easy for users on such platforms to realise this speedup.

Contributed by Christian Bundy and Marc Mueller (PR mypy_mypyc-wheels#76, PR mypy_mypyc-wheels#89).

--strict-bytes

By default, mypy treats an annotation of bytes as permitting bytearray and memoryview. PEP 688 specified the removal of this special case. Use this flag to disable this behavior. --strict-bytes will be enabled by default in mypy 2.0.

Contributed by Ali Hamdan (PR 18263) and Shantanu Jain (PR 13952).

Improvements to reachability analysis and partial type handling in loops

This change results in mypy better modelling control flow within loops and hence detecting several issues it previously did not detect. In some cases, this change may require use of an additional explicit annotation of a variable.

Contributed by Christoph Tyralla (PR 18180, PR 18433).

(Speaking of partial types, another reminder that mypy plans on enabling --local-partial-types by default in mypy 2.0).

Better discovery of configuration files

Mypy will now walk up the filesystem (up until a repository or file system root) to discover configuration files. See the mypy configuration file documentation for more details.

... (truncated)

Commits

• 251d12f Remove +dev from version for release 1.14.1
• 667e5f7 Revert "Remove redundant inheritances from Iterator in builtins" (#18324)
• 67f673a Fix enum truthiness for StrEnum (#18379)
• 3755abb Fix getargs argument passing (#18350)
• b9fa8ee Update version to 1.14.1+dev for point release
• 6f37859 Remove +dev from version for release 1.14
• 5a6a754 Minor updates to 1.14 changelog (#18310)
• 9772d48 Update changelog for release 1.14 (#18301)
• 92473c8 Warn about --follow-untyped-imports (#18249)
• e6ce8be PEP 702 (@​deprecated): descriptors (#18090)
• Additional commits viewable in compare view

Updates types-setuptools from 75.6.0.20241126 to 75.8.0.20250110

Commits

• See full diff in compare view

Updates semgrep from 1.100.0 to 1.106.0

Release notes

Sourced from semgrep's releases.

Release v1.106.0

1.106.0 - 2025-01-29

See 1.105.0 Changelog:

1.105.0 - 2025-01-29

Added

• Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

• Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

• LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
• Some bug fixes to pnpm lockfile parsing. (gh-2955)
• Fix npm aliasing bug in yarn parser. (sc-2052)
• Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

Release v1.104.0

1.104.0 - 2025-01-22

Changed

• Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)

Fixed

• pro: Fixed bug in inter-file matching of subtypes. When looking to match some type A, Semgrep will match any type B that is a subtype of A, but in certain situations this did not work. (code-7963)

• taint-mode: Make traces record assignments that transfer taint via shapes.

  For example, in code like:

  B b = new B(taint);
  B b1 = b;
  sink(b1.getTaintedData());
  

  The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

• Python: Parser updated to the most recent tree-sitter grammar. Parse rate from 99.8% -> 99.998%. (saf-1810)

Release v1.103.0

1.103.0 - 2025-01-15

Added

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.106.0 - 2025-01-29

No significant changes.

1.105.0 - 2025-01-29

Added

• Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

• Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

• LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
• Some bug fixes to pnpm lockfile parsing. (gh-2955)
• Fix npm aliasing bug in yarn parser. (sc-2052)
• Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

1.104.0 - 2025-01-22

Changed

• Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)

Fixed

• pro: Fixed bug in inter-file matching of subtypes. When looking to match some type A, Semgrep will match any type B that is a subtype of A, but in certain situations this did not work. (code-7963)

• taint-mode: Make traces record assignments that transfer taint via shapes.

  For example, in code like:

... (truncated)

Commits

• b0d9436 chore: release version 1.106.0
• 2af07d8 fix(SSC): Handle peer dependencies when parsing a package-lock.json file (s...
• 80cbe25semgrep/semgrep-proprietary#2992
• 142e4ad Remove the --semgrep-branch and other flags from semgrep ci --help (semgrep/s...
• 6dc2087 Revert "Switch semgrep-core -lang from an Analyzer.t to proper Lang.t" (semgr...
• 8e88047semgrep/semgrep-proprietary#2988
• 85ae0b7 Switch semgrep-core -lang from an Analyzer.t to proper Lang.t (semgrep/semgre...
• 3e79051semgrep/semgrep-proprietary#2984
• 56a77e0semgrep/semgrep-proprietary#2968
• 27b5082semgrep/semgrep-proprietary#2967
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions