Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Bump semgrep from 1.100.0 to 1.106.0 #143

Closed
wants to merge 1 commit into from
Closed

Bump semgrep from 1.100.0 to 1.106.0 #143

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 30, 2025

Bumps semgrep from 1.100.0 to 1.106.0.

Release notes

Sourced from semgrep's releases.

Release v1.106.0

1.106.0 - 2025-01-29

See 1.105.0 Changelog:

1.105.0 - 2025-01-29

Added

  • Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

  • Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

  • LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
  • Some bug fixes to pnpm lockfile parsing. (gh-2955)
  • Fix npm aliasing bug in yarn parser. (sc-2052)
  • Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

Release v1.104.0

1.104.0 - 2025-01-22

Changed

  • Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)

Fixed

  • pro: Fixed bug in inter-file matching of subtypes. When looking to match some type A, Semgrep will match any type B that is a subtype of A, but in certain situations this did not work. (code-7963)

  • taint-mode: Make traces record assignments that transfer taint via shapes.

    For example, in code like:

    B b = new B(taint);
B b1 = b;
sink(b1.getTaintedData());

    The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

  • Python: Parser updated to the most recent tree-sitter grammar. Parse rate from 99.8% -> 99.998%. (saf-1810)

Release v1.103.0

1.103.0 - 2025-01-15

Added

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.106.0 - 2025-01-29

No significant changes.

1.105.0 - 2025-01-29

Added

  • Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

  • Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

  • LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
  • Some bug fixes to pnpm lockfile parsing. (gh-2955)
  • Fix npm aliasing bug in yarn parser. (sc-2052)
  • Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

1.104.0 - 2025-01-22

Changed

  • Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)

Fixed

  • pro: Fixed bug in inter-file matching of subtypes. When looking to match some type A, Semgrep will match any type B that is a subtype of A, but in certain situations this did not work. (code-7963)

  • taint-mode: Make traces record assignments that transfer taint via shapes.

    For example, in code like:

... (truncated)

Commits
  • b0d9436 chore: release version 1.106.0
  • 2af07d8 fix(SSC): Handle peer dependencies when parsing a package-lock.json file (s...
  • 80cbe25semgrep/semgrep-proprietary#2992
  • 142e4ad Remove the --semgrep-branch and other flags from semgrep ci --help (semgrep/s...
  • 6dc2087 Revert "Switch semgrep-core -lang from an Analyzer.t to proper Lang.t" (semgr...
  • 8e88047semgrep/semgrep-proprietary#2988
  • 85ae0b7 Switch semgrep-core -lang from an Analyzer.t to proper Lang.t (semgrep/semgre...
  • 3e79051semgrep/semgrep-proprietary#2984
  • 56a77e0semgrep/semgrep-proprietary#2968
  • 27b5082semgrep/semgrep-proprietary#2967
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump semgrep from 1.100.0 to 1.106.0
691b44f 
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.100.0 to 1.106.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.100.0...v1.106.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jan 30, 2025
@dependabot dependabot bot mentioned this pull request Jan 30, 2025
Closed
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 6, 2025

Superseded by #145.

@dependabot dependabot bot closed this Feb 6, 2025
@dependabot dependabot bot deleted the dependabot/pip/semgrep-1.106.0 branch February 6, 2025 00:25
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants