
Update dependency semgrep to v1.152.0#116

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/semgrep-1.x

Conversation

@renovate renovate bot commented Feb 7, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| semgrep (changelog) | `==1.149.0` -> `==1.152.0` | (badge) | (badge) |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

semgrep/semgrep (semgrep)

v1.152.0

Compare Source

### Added
  • Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

  • Turned on DNS rebinding protection for the MCP server (dns-check)

  • Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

  • Memory management policies

    A memory policy defines how OCaml's garbage collector should be configured for
    a scan. There are two initial policies: "aggressive", the current behaviour,
    which trades longer scan times for lower memory use, and "balanced", which
    finds a middle ground between reclaiming heap memory in short order while
    limiting how often the garbage collector runs. The policy can be configured
    via the --x-mem-policy CLI flag for the pro engine; this flag is unused in
    the OSS engine. (engine-2055)

  • Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@hex0punk) for the contribution! (gh-11347)

  • Allows case-insensitive string comparisons using lower() and upper() like this:

    ```yaml
    - metavariable-comparison:
        metavariable: $VALUE
        comparison: upper(str($VALUE)) == "SEMGREP"
    ```

    (gh-11502)

  • Blocking findings that are outputted in the CI output are now labelled as such. (#4394)

### Changed
  • pro: There should be fewer FNs when the max number of fields to track per object
    is reached. (code-9224)
  • Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)

### Fixed
  • pro: Improved accuracy of taint tracking through assignments, this will help
    reduce FPs in some cases. (code-9220)
  • When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a
    longer period of time before retrying the request, to spread out requests
    during periods of app instability. (engine-2550)

v1.151.0

Compare Source

### Added
  • Added progress indicators for symbol analysis calculation and upload during CI scans (sc-3103)

### Fixed
  • Bumped glom to at least version 23.3, which includes a fix to a SyntaxWarning
    warning log. (gh-11460)
  • Semgrep no longer prints info log lines from semgrep-core RPC calls when --trace is passed and --debug isn't (loglines)
  • Fixed the README not appearing in built wheels. (wheelreadme)

v1.150.0

Compare Source

### Added
  • Connecting to the Semgrep MCP server via streamableHttp now requires OAuth. (saf-2453)

### Changed
  • Migrated from pipenv to uv for ./cli package management (uv)

### Fixed
  • pro: Improved virtual method resolution in Scala (code-9213)
  • Improved performance for supply chain scans by reducing pre-computation when printing the scan status. This results in slightly less information being displayed in the case that there are no rules to run. (gh-5436)
  • Supply Chain Analysis: fixed version range matching for NPM packages with versions containing a prerelease identifier such as -alpha in 1.2.3-alpha. (sc-3001)

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
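The v1.152.0 notes above introduce lower() and upper() inside metavariable-comparison. The rule below is an added illustration written for this page; it is not part of the semgrep project, the changelog, or this PR. It assumes a Python target that calls hashlib.new() with an algorithm name literal (hashlib accepts names in any letter case, so a rule that compares only against "md5" misses "MD5"), and it uses the same str() plus lower() form shown in the changelog entry so one comparison covers every spelling of the literal.

```yaml
rules:
  - id: weak-hash-name-case-insensitive
    # Added example for the lower()/upper() comparison helpers described in the
    # v1.152.0 release notes. Not a rule shipped by semgrep; the id, message
    # and target snippet are constructed for illustration.
    languages: [python]
    severity: WARNING
    message: >-
      hashlib.new() is called with the weak algorithm name $ALG. hashlib accepts
      algorithm names in any letter case, so the comparison is made
      case-insensitively and "MD5", "Md5" and "md5" are all reported.
    metadata:
      category: security
    patterns:
      # Match the call regardless of how many further arguments follow the name.
      - pattern: hashlib.new($ALG, ...)
      - metavariable-comparison:
          metavariable: $ALG
          # str() gives the bound literal as text; lower() normalises its case
          # before the equality checks, which are joined with "or" (boolean
          # operators are permitted in the comparison expression).
          comparison: lower(str($ALG)) == "md5" or lower(str($ALG)) == "sha1"

# Constructed target for a quick check (save as weak.py, then run
# `semgrep --config rule.yaml weak.py`):
#
#   import hashlib
#   hashlib.new("MD5", data)      # reported: lower("MD5") == "md5"
#   hashlib.new("sha1", data)     # reported
#   hashlib.new("sha256", data)   # not reported
```

Before this release the same coverage needed one comparison per spelling (or a metavariable-regex with a case-insensitive flag), so the new helpers mainly shorten rules whose matched literal is interpreted case-insensitively by the library being scanned.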

greptile-apps bot commented Feb 7, 2026

Greptile Overview

Greptile Summary

  • Bumps semgrep in the Python dev dependency group from 1.149.0 to 1.150.0 (non-Windows only).
  • Regenerates uv.lock accordingly, adding new transitive deps (e.g., semantic-version, pyjwt[crypto]) and updating hashes/URLs.
  • Change is isolated to Python tooling (uv/pyproject) and doesn’t touch the Node packages directly.

Confidence Score: 4/5

  • This PR is likely safe to merge after addressing a minor formatting inconsistency in pyproject.toml.
  • The change is a straightforward semgrep patch bump with a regenerated uv lockfile; the only concrete issue found is inconsistent dependency marker spacing that can cause formatting/CI diffs if enforced.
  • pyproject.toml

Important Files Changed

| Filename | Overview |
|---|---|
| pyproject.toml | Bumped semgrep dev dependency to 1.150.0, but introduced inconsistent PEP 508 marker spacing (`==1.150.0;` vs `==... ;`) which can break style/format checks if enforced. |
| uv.lock | Regenerated lockfile for semgrep 1.150.0; adds new transitive deps (semantic-version, pyjwt[crypto]) and updates exclude-newer timestamp. No functional issues spotted in the lock structure. |

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 1 comment

pyproject.toml Outdated
"pyrefly==0.50.1",
"ruff==0.14.14",
"semgrep==1.149.0 ; sys_platform != 'win32'",
"semgrep==1.150.0; sys_platform != 'win32'",
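Review bot: this snippet is marked Outdated and still pins `semgrep==1.150.0`, while the PR title was later changed to v1.152.0 after the force-pushes to 206b21c and then 4694604, so the pin and the regenerated uv.lock should be checked on the current branch head rather than on this diff. The spacing point still applies to whichever version lands: the removed line reads `"semgrep==1.149.0 ; sys_platform != 'win32'",` and the new one drops the space before `;`, so the replacement should keep the neighbours' style, e.g. `"semgrep==1.152.0 ; sys_platform != 'win32'",`.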
Inconsistent marker spacing

This line changes the formatting from the surrounding dependencies by removing the space before the environment marker (==1.150.0; vs ==... ;). If this repo enforces formatting (e.g., via a TOML formatter or snapshot tests), this will cause CI diffs/failures. Consider matching the existing style.

Suggested change
"semgrep==1.150.0; sys_platform != 'win32'",
"semgrep==1.150.0 ; sys_platform != 'win32'",

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 5b21253 to fb7babf Compare February 11, 2026 20:35
@renovate renovate bot changed the title Update dependency semgrep to v1.150.0 Update dependency semgrep to v1.151.0 Feb 11, 2026
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from fb7babf to 206b21c Compare February 12, 2026 16:36
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 206b21c to 4694604 Compare February 25, 2026 01:09
@renovate renovate bot changed the title Update dependency semgrep to v1.151.0 Update dependency semgrep to v1.152.0 Feb 25, 2026