Fix: the HTML report used typographic niceties to make file paths more
readable by adding a small amount of space around slashes. Those spaces
interfered with searching the page for file paths of interest. Now the report
uses CSS to accomplish the same visual tweak so that searches with slashes
work correctly. Closes issue 2170_.
Add a 3.16 PyPI classifier (hugo-316_) since we test on the 3.16 main branch.
Feature: now when running one of the reporting commands, if there are
parallel data files that need combining, they will be implicitly combined
before creating the report. There is no option to avoid the combination; let
us know if you have a use case that requires it. Thanks, Tim Hatch (pull 2162_). Closes issue 1781.
Fix: the output from combine was too verbose, listing each file
considered. Now it shows a single line with the counts of files combined,
files skipped, and files with errors. The -q flag suppresses this line.
The old detailed lines are available with the new --debug=combine option.
Fix: running a Python file through a symlink now sets the sys.path correctly,
matching regular Python behavior. Fixes issue 2157_.
Fix: Collector.flush_data could fail with "RuntimeError: Set changed
size during iteration" when a tracer in another thread added a line to the
per-file set that add_lines (or add_arcs) was iterating. The values
passed to CoverageData are now snapshotted via dict.copy() and set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver (pull 2165_).
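As an added illustration (not coverage.py's own code), the following shows why iterating a set that another thread is growing raises that RuntimeError, and how taking snapshots with set.copy() and dict.copy() before iterating avoids it. The per-file dict, the background "tracer" thread and the function names are constructed for this example.

```python
from __future__ import annotations

import threading


def flush_with_snapshot(per_file: dict[str, set[int]]) -> dict[str, list[int]]:
    """Snapshot the shared structures, then iterate only the private copies.

    dict.copy() and set.copy() each complete as one C-level call, so a
    concurrent add() cannot interleave with them; afterwards this thread owns
    the copies and can iterate them while the tracer keeps mutating the originals.
    """
    snapshot = {name: lines.copy() for name, lines in per_file.copy().items()}
    return {name: sorted(lines) for name, lines in snapshot.items()}


def mutate_during_iteration() -> str:
    """Deterministic, single-threaded reproduction of the failure mode:
    changing a set's size while a for-loop iterates it raises RuntimeError."""
    lines = {10, 20, 30}
    try:
        for n in lines:
            lines.add(n + 1)  # stands in for a tracer adding a line mid-flush
    except RuntimeError as exc:
        return str(exc)
    return "no error"


def concurrent_flushes_succeed(rounds: int = 50) -> bool:
    """Flush repeatedly while a background thread keeps changing the set's size.

    Returns False if any flush raised RuntimeError; with snapshots it never does.
    """
    per_file: dict[str, set[int]] = {"app.py": set()}
    stop = threading.Event()

    def tracer() -> None:
        n = 0
        while not stop.is_set():
            live = per_file["app.py"]
            live.add(n)             # grows the live set ...
            live.discard(n - 1000)  # ... and shrinks it, so its size keeps changing
            n += 1

    worker = threading.Thread(target=tracer, daemon=True)
    worker.start()
    try:
        for _ in range(rounds):
            flush_with_snapshot(per_file)
    except RuntimeError:
        return False
    finally:
        stop.set()
        worker.join()
    return True
```

The first function is the pattern the fix adopts; the second shows the error message a reader would see without it, and the third exercises the snapshot version under real thread contention.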
Fix: the soft keyword lazy is now bolded in HTML reports.
We are no longer testing eventlet support. Eventlet started issuing stern
deprecation warnings that break our tests. Our support code is still there.
Fix: issue 2138_ describes a memory leak that happened when repeatedly
using the Coverage API with in-memory data. This is now fixed.
Fix: the markdown-formatted coverage report didn't fully escape special
characters in file paths (issue 2141). This would be very unlikely to
cause a problem, but now it's done properly, thanks to Ellie Ayla (pull 2142_).
Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145_).
Fix: the third-party code fix in 7.13.3 required examining the parent
directories where coverage was run. In the unusual situation that one of the
parent directories is unreadable, a PermissionError would occur, as
described in issue 2129_. This is now fixed.
Fix: in test suites that change sys.path, coverage.py could fail with
"RuntimeError: Set changed size during iteration" as described and fixed in pull 2130_. Thanks, Noah Fatsi.
We now publish ppc64le wheels, thanks to Pankhudi Jain (pull 2121_).
Fix: in some situations, third-party code was measured when it shouldn't have
been, slowing down test execution. This happened with layered virtual
environments such as uv sometimes makes. The problem is fixed, closing issue 2082_. Now any directory on sys.path that is inside a virtualenv is
considered third-party code.
Fix: when Python is installed via symlinks, for example with Homebrew, the
standard library files could be incorrectly included in coverage reports.
This is now fixed, closing issue 2115_.
Fix: if a data file is created with no read permissions, the combine step
would fail completely. Now a warning is issued and the file is skipped.
Closes issue 2117_.
Added: the JSON report now includes a "start_line" key for function and
class regions, indicating the first line of the region in the source. Closes issue 2110_.
Added: The debug data command now takes file names as arguments on the
command line, so you can inspect specific data files without needing to set
the COVERAGE_FILE environment variable.
Fix: the JSON report used to report module docstrings as executed lines,
which no other report did, as described in issue 2105_. This is now fixed,
thanks to Jianrong Zhao.
Fix: coverage.py uses a more disciplined approach to detecting where
third-party code is installed, and avoids measuring it. This shouldn't change
any behavior. If you find that it does, please get in touch.
Performance: data files that will be combined now record their hash as part
of the file name. This lets us skip duplicate data more quickly, speeding the
combining step.
Docs: added a section explaining more about what is considered a missing
branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed (pull 2092_).
Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.
Feature: coverage.py now supports :file:.coveragerc.toml configuration
files. These files use TOML syntax and take priority over
:file:pyproject.toml but lower priority than :file:.coveragerc files.
Closes issue 1643_, thanks to Olena Yefymenko (pull 1952_).
Fix: we now include a permanent .pth file which is installed with the code,
fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn't work
when using the source wheel (py3-none-any). This is now fixed. Thanks, Henry Schreiner (pull 2100_).
Deprecated: when coverage.py is installed, it creates three command entry
points: coverage, coverage3, and coverage-3.10 (if installed for
Python 3.10). The second and third of these are not needed and will
eventually be removed. They still work for now, but print a message about
their deprecation.
The known link attributes in lxml.html.defs.link_attrs were missing xlink:href,
which can be used for URL bypass attacks in embedded SVG/MathML/etc. content. GHSA-4jhm-jv67-739f
This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.
Features added
GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes
in lxml.html.defs. This allows lxml_html_clean to pass them through.
Patch by oomsveta.
The default chunk size for reading from file-likes in iterparse() is now configurable
with a new chunk_size argument.
Bugs fixed
LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE)
when using these parsers without setting this option explicitly.
The default was now changed to 'internal' only (as for the normal XML and HTML parsers
since lxml 5.0).
Issue found by Sihao Qiu as CVE-2026-41066.
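Whatever a parser's resolve_entities default happens to be, an application receiving untrusted XML can refuse documents that declare external resources before they reach any parser. The pre-check below is an added example that uses only the Python standard library; it is not lxml's code, and the sample documents (with reserved .invalid hostnames) are constructed for it.

```python
import re
from typing import List, Union

# An entity whose replacement text lives outside the document:
#   <!ENTITY name SYSTEM "uri">   or   <!ENTITY % name PUBLIC "id" "uri">
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?:SYSTEM|PUBLIC)\b",
    re.IGNORECASE,
)
# A DOCTYPE that pulls in an external DTD subset: <!DOCTYPE root SYSTEM "uri">
_EXTERNAL_DTD = re.compile(
    r"<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def find_external_references(doc: Union[bytes, str]) -> List[str]:
    """Describe every external DTD or external entity declared in ``doc``.

    An empty list means the prolog names no external resources. Internal
    entities (replacement text given inline) are legitimate and not reported.
    """
    text = doc.decode("utf-8", errors="replace") if isinstance(doc, bytes) else doc
    findings = []
    if _EXTERNAL_DTD.search(text):
        findings.append("external DTD subset")
    for match in _EXTERNAL_ENTITY.finditer(text):
        kind = "parameter" if match.group("param") else "general"
        findings.append(f"external {kind} entity '{match.group('name')}'")
    return findings


def is_safe_to_parse(doc: Union[bytes, str]) -> bool:
    """True when the document declares no external DTD and no external entities."""
    return not find_external_references(doc)


# Constructed sample documents for the checks above.
INTERNAL_ONLY = b'<!DOCTYPE note [<!ENTITY greeting "hello">]><note>&greeting;</note>'
EXTERNAL_GENERAL = (
    b'<!DOCTYPE note [<!ENTITY ext SYSTEM "http://dtd.example.invalid/ext.txt">]>'
    b"<note>&ext;</note>"
)
EXTERNAL_PARAMETER = (
    b'<!DOCTYPE note [<!ENTITY % pe SYSTEM "http://dtd.example.invalid/pe.dtd"> %pe;]>'
    b"<note/>"
)
EXTERNAL_DTD = b'<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd"><note/>'
```

The check is a gate in front of the parser, not a replacement for configuring it: keep resolve_entities at the restrictive setting and treat a non-empty finding list as a reason to reject the document and log the event.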
- Migrate the ``dev``, ``docs``, and ``tests`` package extras to dependency groups by @​kurtmckee in `#​1152 <https://github.com/jpadilla/pyjwt/pull/1152>`__
`v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>`__
------------------------------------------------------------------------
Fixed
~~~~~
- Add missing ``typing_extensions`` dependency for Python < 3.11 in `#​1150 <https://github.com/jpadilla/pyjwt/issues/1150>`__
`v2.12.0 <https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0>`__
-----------------------------------------------------------------------
Fixed
~~~~~
- Annotate PyJWKSet.keys for pyright by @​tamird in `#​1134 <https://github.com/jpadilla/pyjwt/pull/1134>`__
- Close ``HTTPError`` response to prevent ``ResourceWarning`` on Python 3.14 by @​veeceey in `#​1133 <https://github.com/jpadilla/pyjwt/pull/1133>`__
- Do not keep ``algorithms`` dict in PyJWK instances by @​akx in `#​1143 <https://github.com/jpadilla/pyjwt/pull/1143>`__
- Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @​dmbs335 in `GHSA-752w-5fwx-jx9f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f>`__
- Use PyJWK algorithm when encoding without explicit algorithm in `#​1148 <https://github.com/jpadilla/pyjwt/pull/1148>`__
Added
~~~~~
- Docs: Add ``PyJWKClient`` API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).
`v2.11.0 <https://github.com/jpadilla/pyjwt/compare/2.10.1...2.11.0>`__
-----------------------------------------------------------------------
Fixed
~~~~~
- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @​kurtmckee in `#​1105 <https://github.com/jpadilla/pyjwt/pull/1105>`__
- Validate key against allowed types for Algorithm family in `#​964 <https://github.com/jpadilla/pyjwt/pull/964>`__
- Add iterator for JWKSet in `#​1041 <https://github.com/jpadilla/pyjwt/pull/1041>`__
- Validate `iss` claim is a string during encoding and decoding by @​pachewise in `#​1040 <https://github.com/jpadilla/pyjwt/pull/1040>`__
- Improve typing/logic for `options` in decode, decode_complete by @​pachewise in `#​1045 <https://github.com/jpadilla/pyjwt/pull/1045>`__
- Declare float supported type for lifespan and timeout by @​nikitagashkov in `#​1068 <https://github.com/jpadilla/pyjwt/pull/1068>`__
- Fix ``SyntaxWarning``\s/``DeprecationWarning``\s caused by invalid escape sequences by @​kurtmckee in `#​1103 <https://github.com/jpadilla/pyjwt/pull/1103>`__
- Development: Build a shared wheel once to speed up test suite setup times by @​kurtmckee in `#​1114 <https://github.com/jpadilla/pyjwt/pull/1114>`__
- Development: Test type annotations across all supported Python versions,
increase the strictness of the type checking, and remove the mypy pre-commit hook
by @​kurtmckee in `#​1112 <https://github.com/jpadilla/pyjwt/pull/1112>`__
Added
~~~~~
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by @​kurtmckee in `#​1104 <https://github.com/jpadilla/pyjwt/pull/1104>`__
- Development: Migrate to ``build`` to test package building in CI by @​kurtmckee in `#​1108 <https://github.com/jpadilla/pyjwt/pull/1108>`__
- Development: Improve coverage config and eliminate unused test suite code by @​kurtmckee in `#​1115 <https://github.com/jpadilla/pyjwt/pull/1115>`__
- Docs: Standardize CHANGELOG links to PRs by @​kurtmckee in `#​1110 <https://github.com/jpadilla/pyjwt/pull/1110>`__
- Docs: Fix Read the Docs builds by @​kurtmckee in `#​1111 <https://github.com/jpadilla/pyjwt/pull/1111>`__
- Docs: Add example of using leeway with nbf by @​djw8605 in `#​1034 <https://github.com/jpadilla/pyjwt/pull/1034>`__
- Docs: Refactored docs with ``autodoc``; added ``PyJWS`` and ``jwt.algorithms`` docs by @​pachewise in `#​1045 <https://github.com/jpadilla/pyjwt/pull/1045>`__
- Docs: Documentation improvements for "sub" and "jti" claims by @​cleder in `#​1088 <https://github.com/jpadilla/pyjwt/pull/1088>`__
- Development: Add pyupgrade as a pre-commit hook by @​kurtmckee in `#​1109 <https://github.com/jpadilla/pyjwt/pull/1109>`__
- Add minimum key length validation for HMAC and RSA keys (CWE-326).
Warns by default via ``InsecureKeyLengthWarning`` when keys are below
minimum recommended lengths per RFC 7518 Section 3.2 (HMAC) and
NIST SP 800-131A (RSA). Pass ``enforce_minimum_key_length=True`` in
options to ``PyJWT`` or ``PyJWS`` to raise ``InvalidKeyError`` instead.
- Refactor ``PyJWT`` to own an internal ``PyJWS`` instance instead of
calling global ``api_jws`` functions.
`v2.10.1 <https://github.com/jpadilla/pyjwt/compare/2.10.0...2.10.1>`__
-----------------------------------------------------------------------
Fixed
~~~~~
- Prevent partial matching of `iss` claim by @​fabianbadoi in `GHSA-75c5-xw7c-p5pm <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm>`__
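The exact-match issuer check from this advisory, the crit handling from RFC 7515 §4.1.11 (v2.12.0 above) and the sub/jti string validation from v2.10.0 can be written as one small stand-alone claim validator. This is an added example in plain Python, not PyJWT's implementation; the supported_crit parameter, the illustrative partial-match function and the sample headers and payloads are assumptions constructed for it.

```python
from typing import Iterable, List, Optional, Sequence, Union

# Header parameters defined by JWS/JWA themselves; RFC 7515 §4.1.11 says a
# "crit" array MUST NOT name any of them.
_STANDARD_HEADER_PARAMS = frozenset(
    {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}
)


def issuer_matches_partially(iss: str, expected: str) -> bool:
    """Illustration of the partial-match bug class (not PyJWT's code): a
    membership test meant for a list of issuers, applied to a plain string,
    becomes a substring test, so "example" passes for "https://example.com"."""
    return iss in expected


def validate_issuer(payload: dict, expected: Union[str, Sequence[str]]) -> Optional[str]:
    """Exact-match issuer check; returns an error message or None."""
    allowed = [expected] if isinstance(expected, str) else list(expected)
    iss = payload.get("iss")
    if not isinstance(iss, str):
        return "iss claim must be a string"
    if iss not in allowed:  # list membership here means exact string equality
        return f"issuer {iss!r} not in allowed issuers"
    return None


def validate_crit(header: dict, supported: Iterable[str] = ()) -> Optional[str]:
    """RFC 7515 §4.1.11: crit must be a non-empty array of header names that are
    present, are not standard JWS/JWA names, and are understood by this recipient."""
    if "crit" not in header:
        return None
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return "crit must be a non-empty array"
    understood = set(supported)
    for name in crit:
        if not isinstance(name, str):
            return "crit entries must be strings"
        if name in _STANDARD_HEADER_PARAMS:
            return f"crit must not list standard header parameter {name!r}"
        if name not in header:
            return f"critical header {name!r} is not present"
        if name not in understood:
            return f"critical header {name!r} is not understood"
    return None


def validate_string_claims(payload: dict, names: Sequence[str] = ("sub", "jti")) -> List[str]:
    """sub and jti, when present, must be strings (RFC 7519 §4.1.2 and §4.1.7)."""
    return [
        f"{name} claim must be a string"
        for name in names
        if name in payload and not isinstance(payload[name], str)
    ]


def validate(header: dict, payload: dict, expected_issuer, supported_crit=()) -> List[str]:
    """Run all checks and collect every error, so a caller can log them together."""
    errors = [
        err
        for err in (validate_issuer(payload, expected_issuer), validate_crit(header, supported_crit))
        if err
    ]
    errors.extend(validate_string_claims(payload))
    return errors
```

The validator runs after signature verification, never instead of it; an unknown critical header is a rejection, not a warning, because the sender has declared the token must not be processed without it.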
`v2.10.0 <https://github.com/jpadilla/pyjwt/compare/2.9.0...2.10.0>`__
-----------------------------------------------------------------------
Changed
~~~~~~~
- Remove algorithm requirement from JWT API, instead relying on JWS API for enforcement, by @luhn in `#975 <https://github.com/jpadilla/pyjwt/pull/975>`__
- Use Sequence for parameter types rather than List where applicable by @imnotjames in `#970 <https://github.com/jpadilla/pyjwt/pull/970>`__
- Add JWK support to JWT encode by @luhn in `#979 <https://github.com/jpadilla/pyjwt/pull/979>`__
- Encoding and decoding payloads using the none algorithm by @jpadilla in `c2629f6 <https://github.com/jpadilla/pyjwt/commit/c2629f66c593459e02616048443231ccbe18be16>`__
- Added validation for 'sub' (subject) and 'jti' (JWT ID) claims in tokens by @Divan009 in `#1005 <https://github.com/jpadilla/pyjwt/pull/1005>`__
- Refactor project configuration files from setup.cfg to pyproject.toml by @cleder in `#995 <https://github.com/jpadilla/pyjwt/pull/995>`__
- Ruff linter and formatter changes by @gagandeepp in `#1001 <https://github.com/jpadilla/pyjwt/pull/1001>`__
- Drop support for Python 3.8 (EOL) by @kkirsche in `#1007 <https://github.com/jpadilla/pyjwt/pull/1007>`__
Fixed
~~~~~
- Encode EC keys with a fixed bit length by @​etianen in `#​990 <https://github.com/jpadilla/pyjwt/pull/990>`__
- Add an RTD config file to resolve Read the Docs build failures by @​kurtmckee in `#​977 <https://github.com/jpadilla/pyjwt/pull/977>`__
- Docs: Update ``iat`` exception docs by @​pachewise in `#​974 <https://github.com/jpadilla/pyjwt/pull/974>`__
- Docs: Fix ``decode_complete`` scope and algorithms by @​RbnRncn in `#​982 <https://github.com/jpadilla/pyjwt/pull/982>`__
- Fix doctest for ``docs/usage.rst`` by @​pachewise in `#​986 <https://github.com/jpadilla/pyjwt/pull/986>`__
- Fix ``test_utils.py`` not to xfail by @​pachewise in `#​987 <https://github.com/jpadilla/pyjwt/pull/987>`__
- Docs: Correct `jwt.decode` audience param doc expression by @​peter279k in `#​994 <https://github.com/jpadilla/pyjwt/pull/994>`__
Added
~~~~~
- Add support for python 3.13 by @hugovk in `#972 <https://github.com/jpadilla/pyjwt/pull/972>`__
- Create SECURITY.md by @auvipy and @jpadilla in `#973 <https://github.com/jpadilla/pyjwt/pull/973>`__
- Docs: Add PS256 encoding and decoding usage by @peter279k in `#992 <https://github.com/jpadilla/pyjwt/pull/992>`__
- Docs: Add API docs for PyJWK by @luhn in `#980 <https://github.com/jpadilla/pyjwt/pull/980>`__
- Docs: Add EdDSA algorithm encoding/decoding usage by @peter279k in `#993 <https://github.com/jpadilla/pyjwt/pull/993>`__
- Include checkers and linters for pyproject.toml in pre-commit by @cleder in `#1002 <https://github.com/jpadilla/pyjwt/pull/1002>`__
- Docs: Add ES256 decoding usage by @Gautam-Hegde in `#1003 <https://github.com/jpadilla/pyjwt/pull/1003>`__
Moved headers input type back to Mapping to avoid invariance issues
with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)
Requests 2.34.0 introduces inline types, replacing those provided by
typeshed. Public API types should be fully compatible with mypy, pyright,
and ty. We believe types are comprehensive but if you find issues, please
report them to the pinned tracking issue.
Response.history no longer contains a reference to itself, preventing
accidental looping when traversing the history list. (#7328)
Requests no longer performs greedy matching on no_proxy domains. The
proxy_bypass implementation has been updated with CPython's fix from
bpo-39057. (#7427)
Requests no longer incorrectly strips duplicate leading slashes in
URI paths. This should address user issues with specific presigned
URLs. Note the full fix requires urllib3 2.7.0+. (#7315)
📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at #7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣
Security
CVE-2026-25645: requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.
Improvements
Migrated to a PEP 517 build system using setuptools. (#7012)
Bugfixes
Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (#7205)
Deprecations
Dropped support for Python 3.9 following its end of support. (#7196)
Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more. (const-folding)
Added a nosemgrep_disabled field to the scan configuration so the platform can disable nosemgrep inline ignore comments org-wide for a scan. (APPEX-1122)
Semgrep now skips binary files (images, archives, compiled executables,
etc.) during scanning by default, detected via matching file extensions
to known file-format magic bytes. Pass --no-exclude-binary-files to
scan binary files as before. (ENGINE-2708)
### Fixed
semgrep ci with --sarif now correctly populates the output's ignores
field with nosemgrep-suppressed findings, in accordance with other output
formatters. (gh-6651)
### Infra/Release Changes
Updated the ocaml-tree-sitter-core submodule to the latest upstream main, providing
improved thread-safety; this bumps the tree-sitter CLI option used from 0.20.6 to 0.20.8.
Pro: Added experimental cross-file (interfile) analysis for Gosu, enabling taint tracking across multiple Gosu source files. (gosu-interfile)
Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more (ENGINE-2789)
### Fixed
Fixed parsing of integer literals with an underscore immediately after the radix prefix (e.g. 0x_dead_beef, 0o_755, 0b_1010_1010). (LANG-533)
Python parsing now preserves type parameters on def and class definitions. (LANG-536)
Semgrep no longer stores the API token in ~/.semgrep/settings.yml's stored
token when the current scan's token is supplied via the SEMGREP_APP_TOKEN
envvar. (SEC-2240)
semgrep ci scans originating from a pre-commit hook will no longer fail with Unable to create '<tmp>/.git/index.lock': Not a directory in certain cases. (engine-2736)
### Infra/Release Changes
Added parsing tests covering Python language features (Python 3.0–3.12). (LANG-531)
Added --max-match-context-size option to limit the number of characters of source code included as context for each match in the output. This prevents matches in minified files (e.g., minified JavaScript where the entire file is a single line) from producing enormous output. Set to 0 for unlimited, which is the default value. (ENGINE-2117)
### Changed
Replaced --x-no-python-schema-validation with a value-taking --x-rule-validation=full|core-only|none flag. The default (full) preserves existing Python rule validation behavior; core-only matches the old flag's semantics (disables Python rule validation and uses semgrep-core RPC validation only); none skips both pre-validation passes, surfacing rule errors at scan-time. --x-no-python-schema-validation is still accepted as a no-op with a deprecation warning, and will be removed in a future release. (x-rule-validation)
Python: Updated Python grammar (LANG-201)
### Fixed
Added bit shift operations to metavar comparison in addition to already present standard arithmetic operators and logical bit ops. (ENGINE-2448)
Reduce intermittent validation_error results on HTTP secret validators (Facebook, Slack, Stripe, Google, Cloudflare, etc.) by retrying transient network failures, mirroring the retry behavior already present for AWS validators. (SCRT-965)
Dart: typed metavariables ($X as T) and metavariable-type,
metavariable binding inside string interpolations, and function-definition
patterns that match Dart function definitions. (gh-11678)
### Changed
The default memory limit for Pro interfile scans on Linux now adapts to the container's cgroup memory limit (90% of it) instead of the previous fixed 5 GiB, with an 8 GiB fallback when no cgroup limit is detected. (ENGINE-2568)
Lower the glibc constraint from >=2.35 to >=2.34, allowing users on distros
that ship glibc 2.34 (e.g. RHEL 9 & AL2023) to install the semgrep wheel. (gh-11622)
### Fixed
Baseline diff scans (semgrep ci and --baseline-commit) no longer treat every finding on a file as newly introduced when rule(s) failed during the baseline run.
Per-rule failures (for example a timeout for a single rule) on baseline analysis now hide only that rule's matches on that file from the "new vs baseline" comparison.
Other rules on the same file are still taken in comparison for the "new vs baseline" comparison.
Per-file, rule-independent failures now hide all findings on that file from the "new vs baseline" comparison. (LANG-515)
Fixed a yarn.lock parse error on Yarn Berry entries written
in YAML explicit-key form. Affected lockfiles previously failed to parse. (SC-3479)
The (beta) SBT resolver with --allow-local-builds now correctly identifies dependencies as part of the Maven ecosystem. (SC-3522)
Fix --sarif-output and --sarif causing nosemgrep-suppressed findings to be reported in CLI scan output and to block scans. Suppressed findings are now correctly excluded from terminal text output, the scan-summary count, and the CLI's exit code. (engine-1824)
Fixed a bug that could cause unreliable target filtering in parallel scans. (gh-6313)
Dart: improved parser fidelity for Dart 3 grammar features and routed
pattern parsing for statements beginning with await, rethrow, and other
statement keywords. Eliminates a large class of PartialParsing errors on
real-world pub.dev packages. (gh-11678)
### Infra/Release Changes
pro: macOS: Fixed dynamic library lookup for semgrep-core-proprietary so the binary works when semgrep install-semgrep-pro is invoked, and semgrep is installed via Homebrew. (pro-binary-homebrew)
Pro: Added optional <case>.named_ast.expect golden files for tests/intrafile/maturity/ fixtures, exercised by Unit_maturity_named_asts. (LANG-287)
Updated PHP target parsing to support grammar changes from PHP 8.1-8.5 (LANG-380)
### Changed
Improved semgrep ci startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
Semgrep now validates dependency aware rules only on the core side, improving startup time (validate-skip-dep-aware)
Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)
### Fixed
Improved name resolution for fully-qualified names in Java, Kotlin, and Scala. This could lead to fewer false positives and more true positives when the code under analysis uses fully-qualified names instead of imports. (java-qualified)
Optimised rule prefiltering and parsing to improve engine startup time. (rule-parse-cache)
Reduced peak memory usage when scanning repos with large rulesets. (rules-json-compact)
Fixed transitive reachability rule parsing performance: the temporary rule
file written for each transitive-reachability RPC call is JSON content
(json.dumps([rule.raw])) but was being created with a .yaml suffix.
OCaml's Parse_rule.parse_file dispatches purely on file extension, so this
routed every TR rule through Yaml_to_generic.parse_yaml_file (the slow YAML
path) instead of Fast_json.parse_program (the new hand-written RFC 8259
parser). Switching the suffix to .json lines the suffix up with the actual
content and lets every TR rule parse take the fast path. (tr-json-suffix)
Pro: Fixed a naming resolution bug in Java. (LANG-274)
pro: Improved support for tracking taint through nested functions. (LANG-95)
Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)
### Changed
Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)
### Fixed
jsonnet: import and importstr now reject paths that resolve outside the
rule file's parent directory. (ENGINE-2727)
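The containment rule this fix describes (an import may only resolve to a location inside the rule file's parent directory) can be checked by resolving both paths to absolute, symlink-free form and requiring one to be relative to the other. This is an added example in Python, not semgrep's own implementation; the temporary directory layout, the function names and the import cases are constructed for it.

```python
import tempfile
from pathlib import Path


def is_contained(base: Path, target: Path) -> bool:
    """True iff target, after resolving '..' segments and symlinks, sits under base."""
    base = base.resolve()
    target = target.resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def resolve_import(rule_file, import_path) -> Path:
    """Resolve an import relative to the rule file's directory, refusing escapes.

    Relative imports are joined to the base; an absolute import_path replaces it
    (pathlib semantics), so the containment check also rejects absolute escapes.
    """
    base = Path(rule_file).resolve().parent
    candidate = base / import_path
    if not is_contained(base, candidate):
        raise PermissionError(f"import {import_path!r} resolves outside {base}")
    return candidate.resolve()


def demo() -> dict:
    """Build a constructed layout and record how each import form is treated."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        rules = root / "rules"
        (rules / "lib").mkdir(parents=True)
        rule = rules / "rule.jsonnet"
        rule.write_text("{}")
        (rules / "lib" / "common.libsonnet").write_text("{}")
        (root / "secret.txt").write_text("outside the rule directory")

        cases = {
            "sibling": "lib/common.libsonnet",             # inside: allowed
            "dotdot_inside": "lib/../lib/common.libsonnet",  # '..' that stays inside
            "dotdot": "../secret.txt",                       # climbs out: rejected
            "absolute": str(root / "secret.txt"),            # absolute escape: rejected
        }
        outcomes = {}
        for label, import_path in cases.items():
            try:
                resolve_import(rule, import_path)
                outcomes[label] = "allowed"
            except PermissionError:
                outcomes[label] = "rejected"

        # A symlink inside rules/ that points outside is caught by resolve();
        # on platforms where symlinks cannot be created the case is marked unsupported.
        link = rules / "lib" / "escape"
        try:
            link.symlink_to(root / "secret.txt")
        except (OSError, NotImplementedError):
            outcomes["symlink"] = "unsupported"
        else:
            try:
                resolve_import(rule, "lib/escape")
                outcomes["symlink"] = "allowed"
            except PermissionError:
                outcomes["symlink"] = "rejected"
        return outcomes
```

Resolving before comparing is the important step: a string-prefix check on the unresolved path would accept "lib/../../secret.txt" and the symlink case.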
semgrep ci: redact URL-embedded credentials and Authorization header
values from git error messages and from the captured tracebacks sent to
the fail-open telemetry endpoint, preventing leaks of secrets like CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes
ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
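A redaction step of the kind this fix describes, written as an added Python example (not semgrep's code): it masks the userinfo part of URLs and the value of Authorization headers before an error message or traceback is logged or sent to telemetry. The sample lines and tokens are constructed and obviously fake.

```python
import re
from typing import Iterable

# scheme://user:password@host  or  scheme://token@host  ->  scheme://***@host
_URL_USERINFO = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<userinfo>[^/\s@]+)@"
)
# "Authorization: Bearer <token>", "AUTHORIZATION: basic <b64>", "Authorization=<value>"
_AUTH_HEADER = re.compile(
    r"(?P<key>authorization\s*[:=]\s*)(?P<scheme>(?:bearer|basic|token)\s+)?(?P<value>[^\s'\"]+)",
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Mask credentials while keeping hostnames and auth schemes for diagnosis."""
    text = _URL_USERINFO.sub(lambda m: f"{m.group('scheme')}***@", text)
    text = _AUTH_HEADER.sub(
        lambda m: f"{m.group('key')}{m.group('scheme') or ''}***", text
    )
    return text


def leaks_secret(text: str, secrets: Iterable[str]) -> bool:
    """Belt-and-braces check before transmitting: is any known secret still present?"""
    return any(secret in text for secret in secrets)


# Constructed samples: a git fetch failure with a URL-embedded job token, and a
# traceback line that quotes an Authorization extraheader.
GIT_ERROR = (
    "fatal: unable to access "
    "'https://gitlab-ci-token:glcbt-FAKE0000@gitlab.example.invalid/group/repo.git/': "
    "The requested URL returned error: 403"
)
TRACEBACK = (
    "subprocess.CalledProcessError: Command '['git', '-c', "
    "'http.extraheader=AUTHORIZATION: basic ZmFrZTpmYWtl', 'fetch']' "
    "returned non-zero exit status 128."
)
CLEAN = "fatal: couldn't find remote ref refs/heads/main"
FAKE_SECRETS = ["glcbt-FAKE0000", "ZmFrZTpmYWtl"]
```

Apply the same function to every channel that leaves the process (terminal output, log files, telemetry payloads); redacting only one of them is how the fail-open traceback leak arises in the first place.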
semgrep ci no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
semgrep CLI: the on-disk log file (~/.semgrep/semgrep.log or $SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass --debug to restore the previous behavior. (ENGINE-2730)
jsonnet rules: bound recursion in both rule loading and evaluation so a
malicious rule can no longer hang semgrep via mutually-recursive imports
or runtime function calls that recurse forever. (ENGINE-2727-dos)
Scala: Merging consecutive top-level package declarations into a single package path. (LANG-374)
Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
Surface a clearer error from the MCP scan tool when metrics is off and auto config is specified (gh-11649)
Fixed unknown option error when spawning the MCP daemon (gh-11660)
Scala 3.4+ trait parameters are now parsed correctly. (lang-73)
### Fixed
Semgrep's HTTP requests no longer log URLs above the debug level; full request
details remain available when running with SEMGREP_LOG_SRCS=cohttp.client. (ENGINE-2712)
Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)
Added support for a supply chain hook for the Semgrep Plugin (supply-chain-hook)
Computing taint configs, ~1/4-1/2 of the semgrep-core time in interfile scans, is now done in parallel according to the number of jobs (ENGINE-2649)
Semgrep Pro interfile engine (--pro) taint analysis has been redesigned, significantly improving performance (estimated 20-40% improvement). This improvement introduces a slight change in how findings are generated, that may result in more true positives, or less false positives. To revert to previous behavior, pass --no-x-run-taint-once as a flag. (engine-2468)
### Changed
semgrep-core macOS binaries are now dynamically linked to the system's libraries. (macos-binary-build)
semgrep-core manylinux binaries are now dynamically linked to the system's glibc on glibc systems. This introduces a minimum glibc version requirement of >=2.35, which is satisfied in Ubuntu >=22.04, Debian >=12, RHEL >=10, and other glibc distributions with at least glibc 2.35. Linux systems running an older glibc will need to upgrade their OS. (manylinux-binary-build)
The manylinux wheel is now tagged as manylinux_2_35_, reflecting a minimum
requirement of glibc version 2.35. (manylinux-wheel-tag)
semgrep-core musllinux binaries are now dynamically linked to the system's musl libc on musl systems. (musllinux-binary-build)
The musllinux PyPI wheel is now tagged as musllinux_1_2_, reflecting a requirement
of musl libc version 1.2. (musllinux-wheel-tag)
The LSP and MCP servers now use the v2 config download endpoint by default when fetching rules from Semgrep AppSec Platform. Set SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1 to fall back to the legacy endpoint. (SMS-2284)
### Fixed
Fixed IDE login issues where network errors during token verification were incorrectly clearing the saved token. The LSP now distinguishes 401 Unauthorized (invalid token) from other errors (e.g. network failures), surfacing appropriate messages instead. (ide-login)
Fixed SARIF taint trace output: step locations now use the correct file URI, and the full taint sink call trace is included in codeFlows. (engine-2570)
The --x-mem-policy flag now propagates to the RPC subprocess, fixing memory tuning for dependency resolution and other RPC-based operations. (pylon-20772)
Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)
### Fixed
Fix Rust parsing of "&raw" where "raw" is an identifier. (rust-parser-updated)
Errors during target file discovery (e.g., permission errors, git failures) are now surfaced as warnings instead of being silently ignored. (ENGINE-2627)
kotlin: Fixed bug parsing FQNs in metavariable-type. (LANG-271)
Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names. (SC-3379)
Prevented certain deeply nested aliengrep matches from segfaulting semgrep-core. (engine-2628)
Fix Python parsing for files that contains empty strings (or quotes in docstrings) along with match statements. (gh-11287)
Fix rule paths.include/paths.exclude filtering when a single file is passed as a scan target. Previously, path patterns like '/src/test//*.java' would not match because only the filename was used for filtering instead of the full project-relative path. (gh-11560)
Pro: Improved type resolution in Scala (lang-79)
Pro: Improved call resolution in Scala for parameterless methods (lang-80)
Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
scala: Improved support for Scala 3's optional braces. (LANG-218)
Added PowerShell language support (beta) with parsing and pattern matching (lang-233)
### Changed
Removed the experimental and undocumented command semgrep install-ci. (osemgrep-install-ci)
Migrate from publishing a single Linux wheel with the platform tag musllinux_1_0_<arch>.manylinux2014_<arch> to publishing two separate wheels: a wheel with the platform tag musllinux_1_0_ and a wheel with the platform tag manylinux2014_. (pypi-linux-tag)
### Fixed
When performing parallel operations over a small number of input items, the
engine no longer spawns more OCaml domains than we have items to process. This
assists with resource utilisation. (engine-2588)
Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the --secrets-timeout flag. (engine-2593)
Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)
Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
Changed default memory policy from "eager" to "balanced". Scan times should
noticeably improve; however, scans may use 5-10% additional memory. If running
in a resource-constrained environment, consider setting the memory policy back
to "aggressive". (engine-2055)
When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k f
Note: PR body was truncated to here.
Configuration
📅 Schedule: (UTC)
Branch creation
At any time (no schedule defined)
Automerge
At any time (no schedule defined)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR contains the following version-range updates:
- >=7.12,<7.13 → >=7.14,<7.15
- ~=1.2.0 → ~=1.3.0
- ~=4.25.0 → ~=4.26.0
- >=6.0.0,<6.1.0 → >=6.1.1,<6.2.0
- ~=2.10.0 → ~=2.13.0
- ~=4.0.0 → ~=4.1.0
- ~=2.32.1 → ~=2.34.2
- >=1.144,<1.145 → >=1.167,<1.168
- ~=0.13.0 → ~=0.15.0
- ==0.7.0.20250822 → ==0.7.0.20260504
- ==3.2.1.20250809 → ==3.2.1.20260518
This PR was generated by Mend Renovate. View the repository job log.