chore(deps): bump semgrep from 1.113.0 to 1.140.0

[dependabot]

Bumps semgrep from 1.113.0 to 1.140.0.

Release notes

Sourced from semgrep's releases.

Release v1.140.0

1.140.0 - 2025-10-16

Added

• scala: Allow partial case patterns such as case 1 => ... to easily match individual case clauses within a match-expression. (code-9118)
• Added python 3.14 support. (gh-11250)
• MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)

Changed

• Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)

Fixed

• Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
• Display an error instead of a malformed success message when the show subcommand fails due to an invalid CLI token. (grow-630)
• new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
• Fixed an issue where temporary files, containing rules to be validated, persisted after a semgrep scan. (saf-2257)
• MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
• MCP: Fixed a bug where resource closure errors would occur when trying to use the MCP with the streamable-http tranport method. (saf-2264)

Release v1.139.0

1.139.0 - 2025-09-30

Added

• --pro-intrafile scans will now add built-in taint propagators, like --pro does, hence producing extra findings. For example, in Java, list.add(taint) will now make list tainted even if the rule does not explicitly request that. Scan times should not be generally affected in a significant way. (code-9103)
• Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
• Associate Containerfiles with the dockerfile language (gh-11091)

Changed

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.140.0 - 2025-10-16

Added

• scala: Allow partial case patterns such as case 1 => ... to easily match individual case clauses within a match-expression. (code-9118)
• Added python 3.14 support. (gh-11250)
• MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)

Changed

• Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)

Fixed

• Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
• Display an error instead of a malformed success message when the show subcommand fails due to an invalid CLI token. (grow-630)
• new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
• Fixed an issue where temporary files, containing rules to be validated, persisted after a semgrep scan. (saf-2257)
• MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
• MCP: Fixed a bug where resource closure errors would occur when trying to use the MCP with the streamable-http tranport method. (saf-2264)

1.139.0 - 2025-09-30

Added

• --pro-intrafile scans will now add built-in taint propagators, like --pro does, hence producing extra findings. For example, in Java, list.add(taint) will now make list tainted even if the rule does not explicitly request that. Scan times should not be generally affected in a significant way. (code-9103)
• Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
• Associate Containerfiles with the dockerfile language (gh-11091)

Changed

• Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#4346, #4269, #4379) (gh-4379)

... (truncated)

Commits

• 5a5d862 chore: release version 1.140.0
• e3c8e5esemgrep/semgrep-proprietary#4814
• 377c17csemgrep/semgrep-proprietary#4775
• 5b1e32bsemgrep/semgrep-proprietary#4780
• 2ef59b1 fix(mcp): fix resource closure in streamable-http (semgrep/semgrep-proprietar...
• 5dc037asemgrep/semgrep-proprietary#4790
• fa99b7bsemgrep/semgrep-proprietary#4789
• 104c857semgrep/semgrep-proprietary#4808
• a9b7ab6 Add OCaml end-to-end tests for transitive reachability (semgrep/semgrep-prop...
• 84a98b2 chore(ux): Avoid task failed successfully case for show subcommand (semgrep...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)