Sourced from semgrep's releases.

Release v1.93.0

1.93.0 - 2024-10-23

Added

• Improved naming for Common JS module imports (require) in arbitrary expression contexts. Notably, in-line use of require should now be linked to the correct module. For instance, the pattern foo.bar should now match against require('foo').bar and taint is likewise similarily tracked. (code-7485)
• Secrets: semgrep ci output now includes a list of all secrets rules which generated at least one blocking finding (similar to Code) (code-7663)
• Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
• Expanded support for pip requirement lockfiles is now available by default. Semgrep will now find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt). The existing experimental flag --enable-experimental-requirements is now deprecated and will be removed in a future release. (gh-2441)

Changed

• Removed support for Vue. The tree-sitter grammar has not been updated in 3 years, there was no community rules added and semgrep-vue is causing linking conflicts when compiling semgrep under Windows so just simpler to remove support for Vue. In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

• semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

Release v1.92.0

1.92.0 - 2024-10-17

Added

• Pro: taint-mode: Semgrep has now basic support to track taint through callbacks, when they lead to a sink, e.g.:

  function unsafe_callback(x) {
    sink(x); // finding here now !
  }
  function withCallback(val, callback) {
  
  callback(val);
  
  

... (truncated)

Sourced from semgrep's changelog.

1.93.0 - 2024-10-23

Added

• Improved naming for Common JS module imports (require) in arbitrary expression contexts. Notably, in-line use of require should now be linked to the correct module. For instance, the pattern foo.bar should now match against require('foo').bar and taint is likewise similarily tracked. (code-7485)
• Secrets: semgrep ci output now includes a list of all secrets rules which generated at least one blocking finding (similar to Code) (code-7663)
• Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
• Expanded support for pip requirement lockfiles is now available by default. Semgrep will now find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt). The existing experimental flag --enable-experimental-requirements is now deprecated and will be removed in a future release. (gh-2441)

Changed

• Removed support for Vue. The tree-sitter grammar has not been updated in 3 years, there was no community rules added and semgrep-vue is causing linking conflicts when compiling semgrep under Windows so just simpler to remove support for Vue. In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

• semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

1.92.0 - 2024-10-17

Added

• Pro: taint-mode: Semgrep has now basic support to track taint through callbacks, when they lead to a sink, e.g.:

  function unsafe_callback(x) {
    sink(x); // finding here now !
  }
  function withCallback(val, callback) {
  
  callback(val);
  
  }
  
  

... (truncated)

• 09228d4 chore: release version 1.93.0
• d79eed5semgrep/semgrep-proprietary#2464
• 67606f5semgrep/semgrep-proprietary#2424
• 5573c48 feat(scala): .apply() as newsemgrep/semgrep-proprietary#2457
• cfbb734 fix: reap parmap children and report exit codes (semgrep/semgrep-proprietary#...
• e19cf10semgrep/semgrep-proprietary#2454
• 88a15a0 refactor: Pos.t.file from string -> Fpath.t (and 3 new calls to the unified F...
• 227d4f7semgrep/semgrep-proprietary#2117
• 6377805semgrep/semgrep-proprietary#1881
• 0357124 chore: Notify semgrep-cli-release when develop has failing tests (semgrep/sem...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)