Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Bump semgrep from 1.100.0 to 1.107.0 #145

Closed
wants to merge 1 commit into from
Closed

Bump semgrep from 1.100.0 to 1.107.0 #145

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 6, 2025

Bumps semgrep from 1.100.0 to 1.107.0.

Release notes

Sourced from semgrep's releases.

Release v1.107.0

1.107.0 - 2025-02-04

Added

  • More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
  • Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)

Fixed

  • The pro engine now respects the correct order of field resolution in Scala's multiple inheritance. The type that appears later takes precedence when resolving fields. For example, in class A extends B with C with D, the order of precedence is D, C, B, and A. (code-7891)
  • pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
  • pro: python: Fixed resolution of calls to the implementation of abstract methods. See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
  • Fixed the semgrep ci --help to not include experimental options like --semgrep-branch (saf-1746)
  • Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
  • Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)

Infra/Release Changes

  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

Release v1.106.0

1.106.0 - 2025-01-29

See 1.105.0 Changelog:

1.105.0 - 2025-01-29

Added

  • Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

  • Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

  • LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
  • Some bug fixes to pnpm lockfile parsing. (gh-2955)
  • Fix npm aliasing bug in yarn parser. (sc-2052)
  • Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

Release v1.104.0

1.104.0 - 2025-01-22

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.107.0 - 2025-02-04

Added

  • More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
  • Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)

Fixed

  • The pro engine now respects the correct order of field resolution in Scala's multiple inheritance. The type that appears later takes precedence when resolving fields. For example, in class A extends B with C with D, the order of precedence is D, C, B, and A. (code-7891)
  • pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
  • pro: python: Fixed resolution of calls to the implementation of abstract methods. See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
  • Fixed the semgrep ci --help to not include experimental options like --semgrep-branch (saf-1746)
  • Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
  • Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)

Infra/Release Changes

  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

1.106.0 - 2025-01-29

No significant changes.

1.105.0 - 2025-01-29

Added

  • Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

... (truncated)

Commits
  • 92313a4 chore: release version 1.107.0
  • 92a64b9semgrep/semgrep-proprietary#3033
  • 50a6842semgrep/semgrep-proprietary#3031
  • b839082 chore(ci): merge pre-commit jobs into a single pre-commit job. (semgrep/semgr...
  • 7b31117semgrep/semgrep-proprietary#3025
  • f277bb9semgrep/semgrep-proprietary#3
  • 458c844 chore(dep-resolution): add progress indicator while resolving dependencies (s...
  • 75de25esemgrep/semgrep-proprietary#3016
  • 337d734semgrep/semgrep-proprietary#2990
  • 7b834cb Implement correct method resolution for multiple trait inheritance in Scala (...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump semgrep from 1.100.0 to 1.107.0
4f0e39b 
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.100.0 to 1.107.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.100.0...v1.107.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Feb 6, 2025
@dependabot dependabot bot mentioned this pull request Feb 6, 2025
Closed
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 13, 2025

Superseded by #148.

@dependabot dependabot bot closed this Feb 13, 2025
@dependabot dependabot bot deleted the dependabot/pip/semgrep-1.107.0 branch February 13, 2025 00:53
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants