deps(deps-dev): update semgrep requirement from >=1.0.0 to >=1.164.0#165

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/semgrep-gte-1.164.0

deps(deps-dev): update semgrep requirement from >=1.0.0 to >=1.164.0#165
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/semgrep-gte-1.164.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 2, 2026

Updates the requirements on semgrep to permit the latest version.

Release notes

Sourced from semgrep's releases.

Release v1.164.0

1.164.0 - 2026-05-26

### Added

  • Dart: typed metavariables ($X as T) and metavariable-type, metavariable binding inside string interpolations, and function-definition patterns that match Dart function definitions. (gh-11678)

### Changed

  • The default memory limit for Pro interfile scans on Linux now adapts to the container's cgroup memory limit (90% of it) instead of the previous fixed 5 GiB, with an 8 GiB fallback when no cgroup limit is detected. (ENGINE-2568)
  • Lower the glibc constraint from >=2.35 to >=2.34, allowing users on distros that ship glibc 2.34 (e.g. RHEL 9 & AL2023) to install the semgrep wheel. (gh-11622)

### Fixed

  • Baseline diff scans (semgrep ci and --baseline-commit) no longer treat every finding on a file as newly introduced when rule(s) failed during the baseline run.

    Per-rule failures (for example a timeout for a single rule) on baseline analysis now hide only that rule's matches on that file from the "new vs baseline" comparison. Other rules on the same file are still included in the "new vs baseline" comparison.

    Per-file, rule-independent failures now hide all findings on that file from the "new vs baseline" comparison. (LANG-515)

  • Fixed a yarn.lock parse error on Yarn Berry entries written in YAML explicit-key form. Affected lockfiles previously failed to parse. (SC-3479)

  • The (beta) SBT resolver with --allow-local-builds now correctly identifies dependencies as part of the Maven ecosystem. (SC-3522)

  • Fix --sarif-output and --sarif causing nosemgrep-suppressed findings to be reported in CLI scan output and to block scans. Suppressed findings are now correctly excluded from terminal text output, the scan-summary count, and the CLI's exit code. (engine-1824)

  • Fixed a bug that could cause unreliable target filtering in parallel scans. (gh-6313)

  • Dart: improved parser fidelity for Dart 3 grammar features and routed pattern parsing for statements beginning with await, rethrow, and other statement keywords. Eliminates a large class of PartialParsing errors on real-world pub.dev packages. (gh-11678)

### Infra/Release Changes

  • pro: macOS: Fixed dynamic library lookup for semgrep-core-proprietary so the binary works when semgrep install-semgrep-pro is invoked, and semgrep is installed via Homebrew. (pro-binary-homebrew)
  • Pro: Added optional <case>.named_ast.expect golden files for tests/intrafile/maturity/ fixtures, exercised by Unit_maturity_named_asts. (LANG-287)
Changelog

Sourced from semgrep's changelog.


1.163.0 - 2026-05-13

### Added

  • Updated PHP target parsing to support grammar changes from PHP 8.1-8.5 (LANG-380)

### Changed

  • Improved semgrep ci startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
  • Semgrep now validates dependency aware rules only on the core side, improving startup time (validate-skip-dep-aware)
  • Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
  • Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)

... (truncated)

Commits
  • 887f1f4 semgrep/semgrep-proprietary#6402
  • 824d43c fix(sca): tag sbt deps ecosystem as Maven, not Pypi (semgrep/semgrep-propriet...
  • 38d4c3c semgrep/semgrep-proprietary#6377
  • 97e9ad0 semgrep/semgrep-proprietary#6395
  • 5b8d78a semgrep/semgrep-proprietary#6384
  • 528117f semgrep/semgrep-proprietary#6382
  • 9dda7a8 semgrep/semgrep-proprietary#6381
  • 2d02c08 fix(bump-version): allow .semgrep-version in release branch allowlist (semgre...
  • 64b684f semgrep/semgrep-proprietary#6378
  • 447dd74 semgrep/semgrep-proprietary#6373
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
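The --sarif/nosemgrep fix in the release notes above (engine-1824) comes down to one invariant: the suppression decision is made once and every output channel respects it. The following is an added example written for this page, not semgrep's code. It models the intended behaviour: a finding with a nosemgrep comment on the match's first line or the line above it (optionally scoped with `nosemgrep: rule-id`) stays in the SARIF document tagged with a SARIF 2.1.0 `suppressions` entry, but is dropped from the terminal listing, the summary count and the exit code. The data structures, function names, sample source file, rule ids and the "any unsuppressed finding blocks" exit policy are assumptions made for the illustration.

```python
import json
import re
from dataclasses import dataclass

# nosemgrep conventions as semgrep documents them: a bare "nosemgrep" on the
# first line of a match (or the line above it) suppresses every rule there;
# "nosemgrep: id1,id2" suppresses only the listed rule ids.
NOSEMGREP_RE = re.compile(r"nosemgrep(?::\s*([\w.\-]+(?:\s*,\s*[\w.\-]+)*))?")


@dataclass
class Finding:  # assumed shape, not semgrep's RuleMatch
    rule_id: str
    path: str
    line: int  # 1-based first line of the match
    severity: str
    suppressed: bool = False


def _suppressed_ids(text):
    """None when there is no nosemgrep comment, an empty set for a bare one, else the listed ids."""
    m = NOSEMGREP_RE.search(text)
    if m is None:
        return None
    if not m.group(1):
        return set()
    return {s.strip() for s in m.group(1).split(",")}


def apply_nosemgrep(findings, sources):
    """Mark a finding suppressed when its line, or the line above, carries a matching comment."""
    for f in findings:
        lines = sources[f.path].splitlines()
        candidates = [lines[f.line - 1]] + ([lines[f.line - 2]] if f.line >= 2 else [])
        for text in candidates:
            ids = _suppressed_ids(text)
            if ids is not None and (not ids or f.rule_id in ids):
                f.suppressed = True
                break
    return findings


def text_output(findings):
    """Terminal listing: suppressed findings must not appear."""
    return [f"{f.path}:{f.line} {f.rule_id}" for f in findings if not f.suppressed]


def summary_count(findings):
    """The scan-summary count also excludes suppressed findings."""
    return sum(1 for f in findings if not f.suppressed)


def exit_code(findings):
    """Simplified gate (assumption: any unsuppressed finding blocks). semgrep's real
    policy depends on the command and flags, but suppressed findings never count."""
    return 1 if summary_count(findings) else 0


def sarif_results(findings):
    """SARIF keeps every result; suppressed ones carry a SARIF 2.1.0 `suppressions`
    entry so the consumer, not the CLI gate, decides how to treat them."""
    out = []
    for f in findings:
        r = {
            "ruleId": f.rule_id,
            "level": f.severity.lower(),
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.path},
                "region": {"startLine": f.line}}}],
        }
        if f.suppressed:
            r["suppressions"] = [{"kind": "inSource"}]
        out.append(r)
    return out


# Constructed sample input (not from the page); rule ids are illustrative.
SAMPLE_SOURCE = {
    "app.py": "\n".join([
        "import os, subprocess",
        "subprocess.call(cmd, shell=True)  # nosemgrep: audit.subprocess-shell-true",
        "# nosemgrep",
        "eval(user_input)",
        "os.system(user_input)",
    ])
}


def sample_findings():
    return [
        Finding("audit.subprocess-shell-true", "app.py", 2, "ERROR"),
        Finding("audit.eval-detected", "app.py", 4, "WARNING"),
        Finding("audit.dangerous-system-call", "app.py", 5, "ERROR"),
    ]


def run_scan(sources=SAMPLE_SOURCE, findings=None):
    """Apply suppressions once, then derive every output channel from the same list."""
    findings = apply_nosemgrep(findings if findings is not None else sample_findings(), sources)
    return {
        "text": text_output(findings),
        "count": summary_count(findings),
        "exit_code": exit_code(findings),
        "sarif": sarif_results(findings),
    }


if __name__ == "__main__":
    print(json.dumps(run_scan(), indent=2))
```

The point of routing every channel through the same suppressed flag is that a SARIF consumer (a code-scanning dashboard) still sees the suppressed results, marked as such, while the CLI's text listing, count and exit status, which is what gates a merge, only ever reflect unsuppressed findings. The bug described in the note is what happens when one channel derives its view from the pre-suppression list.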

Updates the requirements on [semgrep](https://github.com/semgrep/semgrep) to permit the latest version.
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.0.0...v1.164.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-version: 1.164.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
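The commit above raises a lower bound, not a pin: `semgrep>=1.164.0` refuses 1.163.0 and earlier but still admits any later release, including a future major. As an added example (not dependabot's, pip's or semgrep's code), the following evaluates PEP 440-style specifier sets against a constructed list of candidate versions to make that concrete; the candidate versions, function names and the restriction to plain release segments (no pre-release or local labels) are assumptions.

```python
import re

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|~=|<|>)\s*([\d.]+)$")


def parse_version(text):
    """'1.164.0' -> (1, 164); trailing zeros are dropped so 1.164 == 1.164.0, as PEP 440 requires."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version (release segment only): {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(req):
    """'semgrep>=1.164.0,<2' -> ('semgrep', [('>=', '1.164.0'), ('<', '2')])."""
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", req.strip())
    if m is None:
        raise ValueError(f"not a requirement: {req!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        cm = _CLAUSE_RE.match(clause)
        if cm is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def satisfies(version, clauses):
    """True when `version` meets every clause; a specifier set is a conjunction."""
    v = parse_version(version)
    for op, sv in clauses:
        s = parse_version(sv)
        if op == "~=":
            # Compatible release: >= sv, and the same prefix up to the written
            # second-to-last component (~=1.164 means >=1.164 and ==1.*).
            written = [int(p) for p in sv.split(".")]
            if len(written) < 2:
                raise ValueError("~= needs at least two components")
            prefix = tuple(written[:-1])
            padded = v + (0,) * max(0, len(prefix) - len(v))
            ok = v >= s and padded[: len(prefix)] == prefix
        else:
            ok = {"==": v == s, "!=": v != s, "<": v < s, "<=": v <= s,
                  ">": v > s, ">=": v >= s}[op]
        if not ok:
            return False
    return True


def admitted(req, candidates):
    """Which candidate versions a requirement line would let a resolver pick."""
    _, clauses = parse_requirement(req)
    return [c for c in candidates if satisfies(c, clauses)]


# Constructed candidate list for the illustration, not semgrep's real release history.
CANDIDATES = ["1.0.0", "1.163.0", "1.164.0", "1.165.2", "2.0.0"]


def demo():
    """Old floor, new floor, a compatible-release clause and an exact pin, side by side."""
    return {req: admitted(req, CANDIDATES)
            for req in ("semgrep>=1.0.0", "semgrep>=1.164.0", "semgrep~=1.164", "semgrep==1.164.0")}


if __name__ == "__main__":
    for req, versions in demo().items():
        print(f"{req:22} -> {versions}")
```

For a scanner whose findings gate merges, a floor is a minimum, not a reproducibility guarantee: the same requirements line installs a different semgrep in next month's CI image. If the scan result must be reproducible, pin the exact version in a lock file and install it with `pip install --require-hashes`, and let Dependabot bump the pin rather than the floor.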
dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 2, 2026

Labels

The following labels could not be found: security. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot[bot] added the dependencies label (Pull requests that update a dependency file), Jun 2, 2026
github-actions[bot] (Contributor) commented Jun 2, 2026

Security Scan Summary

Scan Results

  • Bandit (Python SAST): success
  • Semgrep (Multi-language SAST): success
  • Trivy (Vulnerability scanner): success
  • Gitleaks (Secret detection): success
  • CodeQL (Advanced analysis): success
