chore(deps)(deps): bump the evaluator-deps group in /scripts/aidlc-evaluator with 4 updates#257

Merged
mayakost merged 2 commits into
mainfrom
dependabot/uv/scripts/aidlc-evaluator/evaluator-deps-86d83405d2
May 11, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github May 9, 2026

Bumps the evaluator-deps group in /scripts/aidlc-evaluator with 4 updates: boto3, semgrep, strands-agents and strands-agents-tools.

Updates boto3 from 1.43.2 to 1.43.6

Commits

Updates semgrep from 1.161.0 to 1.162.0

Release notes

Sourced from semgrep's releases.

Release v1.162.0

1.162.0 - 2026-05-07

### Added

  • pro: Improved support for tracking taint through nested functions. (LANG-95)
  • Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)

### Changed

  • Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
  • Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
  • MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)

### Fixed

  • jsonnet: import and importstr now reject paths that resolve outside the rule file's parent directory. (ENGINE-2727)
  • semgrep ci: redact URL-embedded credentials and Authorization header values from git error messages and from the captured tracebacks sent to the fail-open telemetry endpoint, preventing leaks of secrets like CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
  • semgrep ci no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
  • semgrep CLI: the on-disk log file (~/.semgrep/semgrep.log or $SEMGREP_LOG_FILE) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass --debug to restore the previous behavior. (ENGINE-2730)
  • jsonnet rules: bound recursion in both rule loading and evaluation so a malicious rule can no longer hang semgrep via mutually-recursive imports or runtime function calls that recurse forever. (ENGINE-2727-dos)
  • Scala: Merging consecutive top-level package declarations into a single package path. (LANG-374)
  • Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
  • Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
  • Surface a clearer error from the MCP scan tool when metrics is off and auto config is specified (gh-11649)
  • Fixed unknown option error when spawning the MCP daemon (gh-11660)
Commits
  • f353aa4 chore: release version 1.162.0
  • 46aa0f4 semgrep/semgrep-proprietary#6254
  • db71a66 logging: do not log debug lines to disk without --debug (semgrep/semgrep-prop...
  • f6a11d7 Revert "feat(logging): always log with debug level to a file" unit test (semg...
  • a77b88d Revert "logging: do not log debug lines to disk without --debug" (semgrep/sem...
  • b78e3b3 semgrep/semgrep-proprietary#6218
  • 8506fd7 fix(mcp): allow semgrep_findings to query other branches and unrated findings...
  • ffd9b97 fix: throw an MCP error when metrics are off and auto config is used (semgrep...
  • 33f6e6d semgrep/semgrep-proprietary#6241
  • 89d279e semgrep/semgrep-proprietary#6217
  • Additional commits viewable in compare view

Updates strands-agents from 1.26.0 to 1.39.0

Release notes

Sourced from strands-agents's releases.

v1.39.0

What's Changed

New Contributors

Full Changelog: strands-agents/sdk-python@v1.38.0...v1.39.0

v1.38.0

What's Changed

New Contributors

... (truncated)

Commits
  • ead3179 fix: integration test updates (#2262)
  • fc386a3 feat(a2a): implement full A2A task lifecycle state support (#2245)
  • 980bc91 fix: correct MCPClient.exit and stop() type annotations (#2248)
  • 800e7c4 feat: add useNativeTokenCount flag to skip token counting API calls (#2255)
  • 6b0df9a fix: cache unsupported models for bedrocks token counting (#2250)
  • d94d516 fix: fix count tokens for bedrock models (#2254)
  • 559b2a0 feat: add context window limit lookup table (#2249)
  • 8638fc2 fix: include root cause in MCPClientInitializationError message (#2238)
  • a245e6d feat: enable openai provider use aws profile (#2230)
  • 6e208a8 feat(bedrock): add strict_tools config with auto-inject of additional… (#2213)
  • Additional commits viewable in compare view

Updates strands-agents-tools from 0.2.23 to 0.5.2

Release notes

Sourced from strands-agents-tools's releases.

v0.5.2

What's Changed

New Contributors

Full Changelog: strands-agents/tools@v0.5.1...v0.5.2

v0.5.1

What's Changed

Full Changelog: strands-agents/tools@v0.5.0...v0.5.1

v0.5.0

What's Changed

New Contributors

Full Changelog: strands-agents/tools@v0.4.1...v0.4.2

What's Changed

New Contributors

Full Changelog: strands-agents/tools@v0.4.1...v0.5.0

v0.4.1

What's Changed

Full Changelog: strands-agents/tools@v0.4.0...v0.4.1

v0.4.0

What's Changed

... (truncated)

Commits
  • d5376f0 fix(shell): close PTY file descriptor to prevent resource leak (#369)
  • 4ab97ef feat(exa): add highlights, max_age_hours, instant search type, and new catego...
  • 4de42a0 fix(rss): prevent path traversal via unvalidated feed_id in get_feed_file_pat...
  • 34146fe docs: update repository guidelines for new tools policy (#445)
  • e172b1b fix: add namespace validation and fix TOCTOU in elasticsearch memory … (#447)
  • 53851d8 feat(exa): remove deprecated neural/keyword search types, add deep (#411)
  • cbb9010 fix: use console util to allow output suppression (#436)
  • a2b9553 fix: mem0_memory - Replace direct Console initialization with console_util (#...
  • b0c8f30 docs: add use_agent, graph, and elasticsearch_memory to README (#431)
  • 0af4fd7 fix: add info-level logging when auth token is resolved from environment vari...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
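The most consequential item in the semgrep 1.162.0 notes above is ENGINE-2728: credentials embedded in a fetch URL (the `gitlab-ci-token:$CI_JOB_TOKEN@` form a GitLab runner uses) or in an `Authorization` header were previously passed through verbatim into git error messages and fail-open telemetry. The block below is an added example of that redaction technique and is not semgrep's implementation: it scrubs URL-embedded credentials and header values by pattern, then does a second pass with the known secret values themselves so a token that appears outside a URL (say, in a traceback) is caught too, and finishes with a check that nothing known leaked. Function names, the regexes, the environment-variable names in `secrets_from_env`, and the sample git error lines are all assumptions constructed for this example.

```python
"""Redact credentials from git error output before it is logged or shipped.

Added example, not semgrep's code: it demonstrates the scrubbing the 1.162.0
release notes describe for `semgrep ci` (ENGINE-2728), applied to constructed
sample lines. Function names, patterns and sample data are assumptions.
"""
import os
import re

REDACTED = "<redacted>"

# user:password@ (or token@) embedded in an http(s) URL, the form a GitLab
# runner uses: https://gitlab-ci-token:$CI_JOB_TOKEN@host/group/repo.git
_URL_CRED_RE = re.compile(r"(?i)(https?://)[^/\s@]+@")

# Authorization header values, e.g. from `git -c http.extraheader=...`.
# The scheme word (Basic/Bearer/token) is kept so the log stays readable;
# only the credential that follows it is replaced.
_AUTH_HEADER_RE = re.compile(
    r"(?i)(authorization\s*[:=]\s*)((?:basic|bearer|token)\s+)?(\S+)"
)


def redact_git_error(text: str) -> str:
    """Pattern-based redaction; host and path of the URL are preserved."""
    text = _URL_CRED_RE.sub(lambda m: f"{m.group(1)}{REDACTED}@", text)
    text = _AUTH_HEADER_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2) or ''}{REDACTED}", text
    )
    return text


def secrets_from_env() -> tuple[str, ...]:
    """Values that must never reach a log or telemetry payload, whatever
    shape they take in the text. The variable names are the usual CI ones
    (assumption for this example)."""
    names = ("CI_JOB_TOKEN", "CI_REGISTRY_PASSWORD", "GITHUB_TOKEN")
    return tuple(v for v in (os.environ.get(n) for n in names) if v)


def scrub_before_send(payload: str, known_secrets: tuple[str, ...] = ()) -> str:
    """Redact by pattern, then replace any known secret value that survived
    (a token that appears outside a URL, e.g. inside a traceback)."""
    out = redact_git_error(payload)
    for secret in known_secrets:
        if len(secret) >= 8:  # never mask short strings everywhere they occur
            out = out.replace(secret, REDACTED)
    return out


def leaked_secrets(text: str, known_secrets: tuple[str, ...]) -> list[str]:
    """Post-condition check: which known secrets still occur in `text`."""
    return [s for s in known_secrets if s and s in text]


# Constructed sample lines: not real tokens and not captured git output.
SAMPLE_SECRETS = ("EXAMPLE_JOB_TOKEN", "EXAMPLE_PAT", "dXNlcjpzM2NyM3Q=")
SAMPLE_GIT_ERRORS = [
    "fatal: unable to access 'https://gitlab-ci-token:EXAMPLE_JOB_TOKEN@gitlab.example.com/group/repo.git/': The requested URL returned error: 403",
    "fatal: could not read from remote repository 'https://x-access-token:EXAMPLE_PAT@github.com/org/repo.git'",
    "error: http.extraheader=Authorization: Basic dXNlcjpzM2NyM3Q= rejected by server",
    "fatal: repository 'https://git.example.com/org/repo.git' not found",
]

if __name__ == "__main__":
    scrubbed = scrub_before_send("\n".join(SAMPLE_GIT_ERRORS), SAMPLE_SECRETS)
    print(scrubbed)
    print("leaked:", leaked_secrets(scrubbed, SAMPLE_SECRETS))
```

The value-based second pass matters more than the regexes: patterns only cover the shapes you thought of, whereas replacing the actual `CI_JOB_TOKEN` value catches it wherever it surfaces. Running `leaked_secrets` on the final payload before it leaves the process is the check that turns this from best effort into an enforced invariant.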

Bumps the evaluator-deps group in /scripts/aidlc-evaluator with 4 updates: [boto3](https://github.com/boto/boto3), [semgrep](https://github.com/semgrep/semgrep), [strands-agents](https://github.com/strands-agents/sdk-python) and [strands-agents-tools](https://github.com/strands-agents/tools).


Updates `boto3` from 1.43.2 to 1.43.6
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.43.2...1.43.6)

Updates `semgrep` from 1.161.0 to 1.162.0
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.161.0...v1.162.0)

Updates `strands-agents` from 1.26.0 to 1.39.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](strands-agents/sdk-python@v1.26.0...v1.39.0)

Updates `strands-agents-tools` from 0.2.23 to 0.5.2
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](strands-agents/tools@v0.2.23...v0.5.2)

---
updated-dependencies:
- dependency-name: boto3
  dependency-version: 1.43.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: evaluator-deps
- dependency-name: semgrep
  dependency-version: 1.162.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: evaluator-deps
- dependency-name: strands-agents
  dependency-version: 1.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: evaluator-deps
- dependency-name: strands-agents-tools
  dependency-version: 0.5.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: evaluator-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
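Two of the bumped packages carry the same class of fix: semgrep 1.162.0 now rejects jsonnet `import`/`importstr` targets that resolve outside the rule file's parent directory (ENGINE-2727), and strands-agents-tools commit 4de42a0 closes a path traversal via an unvalidated `feed_id`. Both reduce to one check, shown below as an added example that is neither project's code: resolve the untrusted path against its base after following symlinks and collapsing `..`, and refuse anything that does not stay under the base. For an opaque identifier like a feed id, validate it as an identifier before it ever touches the filesystem and keep the confinement check as the second line of defence. The function names, the feed-id alphabet and the throwaway directory tree in `demo_tree` are assumptions constructed for this example.

```python
"""Confine untrusted relative paths to a base directory.

Added example (not semgrep's or strands-agents-tools' own code): the check
behind semgrep's ENGINE-2727 jsonnet import fix and the strands-agents-tools
feed_id traversal fix. Names, the feed-id alphabet and the demo tree are
assumptions.
"""
import os
import re
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when an untrusted path would land outside its base directory."""


def resolve_within(base_dir: Path, untrusted: str) -> Path:
    """Join `untrusted` onto `base_dir` and return the resolved path, or raise
    PathEscapeError if the result (after following symlinks and collapsing
    `..`) is not inside `base_dir`. An absolute `untrusted` is rejected too:
    `Path / "/abs"` discards the base, so the result is outside it."""
    base = base_dir.resolve()
    candidate = (base / untrusted).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathEscapeError(f"{untrusted!r} escapes {base}") from None
    return candidate


def is_confined(base_dir: str, untrusted: str) -> bool:
    """Boolean wrapper around resolve_within, used by the demo."""
    try:
        resolve_within(Path(base_dir), untrusted)
        return True
    except PathEscapeError:
        return False


# A feed id is an opaque identifier, not a path: allow-list its alphabet
# (assumed here) before it becomes part of a filename.
_FEED_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def safe_feed_path(store_dir: Path, feed_id: str) -> Path:
    """Map a feed id to its on-disk file; rejects ids that are not plain
    identifiers and, as defence in depth, any path that escapes the store."""
    if not _FEED_ID_RE.fullmatch(feed_id):
        raise ValueError(f"invalid feed_id {feed_id!r}")
    return resolve_within(store_dir, f"{feed_id}.json")


def demo_tree() -> dict:
    """Build a throwaway tree (constructed sample data) and exercise the
    checks; returns a name -> outcome map."""
    root = Path(tempfile.mkdtemp())
    rules = root / "rules"
    rules.mkdir()
    (rules / "common.libsonnet").write_text("{}")
    (root / "secret.txt").write_text("outside the rules directory")
    results = {
        "sibling": is_confined(str(rules), "common.libsonnet"),
        "dotdot": is_confined(str(rules), "../secret.txt"),
        "absolute": is_confined(str(rules), str(root / "secret.txt")),
        "nested_dotdot": is_confined(str(rules), "sub/../../secret.txt"),
    }
    try:
        # A symlink inside the base that points outside must be refused too.
        os.symlink(root / "secret.txt", rules / "link.libsonnet")
        results["symlink_out"] = is_confined(str(rules), "link.libsonnet")
    except OSError:
        results["symlink_out"] = "skipped"  # platform without symlink support
    results["feed_ok"] = safe_feed_path(root, "news-2026_05").name
    try:
        safe_feed_path(root, "../secret")
        results["feed_traversal"] = "accepted"
    except ValueError:
        results["feed_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo_tree().items():
        print(f"{name:14} {outcome}")
```

Note that a purely lexical check (scanning for `..`) would pass the symlink case, which is why the comparison is done on the `resolve()`d paths; the cost is one stat per component, which is negligible next to parsing a rule file.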
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 9, 2026
@Kalindi-Dev Kalindi-Dev left a comment

LGTM

@mayakost mayakost added this pull request to the merge queue May 11, 2026
Merged via the queue into main with commit 6cd8d37 May 11, 2026
21 checks passed
@mayakost mayakost deleted the dependabot/uv/scripts/aidlc-evaluator/evaluator-deps-86d83405d2 branch May 11, 2026 16:09