Update all non-major dependencies#1110

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch

Conversation

@renovate renovate bot commented Dec 5, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package          Change
coverage         >=7.12,<7.13      →  >=7.13,<7.14
jsonschema       ~=4.25.0          →  ~=4.26.0
pyjwt            ~=2.10.0          →  ~=2.12.1
semgrep          >=1.144,<1.145    →  >=1.156,<1.157
tomlkit          ~=0.13.0          →  ~=0.14.0
types-wtforms    ==3.2.1.20250809  →  ==3.2.1.20260312

Release Notes

coveragepy/coveragepy (coverage)

v7.13.5

Compare Source

  • Fix: issue 2138 describes a memory leak that happened when repeatedly
    using the Coverage API with in-memory data. This is now fixed.

  • Fix: the markdown-formatted coverage report didn't fully escape special
    characters in file paths (issue 2141). This would be very unlikely to
    cause a problem, but now it's done properly, thanks to Ellie Ayla (pull 2142).

  • Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145).

v7.13.4

Compare Source

  • Fix: the third-party code fix in 7.13.3 required examining the parent
    directories where coverage was run. In the unusual situation that one of the
    parent directories is unreadable, a PermissionError would occur, as
    described in issue 2129. This is now fixed.

  • Fix: in test suites that change sys.path, coverage.py could fail with
    "RuntimeError: Set changed size during iteration" as described and fixed in
    pull 2130. Thanks, Noah Fatsi.

  • We now publish ppc64le wheels, thanks to Pankhudi Jain (pull 2121).

v7.13.3

Compare Source

  • Fix: in some situations, third-party code was measured when it shouldn't have
    been, slowing down test execution. This happened with layered virtual
    environments such as uv sometimes makes. The problem is fixed, closing
    issue 2082. Now any directory on sys.path that is inside a virtualenv is
    considered third-party code.

v7.13.2

Compare Source

  • Fix: when Python is installed via symlinks, for example with Homebrew, the
    standard library files could be incorrectly included in coverage reports.
    This is now fixed, closing issue 2115.

  • Fix: if a data file is created with no read permissions, the combine step
    would fail completely. Now a warning is issued and the file is skipped.
    Closes issue 2117.

v7.13.1

Compare Source

  • Added: the JSON report now includes a "start_line" key for function and
    class regions, indicating the first line of the region in the source. Closes
    issue 2110.

  • Added: The debug data command now takes file names as arguments on the
    command line, so you can inspect specific data files without needing to set
    the COVERAGE_FILE environment variable.

  • Fix: the JSON report used to report module docstrings as executed lines,
    which no other report did, as described in issue 2105. This is now fixed,
    thanks to Jianrong Zhao.

  • Fix: coverage.py uses a more disciplined approach to detecting where
    third-party code is installed, and avoids measuring it. This shouldn't change
    any behavior. If you find that it does, please get in touch.

  • Performance: data files that will be combined now record their hash as part
    of the file name. This lets us skip duplicate data more quickly, speeding the
    combining step.

  • Docs: added a section explaining more about what is considered a missing
    branch and how it is reported (the branch_explain section of the docs), as
    requested in issue 1597. Thanks to Ayisha Mohammed (pull 2092).

  • Tests: the test suite misunderstood what core was being tested if
    COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109.

v7.13.0

Compare Source

  • Feature: coverage.py now supports .coveragerc.toml configuration
    files. These files use TOML syntax and take priority over
    pyproject.toml but lower priority than .coveragerc files.
    Closes issue 1643, thanks to Olena Yefymenko (pull 1952).

  • Fix: we now include a permanent .pth file which is installed with the code,
    fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn't work
    when using the source wheel (py3-none-any). This is now fixed. Thanks,
    Henry Schreiner (pull 2100).

  • Deprecated: when coverage.py is installed, it creates three command entry
    points: coverage, coverage3, and coverage-3.10 (if installed for
    Python 3.10). The second and third of these are not needed and will
    eventually be removed. They still work for now, but print a message about
    their deprecation.

python-jsonschema/jsonschema (jsonschema)

v4.26.0

Compare Source

  • Decrease import time by delaying importing of urllib.request (#1416).

jpadilla/pyjwt (pyjwt)

v2.12.1

Compare Source

Changed
~~~~~~~

- Migrate the ``dev``, ``docs``, and ``tests`` package extras to dependency groups by @kurtmckee in `#1152 <https://github.com/jpadilla/pyjwt/pull/1152>`__

`v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>`__
------------------------------------------------------------------------

Fixed
~~~~~

- Add missing ``typing_extensions`` dependency for Python < 3.11 in `#1150 <https://github.com/jpadilla/pyjwt/issues/1150>`__

`v2.12.0 <https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0>`__
-----------------------------------------------------------------------

Fixed
~~~~~

- Annotate PyJWKSet.keys for pyright by @tamird in `#1134 <https://github.com/jpadilla/pyjwt/pull/1134>`__
- Close ``HTTPError`` response to prevent ``ResourceWarning`` on Python 3.14 by @veeceey in `#1133 <https://github.com/jpadilla/pyjwt/pull/1133>`__
- Do not keep ``algorithms`` dict in PyJWK instances by @akx in `#1143 <https://github.com/jpadilla/pyjwt/pull/1143>`__
- Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @dmbs335 in `GHSA-752w-5fwx-jx9f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f>`__
- Use PyJWK algorithm when encoding without explicit algorithm in `#1148 <https://github.com/jpadilla/pyjwt/pull/1148>`__

Added
~~~~~

- Docs: Add ``PyJWKClient`` API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).

`v2.11.0 <https://github.com/jpadilla/pyjwt/compare/2.10.1...2.11.0>`__
-----------------------------------------------------------------------

Fixed
~~~~~

- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in `#1105 <https://github.com/jpadilla/pyjwt/pull/1105>`__
- Validate key against allowed types for Algorithm family in `#964 <https://github.com/jpadilla/pyjwt/pull/964>`__
- Add iterator for JWKSet in `#1041 <https://github.com/jpadilla/pyjwt/pull/1041>`__
- Validate ``iss`` claim is a string during encoding and decoding by @pachewise in `#1040 <https://github.com/jpadilla/pyjwt/pull/1040>`__
- Improve typing/logic for ``options`` in decode, decode_complete by @pachewise in `#1045 <https://github.com/jpadilla/pyjwt/pull/1045>`__
- Declare float supported type for lifespan and timeout by @nikitagashkov in `#1068 <https://github.com/jpadilla/pyjwt/pull/1068>`__
- Fix ``SyntaxWarning``\s/``DeprecationWarning``\s caused by invalid escape sequences by @kurtmckee in `#1103 <https://github.com/jpadilla/pyjwt/pull/1103>`__
- Development: Build a shared wheel once to speed up test suite setup times by @kurtmckee in `#1114 <https://github.com/jpadilla/pyjwt/pull/1114>`__
- Development: Test type annotations across all supported Python versions,
  increase the strictness of the type checking, and remove the mypy pre-commit hook
  by @kurtmckee in `#1112 <https://github.com/jpadilla/pyjwt/pull/1112>`__

Added
~~~~~

- Support Python 3.14, and test against PyPy 3.10 and 3.11 by @kurtmckee in `#1104 <https://github.com/jpadilla/pyjwt/pull/1104>`__
- Development: Migrate to ``build`` to test package building in CI by @kurtmckee in `#1108 <https://github.com/jpadilla/pyjwt/pull/1108>`__
- Development: Improve coverage config and eliminate unused test suite code by @kurtmckee in `#1115 <https://github.com/jpadilla/pyjwt/pull/1115>`__
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in `#1110 <https://github.com/jpadilla/pyjwt/pull/1110>`__
- Docs: Fix Read the Docs builds by @kurtmckee in `#1111 <https://github.com/jpadilla/pyjwt/pull/1111>`__
- Docs: Add example of using leeway with nbf by @djw8605 in `#1034 <https://github.com/jpadilla/pyjwt/pull/1034>`__
- Docs: Refactored docs with ``autodoc``; added ``PyJWS`` and ``jwt.algorithms`` docs by @pachewise in `#1045 <https://github.com/jpadilla/pyjwt/pull/1045>`__
- Docs: Documentation improvements for "sub" and "jti" claims by @cleder in `#1088 <https://github.com/jpadilla/pyjwt/pull/1088>`__
- Development: Add pyupgrade as a pre-commit hook by @kurtmckee in `#1109 <https://github.com/jpadilla/pyjwt/pull/1109>`__
- Add minimum key length validation for HMAC and RSA keys (CWE-326).
  Warns by default via ``InsecureKeyLengthWarning`` when keys are below
  minimum recommended lengths per RFC 7518 Section 3.2 (HMAC) and
  NIST SP 800-131A (RSA). Pass ``enforce_minimum_key_length=True`` in
  options to ``PyJWT`` or ``PyJWS`` to raise ``InvalidKeyError`` instead.
- Refactor ``PyJWT`` to own an internal ``PyJWS`` instance instead of
  calling global ``api_jws`` functions.

`v2.10.1 <https://github.com/jpadilla/pyjwt/compare/2.10.0...2.10.1>`__
-----------------------------------------------------------------------

Fixed
~~~~~

- Prevent partial matching of ``iss`` claim by @fabianbadoi in `GHSA-75c5-xw7c-p5pm <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm>`__

`v2.10.0 <https://github.com/jpadilla/pyjwt/compare/2.9.0...2.10.0>`__
-----------------------------------------------------------------------

Changed
~~~~~~~

- Remove algorithm requirement from JWT API, instead relying on JWS API for enforcement, by @luhn in `#975 <https://github.com/jpadilla/pyjwt/pull/975>`__
- Use Sequence for parameter types rather than List where applicable by @imnotjames in `#970 <https://github.com/jpadilla/pyjwt/pull/970>`__
- Add JWK support to JWT encode by @luhn in `#979 <https://github.com/jpadilla/pyjwt/pull/979>`__
- Encoding and decoding payloads using the ``none`` algorithm by @jpadilla in `#c2629f6 <https://github.com/jpadilla/pyjwt/commit/c2629f66c593459e02616048443231ccbe18be16>`__

  Before:

  .. code-block:: pycon

      import jwt
      jwt.encode({"payload": "abc"}, key=None, algorithm=None)

  After:

  .. code-block:: pycon

      import jwt
      jwt.encode({"payload": "abc"}, key=None, algorithm="none")

- Added validation for 'sub' (subject) and 'jti' (JWT ID) claims in tokens by @Divan009 in `#1005 <https://github.com/jpadilla/pyjwt/pull/1005>`__
- Refactor project configuration files from setup.cfg to pyproject.toml by @cleder in `#995 <https://github.com/jpadilla/pyjwt/pull/995>`__
- Ruff linter and formatter changes by @gagandeepp in `#1001 <https://github.com/jpadilla/pyjwt/pull/1001>`__
- Drop support for Python 3.8 (EOL) by @kkirsche in `#1007 <https://github.com/jpadilla/pyjwt/pull/1007>`__

Fixed
~~~~~

- Encode EC keys with a fixed bit length by @etianen in `#990 <https://github.com/jpadilla/pyjwt/pull/990>`__
- Add an RTD config file to resolve Read the Docs build failures by @kurtmckee in `#977 <https://github.com/jpadilla/pyjwt/pull/977>`__
- Docs: Update ``iat`` exception docs by @pachewise in `#974 <https://github.com/jpadilla/pyjwt/pull/974>`__
- Docs: Fix ``decode_complete`` scope and algorithms by @RbnRncn in `#982 <https://github.com/jpadilla/pyjwt/pull/982>`__
- Fix doctest for ``docs/usage.rst`` by @pachewise in `#986 <https://github.com/jpadilla/pyjwt/pull/986>`__
- Fix ``test_utils.py`` not to xfail by @pachewise in `#987 <https://github.com/jpadilla/pyjwt/pull/987>`__
- Docs: Correct ``jwt.decode`` audience param doc expression by @peter279k in `#994 <https://github.com/jpadilla/pyjwt/pull/994>`__

Added
~~~~~

- Add support for python 3.13 by @hugovk in `#972 <https://github.com/jpadilla/pyjwt/pull/972>`__
- Create SECURITY.md by @auvipy and @jpadilla in `#973 <https://github.com/jpadilla/pyjwt/pull/973>`__
- Docs: Add PS256 encoding and decoding usage by @peter279k in `#992 <https://github.com/jpadilla/pyjwt/pull/992>`__
- Docs: Add API docs for PyJWK by @luhn in `#980 <https://github.com/jpadilla/pyjwt/pull/980>`__
- Docs: Add EdDSA algorithm encoding/decoding usage by @peter279k in `#993 <https://github.com/jpadilla/pyjwt/pull/993>`__
- Include checkers and linters for pyproject.toml in pre-commit by @cleder in `#1002 <https://github.com/jpadilla/pyjwt/pull/1002>`__
- Docs: Add ES256 decoding usage by @Gautam-Hegde in `#1003 <https://github.com/jpadilla/pyjwt/pull/1003>`__

semgrep/semgrep (semgrep)

v1.156.0

Compare Source

### Changed
  • The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)
### Fixed
  • Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
  • Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
  • Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

v1.155.0

Compare Source

### Added
  • Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
  • scala: Improved support for Scala 3's optional braces. (LANG-218)
  • Added PowerShell language support (beta) with parsing and pattern matching (lang-233)
### Changed
  • Removed the experimental and undocumented command semgrep install-ci. (osemgrep-install-ci)

  • Migrate from publishing a single Linux wheel with the platform tag musllinux_1_0_<arch>.manylinux2014_<arch> to publishing two separate wheels:

    • A wheel with the platform tag musllinux_1_0_<arch>
    • A wheel with the platform tag manylinux2014_<arch>

    (pypi-linux-tag)

### Fixed
  • When performing parallel operations over a small number of input items, the
    engine no longer spawns more OCaml domains than we have items to process. This
    assists with resource utilisation. (engine-2588)
  • Fixed: Prevent SessionStart hook crash when inject-secure-defaults receives empty stdin (JSONDecodeError). (engine-2592)
  • Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the --secrets-timeout flag. (engine-2593)
  • Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)

v1.154.0

### Fixed
  • Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
  • Changed default memory policy from "eager" to "balanced". Scan times should
    noticeably improve; however, scans may use 5-10% additional memory. If running
    in a resource-constrained environment, consider setting the memory policy back
    to "aggressive". (engine-2055)
  • When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k files). Semgrep will now parallelize this work according to the number of jobs passed (-j) (engine-2512)
  • Fixed a performance issue where passing many scanning roots on the command
    line (e.g. semgrep scan $(git ls-files '*.py')) caused one semgrep-core
    subprocess to be spawned per file. Roots that are not directories are now
    handled directly in Python without any subprocess overhead. (gh-11404)
  • Scala: Restored parse rate after mistaken bug introduced by implicit block parsing fix (lang-215)

v1.153.0

Compare Source

### Added
  • Semgrep core is now optimized with flambda (flambda)
  • Scala: Support for for-yield (LANG-193)
### Fixed
  • Scala: Fixed a parsing bug where subsequent calls in an implicit block would not
    be considered at the same scope, e.g.

    ```scala
    def f (a: t) =
      foo()
      bar()
    ```

    (lang-194)

1.152.0 - 2026-02-17

### Added
  • Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

  • Turned on DNS rebinding protection for the MCP server (dns-check)

  • Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

  • Memory management policies

    A memory policy defines how OCaml's garbage collector should be configured for
    a scan. There are two initial policies: "aggressive", the current behaviour,
    which trades longer scan times for lower memory use, and "balanced", which
    finds a middle ground between reclaiming heap memory in short order while
    limiting how often the garbage collector runs. The policy can be configured
    via the --x-mem-policy CLI flag for the pro engine; this flag is unused in
    the OSS engine. (engine-2055)

  • Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@hex0punk) for the contribution! (gh-11347)

  • Allows case insensitive string comparisons using lower() and upper() like this:

    ```yaml
    - metavariable-comparison:
        metavariable: $VALUE
        comparison: upper(str($VALUE)) == "SEMGREP"
    ```

    (gh-11502)

  • Blocking findings that are output in the CI output are now labelled as such. (#4394)

### Changed
  • pro: There should be fewer FNs when the max number of fields to track per object
    is reached. (code-9224)
  • Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)
### Fixed
  • pro: Improved accuracy of taint tracking through assignments, this will help
    reduce FPs in some cases. (code-9220)
  • When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a
    longer period of time before retrying the request, to spread out requests
    during periods of app instability. (engine-2550)

1.151.0 - 2026-02-04

Added
  • Added progress indicators for symbol analysis calculation and upload during CI scans (sc-3103)
Fixed
  • bumped glom to at least version 23.3, which includes a fix to a SyntaxWarning
    warning log. (gh-11460)
  • Semgrep no longer prints info log lines from semgrep-core RPC calls when --trace is passed and --debug isn't (loglines)
  • Fixed the README not appearing in built wheels. (wheelreadme)

1.150.0 - 2026-01-29

Added
  • Connecting to the Semgrep MCP server via streamableHttp now requires OAuth. (saf-2453)
Changed
  • Migrated from pipenv to uv for ./cli package management (uv)
Fixed
  • pro: Improved virtual method resolution in Scala (code-9213)
  • Improved performance for supply chain scans by reducing pre-computation when printing the scan status. This results in slightly less information being displayed in the case that there are no rules to run. (gh-5436)
  • Supply Chain Analysis: fixed version range matching for NPM packages with versions containing a prerelease identifier such as -alpha in 1.2.3-alpha. (sc-3001)

1.149.0 - 2026-01-21

Added
  • Added a warning in --debug mode when a user runs a parallel scan with a larger
    value for -j/--jobs than the number of CPUs we detect the host has made
    available to Semgrep. Additionally, a suggested starting value for -j/--jobs
    is reported to give the user a place to start tuning their scan. (saf-2474)
  • Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)
Changed
  • The MCP server no longer supports SSE transport. (saf-2462)
Fixed
  • pro: Improved virtual method resolution in Java (code-9210)
  • pro: Improved virtual method resolution in Scala (code-9212)
  • Improve performance of scan planning, a part of the Python CLI, by reducing
    the cost of re-hashing Target objects. Performance should improve on
    large repo scans proportionally to the number of files in the repo. (gh-5407)
  • semgrep ci no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

1.148.0 - 2026-01-14

Added
  • Performance: subproject discovery in Supply Chain scans is no longer
    significantly slowed down by the presence of Git-untracked files
    resulting in faster diff scans in such cases. (sc-subproject-speedup)
Fixed
  • pro: Improved virtual method resolution in Java (code-9174)
  • pro: Improved handling of parse errors during inter-file analysis. Now, these
    errors should be adequately reported back to users and in the JSON output. (code-9216)
  • Dataflow now accounts for Python for/else and while/else loops. (gh-8405)
  • Fix rare "bad file descriptor" when performing Git operations on Windows (saf-2358)

1.147.0 - 2026-01-07

Added
  • Gradle lockfiles of the form gradle*.lockfile are now supported. Previously, only lockfiles named exactly gradle.lockfile were supported. (SC-2999)
  • semgrep login now supports a --force flag, which ignores existing tokens and starts a new login session. The MCP setup workflow has been updated to use --force too. (saf-2392)
Fixed
  • Deduplication should now pick the exact same findings across scans. Previously,
    findings were always equivalent, but not guaranteed to be exactly the same
    (e.g. metavariable bindings could differ). Depending on the rule and target code,
    this could cause findings' fingerprints to change from one scan to another, thus
    leading to finding flakiness and "cycling" in Semgrep App. Note that when
    upgrading to this Semgrep version, you may see different (but equivalent) findings
    wrt your current Semgrep version in the first scan, one more time. However, in
    subsequent scans/upgrades, this problem should go away or at least be greatly
    reduced. (saf-2304)

1.146.0 - 2025-12-17

Added
  • Added support for Cursor post-code-generation hooks via new record-file-edit and stop-cli-scan semgrep mcp flags (cursor-hooks)
  • Added skipped_paths field to CI scan results to report files that failed to scan due to errors (timeout, OOM, etc.), preventing the app from incorrectly marking findings in those files as fixed (gh-5122)
  • Symbol analysis, if enabled, now runs for Supply Chain only scans when calling semgrep ci. (sc-2927)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.22 to 3.23 (docker-version)
  • bumped the mcp python-sdk from 1.16.0 to 1.23.3 (mcp-version)
  • pro: [experimental] enabling and disabling transitive reachability
    analysis in semgrep ci regardless of app settings is now possible with
    --x-enable-transitive-reachability (or --x-tr)
    and --x-disable-transitive-reachability. (tr-flags)
Fixed
  • The PHP AST now distinguishes between if statements with no else clause and those with an explicit but empty else {}. (gh-11330)
  • git-lfs objects are now excluded from baseline scans, as they are usually binary files, or simply too large to scan. (saf-2020)
  • Fix an OCaml stdlib bug that would cause nondeterministic UnixErrors on Windows under the multicore runtime due to a race condition in the socketpair implementation (saf-2316)
  • Fixed an issue that in rare cases could lead timeouts to be mishandled. This typically manifested only through slightly different warning messages, but it is possible that more serious consequences could have occasionally resulted. (saf-2368)
  • Fixed symbol analysis incorrectly analyzing all files instead of only the relevant language files per ecosystem. (sc-3020)

1.145.2 - 2025-12-12

No significant changes.

1.145.1 - 2025-12-11

No significant changes.

1.145.0 - 2025-12-04

Added
  • Added optional user-prompting for classifying findings as true/false positives via MCP Elicitation in the MCP server (behind SEMGREP_FINDINGS_ELICITATION_ENABLED, off by default). (elicitation)
  • Added hook to inject secure-by-default library recommendations into Claude Code Agent context. (secure-defaults-hook)
Changed
  • Symbol analysis upload now runs before scan completion to ensure it is available during initial scan postprocessing. (sc-2933)
Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
  • The correct range for let ... in expressions in OCaml is now reported. Previously, the location of the let was omitted. This is mainly relevant for autofix. (ocaml-let)
  • Debug log lines concerning telemetry collection that are only relevant inside
    Semgrep's managed scanning environment are not emitted if a scan runs outside
    that environment. (saf-2321)
  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted (saf-default-jobs)

1.144.1 - 2025-12-04

Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted (saf-default-jobs)

1.144.0 - 2025-11-19

Fixed
  • pro: interfile scans no longer default to -j 1; instead, the number of
    available CPUs on the system is polled as part of a heuristic to determine how
    many threads should be spawned. (gh-4952)
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

1.143.3 - 2025-11-25

No significant changes.

1.143.2 - 2025-11-25

Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)

1.143.1 - 2025-11-14

Fixed
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

1.143.0 - 2025-11-12

Added
  • Dataflow will now understand empty block expressions as having unit value in
    more instances. (code-9141)
  • Parallel scans will now use shared-memory parallelism using multicore OCaml
    domains, rather than the legacy fork-join approach. Users can opt into the
    legacy method with the --x-parmap CLI flag, and this deprecates the --x-eio
    flag (since it is now the default behaviour). (saf-2271)
  • Add -k/ --hook flag to enable Semgrep scans via Claude Code Agent post-tool hooks (saf-2279)
Fixed
  • When running semgrep scan or semgrep ci, the progress bar now always ends at 100%. (SAF-2079)
  • Pro: fixed various bugs relating to Scala match expression handling in dataflow
    analysis (e.g., some branches being misordered, especially when matching
    multiple variables against non-integer literal patterns). (code-9144)
  • Semgrep will now emit better error messages when exceptions are raised at the beginning or end of scan (exit-message)
  • Enabled taint tracking into Goroutines, by treating them as regular Go function calls. (gh-11207)
  • Fixed missing Rust type alias translation. We can now
    accurately match the () type in a type declaration. (gh-11283)
  • fixed MCP semgrep_findings tool to accept single issue_type parameter and corrected identity string role parsing (saf-2282)

1.142.0 - 2025-10-30

Added
  • Pro: improved taint handling of match expressions in Scala. In examples like

    ```scala
    val x = taint match {
        case Some(t) => t
        case None => return "example"
    }
    ```

    dataflow should now track taint from taint to x. (code-9085)
  • pro: scala: http4s-specific support for case $M -> ... :? ... +& test +& ... => ... patterns. (code-9131)
Fixed
  • Supply Chain subproject resolution table is now shown even when no subprojects were successfully resolved (SC-2492)
  • UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies will be ignored. (SC-2888)
  • Failures in parsing UV lockfiles are now correctly reported as "Failed" rather than "Unsupported" (SC-2895)
  • build.gradle.kts files now resolve correctly when --allow-local-builds is passed. (SC-2899)
  • Rule parsing in 1.139.0 was switched to happen solely in semgrep-core. This caused some users to exit with code 7, so this change has been reverted. (saf-2265)

1.149.0 - 2026-01-21

Added
  • Added a warning in --debug mode when a user runs a parallel scan with a larger
    value for -j/--jobs than the number of CPUs we detect the host has made
    available to Semgrep. Additionally, a suggested starting value for -j/--jobs
    is reported to give the user a place to start tuning their scan. (saf-2474)
  • Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)
Changed
  • The MCP server no longer supports SSE transport. (saf-2462)
Fixed
  • pro: Improved virtual method resolution in Java (code-9210)
  • pro: Improved virtual method resolution in Scala (code-9212)
  • Improve performance of scan planning, a part of the Python CLI, by reducing
    the cost of re-hashing Target objects. Performance should improve on
    large repo scans proportionally to the number of files in the repo. (gh-5407)
  • semgrep ci no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

1.148.0 - 2026-01-14

Added
  • Performance: subproject discovery in Supply Chain scans is no longer
    significantly slowed down by the presence of Git-untracked files
    resulting in faster diff scans in such cases. (sc-subproject-speedup)
Fixed
  • pro: Improved virtual method resolution in Java (code-9174)
  • pro: Improved handling of parse errors during inter-file analysis. Now, these
    errors should be adequately reported back to users and in the JSON output. (code-9216)
  • Dataflow now accounts for Python for/else and while/else loops. (gh-8405)
  • Fix rare "bad file descriptor" when performing Git operations on Windows (saf-2358)

1.147.0 - 2026-01-07

Added
  • Gradle lockfiles of the form gradle*.lockfile are now supported. Previously, only lockfiles named exactly gradle.lockfile were supported. (SC-2999)
  • semgrep login now supports a --force flag, which ignores existing tokens and starts a new login session. The MCP setup workflow has been updated to use --force too. (saf-2392)
Fixed
  • Deduplication should now pick the exact same findings across scans. Previously,
    findings were always equivalent, but not guaranteed to be exactly the same
    (e.g. metavariable bindings could differ). Depending on the rule and target code,
    this could cause findings' fingerprints to change from one scan to another, thus
    leading to finding flakiness and "cycling" in Semgrep App. Note that when
    upgrading to this Semgrep version, you may see different (but equivalent) findings
    wrt your current Semgrep version in the first scan, one more time. However, in
    subsequent scans/upgrades, this problem should go away or at least be greatly
    reduced. (saf-2304)

1.146.0 - 2025-12-17

Added
  • Added support for Cursor post-code-generation hooks via new record-file-edit and stop-cli-scan semgrep mcp flags (cursor-hooks)
  • Added skipped_paths field to CI scan results to report files that failed to scan due to errors (timeout, OOM, etc.), preventing the app from incorrectly marking findings in those files as fixed (gh-5122)
  • Symbol analysis, if enabled, now runs for Supply Chain only scans when calling semgrep ci. (sc-2927)
Changed
  • Semgrep's Docker image base has been bumped from Alpine Linux 3.22 to 3.23 (docker-version)
  • bumped the mcp python-sdk from 1.16.0 to 1.23.3 (mcp-version)
  • pro: [experimental] enabling and disabling transitive reachability
    analysis in semgrep ci regardless of app settings is now possible with
    --x-enable-transitive-reachability (or --x-tr)
    and --x-disable-transitive-reachability. (tr-flags)
Fixed
  • The PHP AST now distinguishes between if statements with no else clause and those with an explicit but empty else {}. (gh-11330)
  • git-lfs objects are now excluded from baseline scans, as they are usually binary files, or simply too large to scan. (saf-2020)
  • Fix an OCaml stdlib bug that would cause nondeterministic UnixErrors on Windows under the multicore runtime due to a race condition in the socketpair implementation (saf-2316)
  • Fixed an issue that in rare cases could lead timeouts to be mishandled. This typically manifested only through slightly different warning messages, but it is possible that more serious consequences could have occasionally resulted. (saf-2368)
  • Fixed symbol analysis incorrectly analyzing all files instead of only the relevant language files per ecosystem. (sc-3020)

1.145.2 - 2025-12-12

No significant changes.

1.145.1 - 2025-12-11

No significant changes.

1.145.0 - 2025-12-04

Added
  • Added optional user-prompting for classifying findings as true/false positives via MCP Elicitation in the MCP server (behind SEMGREP_FINDINGS_ELICITATION_ENABLED, off by default). (elicitation)
  • Added hook to inject secure-by-default library recommendations into Claude Code Agent context. (secure-defaults-hook)
Changed
  • Symbol analysis upload now runs before scan completion to ensure it is available during initial scan postprocessing. (sc-2933)
Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
  • The correct range for let ... in expressions in OCaml is now reported. Previously, the location of the let was omitted. This is mainly relevant for autofix. (ocaml-let)
  • Debug log lines concerning telemetry collection that are only relevant inside
    Semgrep's managed scanning environment are not emitted if a scan runs outside
    that environment. (saf-2321)
  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted. (saf-default-jobs)

1.144.1 - 2025-12-04

Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
  • pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted. (saf-default-jobs)

1.144.0 - 2025-11-19

Fixed
  • pro: interfile scans no longer default to -j 1; instead, the number of
    available CPUs on the system is polled as part of a heuristic to determine how
    many threads should be spawned. (gh-4952)
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

1.143.3 - 2025-11-25

No significant changes.

1.143.2 - 2025-11-25

Fixed
  • Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)

1.143.1 - 2025-11-14

Fixed
  • Semgrep will no longer rarely crash when --trace is passed. (incid-280)

1.143.0 - 2025-11-12

Added
  • Dataflow will now understand empty block expressions as having unit value in
    more instances. (code-9141)
  • Parallel scans will now use shared-memory parallelism using multicore OCaml
    domains, rather than the legacy fork-join approach. Users can opt into the
    legacy method with the --x-parmap CLI flag, and this deprecates the --x-eio
    flag (since it is now the default behaviour). (saf-2271)
  • Add -k/ --hook flag to enable Semgrep scans via Claude Code Agent post-tool hooks (saf-2279)
Fixed
  • When running semgrep scan or semgrep ci, the progress bar now always ends at 100%. (SAF-2079)
  • Pro: fixed various bugs relating to Scala match expression handling in dataflow
    analysis (e.g., some branches being misordered, especially when matching
    multiple variables against non-integer literal patterns). (code-9144)
  • Semgrep will now emit better error messages when exceptions are raised at the beginning or end of scan (exit-message)
  • Enabled taint tracking into Goroutines, by treating them as regular Go function calls. (gh-11207)
  • Fixed missing Rust type alias translation. We can now
    accurately match the () type in a type declaration. (gh-11283)
  • fixed MCP semgrep_findings tool to accept single issue_type parameter and corrected identity string role parsing (saf-2282)

1.142.0 - 2025-10-30

Added
  • Pro: improved taint handling of match expressions in Scala. In examples like

    ```scala
    val x = taint match {
        case Some(t) => t
        case None => return "example"
    }
    ```

    dataflow should now track taint from taint to x. (code-9085)
  • pro: scala: http4s-specific support for case $M -> ... :? ... +& test +& ... => ... patterns. (code-9131)
Fixed
  • Supply Chain subproject resolution table is now shown even when no subprojects were successfully resolved (SC-2492)
  • UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies will be ignored. (SC-2888)
  • Failures in parsing UV lockfiles are now correctly reported as "Failed" rather than "Unsupported" (SC-2895)
  • build.gradle.kts files now resolve correctly when --allow-local-builds is passed. (SC-2899)
  • Rule parsing in 1.139.0 was switched to happen solely in semgrep-core. This caused some users to exit with code 7, so this change has been reverted. (saf-2265)

v1.151.0

Compare Source

### Added
  • Semgrep core is now optimized with flambda (flambda)
  • Scala: Support for for-yield (LANG-193)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 69ba220 to d038471 Compare December 8, 2025 14:04
@renovate renovate bot changed the title Update dependency semgrep to >=1.145,<1.146 Update all non-major dependencies Dec 8, 2025
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from ced2fc2 to 5247aed Compare December 20, 2025 18:09
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 3f35a32 to dc98e5f Compare January 13, 2026 04:39
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 98a2fa1 to 5ad5d2c Compare January 22, 2026 00:40
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 556cee3 to a4b20f7 Compare February 4, 2026 21:44
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from a4b20f7 to aaa8d88 Compare February 18, 2026 01:42
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 98b1d4b to 09df190 Compare March 4, 2026 21:53
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 182e262 to e56752d Compare March 12, 2026 04:58
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from ea8501e to 5afdc9f Compare March 18, 2026 01:08
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 5afdc9f to 51d85ec Compare March 23, 2026 09:22