chore(deps): bump semgrep from 1.151.0 to 1.157.0#1348

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/main/semgrep-1.157.0

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps semgrep from 1.151.0 to 1.157.0.

Release notes

Sourced from semgrep's releases.

Release v1.157.0

1.157.0 - 2026-03-31

### Added

  • pro: Improved taint tracking through lambda calls. (LANG-268)
  • It is now possible to match a class name like in $C.getInstance(...), and then use metavariable-type on $C to check its type. (LANG-271)
  • pro: Improve cross-file taint tracking for globals. (LANG-275)

### Changed

  • Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
  • pro: Improved golang module resolution. (code-9225)
  • Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)

### Fixed

  • Fix Rust parsing of "&raw" where "raw" is an identifier. (rust-parser-updated)
  • Errors during target file discovery (e.g., permission errors, git failures) are now surfaced as warnings instead of being silently ignored. (ENGINE-2627)
  • kotlin: Fixed bug parsing FQNs in metavariable-type. (LANG-271)
  • Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names. (SC-3379)
  • Prevented certain deeply nested aliengrep matches from segfaulting semgrep-core. (engine-2628)
  • Fix Python parsing for files that contain empty strings (or quotes in docstrings) along with match statements. (gh-11287)
  • Fix rule paths.include/paths.exclude filtering when a single file is passed as a scan target. Previously, path patterns like '/src/test//*.java' would not match because only the filename was used for filtering instead of the full project-relative path. (gh-11560)
  • Pro: Improved type resolution in Scala (lang-79)
  • Pro: Improved call resolution in Scala for parameterless methods (lang-80)

Release v1.156.0

1.156.0 - 2026-03-17

### Changed

  • The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)

### Fixed

  • Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
  • Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
  • Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

Release v1.155.0

1.155.0 - 2026-03-11

### Added

  • Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
  • scala: Improved support for Scala 3's optional braces. (LANG-218)
  • Added PowerShell language support (beta) with parsing and pattern matching (lang-233)

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.157.0 - 2026-03-31

### Added

  • pro: Improved taint tracking through lambda calls. (LANG-268)
  • It is now possible to match a class name like in $C.getInstance(...), and then use metavariable-type on $C to check its type. (LANG-271)
  • pro: Improve cross-file taint tracking for globals. (LANG-275)

### Changed

  • Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
  • pro: Improved golang module resolution. (code-9225)
  • Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)

### Fixed

  • Fix Rust parsing of "&raw" where "raw" is an identifier. (rust-parser-updated)
  • Errors during target file discovery (e.g., permission errors, git failures) are now surfaced as warnings instead of being silently ignored. (ENGINE-2627)
  • kotlin: Fixed bug parsing FQNs in metavariable-type. (LANG-271)
  • Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names. (SC-3379)
  • Prevented certain deeply nested aliengrep matches from segfaulting semgrep-core. (engine-2628)
  • Fix Python parsing for files that contain empty strings (or quotes in docstrings) along with match statements. (gh-11287)
  • Fix rule paths.include/paths.exclude filtering when a single file is passed as a scan target. Previously, path patterns like '/src/test//*.java' would not match because only the filename was used for filtering instead of the full project-relative path. (gh-11560)
  • Pro: Improved type resolution in Scala (lang-79)
  • Pro: Improved call resolution in Scala for parameterless methods (lang-80)

1.156.0 - 2026-03-17

### Changed

  • The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)

### Fixed

  • Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
  • Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
  • Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

1.155.0 - 2026-03-11

### Added

  • Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
  • scala: Improved support for Scala 3's optional braces. (LANG-218)
  • Added PowerShell language support (beta) with parsing and pattern matching (lang-233)

### Changed

... (truncated)

Commits
  • caad1d5 chore: release version 1.157.0
  • ff9063a semgrep/semgrep-proprietary#5996
  • ba442a0 Update bump version script to account for exclude-newer line (semgrep/semgrep...
  • b3d040f tainting: Defensively require real sources in findings (semgrep/semgrep-propr...
  • 30674e0 Print unexpected diff in uv.lock during release (semgrep/semgrep-proprietary#...
  • 78e46d4 pro: tainting: Add globals' inferred taints to input envs (semgrep/semgrep-pr...
  • f915e9f chore: cleanup compute taint configs for parallel (semgrep/semgrep-proprietar...
  • 9d2ce1d semgrep/semgrep-proprietary#5985
  • 93a2c71 semgrep/semgrep-proprietary#5983
  • aaafc5f chore(dist): add option to dump and restore scan config for distributed scans...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 6, 2026
@dependabot dependabot bot requested a review from behnazh-w as a code owner April 6, 2026 11:34
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 6, 2026
Bumps [semgrep](https://github.com/semgrep/semgrep) from 1.151.0 to 1.157.0.
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.151.0...v1.157.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-version: 1.157.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/main/semgrep-1.157.0 branch from 2d50712 to 281f292 Compare April 10, 2026 04:58