Releases: semgrep/semgrep-interfaces

Release v1.128.0

03 Jul 20:22
80fa4d2

1.128.0 - 2025-07-03

Added

  • HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g. HTTP_PROXY=domain.com:port). (saf-2082)

Fixed

  • Java: Deprecated the `class $A` partial class pattern in favor of `class $A { ... }`. (safe-2104)

Release 1.127.1

27 Jun 17:43
80fa4d2
  • No new changes

Release v1.127.0

24 Jun 19:24
80fa4d2

1.127.0 - 2025-06-24

Fixed

  • pro: typescript: Prevent stack overflows and out-of-memory issues when reading
    TS configs. (code-8678)

Release v1.126.0

18 Jun 18:18
02c7c65

1.126.0 - 2025-06-18

Fixed

  • Missing version constraints in yarn.lock descriptors no longer raise parsing errors (sc-2293)

Release v1.125.0

12 Jun 00:20
02c7c65

1.125.0 - 2025-06-11

Added

  • Dependency resolution errors that result from local builds are now reported in the scan log by default. (SC-2442)
  • Adds reporting of SSC subproject dependency resolution to the output when using --json. (SC-2458)
  • Semgrep's JSON output will now always include some basic profiling data (WIP). (code-8529)
  • C# Dependency Parsing can now handle dependencies with "Project" & "CentralTransitive" transitivities. (sc-2376)

Fixed

  • Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)
  • Added support for npm aliasing in package-lock.json, fixing a bug where packages would rarely be misidentified. (SC-2387)
  • Fixed scenario where case statements with ellipsis did not match patterns correctly. (gh-10086)
  • Nosemgrep ignore comments no longer require exactly one space before, allowing for more commenting styles. (gh-11041)
  • Fixed bug where JavaScript autofix broke syntax for if statements by consuming parentheses. (gh-9522)
  • Fix: the Semgrep findings returned by the Semgrep language server (LSP)
    are now sorted correctly based on their location within files.
    This benefits all the Semgrep IDE extensions (VSCode, IntelliJ). (ide-findings-order)
  • Fixed an issue where semgrep ci logs in GitLab would return an incorrect URL
    with the wrong &ref=... argument. (saf-959)

Release v1.124.0

05 Jun 00:47
75ab2f3

1.124.0 - 2025-06-04

Added

  • Parallelizes rule validation to improve performance when scanning with many rule files. (SAF-2061)
  • Semgrep should now respect ALL_PROXY, HTTP_PROXY, HTTPS_PROXY,
    NO_PROXY, PROXY_USERNAME and PROXY_PASSWORD for all networking (including
    that done via the OCaml components). Moreover, the environment variable
    OCAML_EXTRA_CA_CERTS should now allow additional CA certs to be used for
    network operations done by OCaml components. (code-8157)

Fixed

  • Stop attempting to parse build.gradle.kts files as build.gradle. (SC-2209)
  • Taint rules using the experimental feature labels, and specifying sinks
    with a requires: of the form not A, could produce findings with an empty
    list of traces, potentially causing a crash. We now recognize the issue and
    prevent the crash from happening. (code-8531)
  • Fixed inconsistency where the empty Python fstring f"" was not matched by the pattern "...". (gh-10047)
  • Fixed bug where dev dependencies (and their dependencies, and so on) were incorrectly marked as "transitivity: unknown" when parsing package-lock.json projects, specifically v3 lockfiles. (gh-4003)
  • Fixed scenario where a multiplication expression of ints was not considered an int. This will help with metavariable-type. Concretely, "2 * groups" was not considered an int, where groups is an int. Additionally adds type inference for mod, floor division, and pow. (gh-9855)
  • pro: python: Fixed a regression that could (in rare cases) cause naming to take a
    disproportionate amount of time significantly slowing down scans. (saf-1978)

Release v1.124.1

11 Jun 17:50
75ab2f3

What's Changed

  • No new changes

Full Changelog: v1.124.0...v1.124.1

Release v1.123.0

28 May 21:17
0ee9aca

1.123.0 - 2025-05-28

Fixed

  • Fixed bug where supply chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable. (SC-2088)
  • Fixed documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in. (gh-11028)

Release v1.122.0

14 May 22:38
bc7f736

1.122.0 - 2025-05-14

Added

  • Adds support for the UV package manager in Supply Chain scans. (SC-1900)

Fixed

  • pro: Fixed an inter-file naming bug affecting Go's struct methods that could result
    in false negatives.

    Previously, adding a pattern-inside like

        func ($THING $TYPE) $FUNC(...) $R { ... }

    to a taint rule could cause some findings to incorrectly stop being reported. (code-7767)

  • PRO: Fixed the issue with type matching when a type has a type parameter, e.g., matching the pattern std::vector<$T> with the code std::vector<int> v in C++. (code-8443)

  • Make Nuget dependency child parsing case insensitive (sc-2355)

  • Fixed bug where direct dev dependencies were not marked as direct when parsing package-lock.json projects. (sc-dev)

Release v1.119.0

16 Apr 05:24
5fdd22f

1.119.0 - 2025-04-16

Added

  • python: Semgrep will now perform dataflow analysis within and through comprehensions. (saf-1560)
  • A new subcommand semgrep show project-root is now provided to display
    the project root path associated with a scan root. This is useful for
    troubleshooting Semgrepignore (v2) issues. (saf-1936)

Fixed

  • tainting: Apply taint_assume_safe_numbers and taint_assume_safe_booleans
    earlier when deciding whether to track taint through class fields and function
    parameters. If the field/parameter has a number/Boolean type and the
    corresponding option is set, it will simply not be tracked. In some cases this
    can help with performance.

    Also added short/Short to the list of integer types recognized by
    taint_assume_safe_numbers. (code-8345)

  • IDE: The Semgrep VS Code Extension will no longer hang on Getting code actions from Semgrep...
    on saving a file, when updating rules. (saf-1954)