chore(deps): bump semgrep from 1.151.0 to 1.159.0

[dependabot]

Bumps semgrep from 1.151.0 to 1.159.0.

Release notes

Sourced from semgrep's releases.

Release v1.159.0

1.159.0 - 2026-04-10

### Fixed

• Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)

Release v1.158.0

1.158.0 - 2026-04-09

### Added

• Added support for a supply chain hook for the Semgrep Plugin (supply-chain-hook)
• Computing taint configs, ~1/4-1/2 of the semgrep-core time in interfile scans, is now done in parallel according to the number of jobs (ENGINE-2649)
• Semgrep Pro interfile engine (--pro) taint analysis has been redesigned, significantly improving performance (estimated 20-40% improvement). This improvement introduces a slight change in how findings are generated, that may result in more true positives, or less false positives. To revert to previous behavior, pass --no-x-run-taint-once as a flag. (engine-2468)

### Changed

• semgrep-core macOS binaries are now dynamically linked to the system's libraries. (macos-binary-build)
• semgrep-core manylinux binaries are now dynamically linked to the system's glibc on glibc systems. This introduces a minimum glibc version requirement of >=2.35, which is satisfied in Ubuntu >=22.04, Debian >=12, RHEL >=10, and other glibc distributions with at least glibc 2.35. Linux systems running an older glibc will need to upgrade their OS. (manylinux-binary-build)
• The manylinux wheel is now tagged as manylinux_2_35_, reflecting a minimum requirement of glibc version 2.35. (manylinux-wheel-tag)
• semgrep-core musllinux binaries are now dynamically linked to the system's musl libc on musl systems. (musllinux-binary-build)
• The musllinux PyPI wheel is now tagged as musllinux_1_2_, reflecting a requirement of musl libc version 1.2. (musllinux-wheel-tag)
• The LSP and MCP servers now use the v2 config download endpoint by default when fetching rules from Semgrep AppSec Platform. Set SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1 to fall back to the legacy endpoint. (SMS-2284)

### Fixed

• Fixed IDE login issues where network errors during token verification were incorrectly clearing the saved token. The LSP now distinguishes 401 Unauthorized (invalid token) from other errors (e.g. network failures), surfacing appropriate messages instead. (ide-login)
• Fixed SARIF taint trace output: step locations now use the correct file URI, and the full taint sink call trace is included in codeFlows. (engine-2570)
• The --x-mem-policy flag now propagates to the RPC subprocess, fixing memory tuning for dependency resolution and other RPC-based operations. (pylon-20772)

Release v1.157.0

1.157.0 - 2026-03-31

### Added

• pro: Improved taint tracking through lambda calls. (LANG-268)
• It is now possible to match a class name like in $C.getInstance(...), and then use metavariable-type on $C to check its type. (LANG-271)
• pro: Improve cross-file taint tracking for globals. (LANG-275)

### Changed

• Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
• pro: Improved golang module resolution. (code-9225)
• Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)

### Fixed

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.159.0 - 2026-04-10

### Fixed

• Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)

1.158.0 - 2026-04-09

### Added

• Added support for a supply chain hook for the Semgrep Plugin (supply-chain-hook)
• Computing taint configs, ~1/4-1/2 of the semgrep-core time in interfile scans, is now done in parallel according to the number of jobs (ENGINE-2649)
• Semgrep Pro interfile engine (--pro) taint analysis has been redesigned, significantly improving performance (estimated 20-40% improvement). This improvement introduces a slight change in how findings are generated, that may result in more true positives, or less false positives. To revert to previous behavior, pass --no-x-run-taint-once as a flag. (engine-2468)

### Changed

• semgrep-core macOS binaries are now dynamically linked to the system's libraries. (macos-binary-build)
• semgrep-core manylinux binaries are now dynamically linked to the system's glibc on glibc systems. This introduces a minimum glibc version requirement of >=2.35, which is satisfied in Ubuntu >=22.04, Debian >=12, RHEL >=10, and other glibc distributions with at least glibc 2.35. Linux systems running an older glibc will need to upgrade their OS. (manylinux-binary-build)
• The manylinux wheel is now tagged as manylinux_2_35_, reflecting a minimum requirement of glibc version 2.35. (manylinux-wheel-tag)
• semgrep-core musllinux binaries are now dynamically linked to the system's musl libc on musl systems. (musllinux-binary-build)
• The musllinux PyPI wheel is now tagged as musllinux_1_2_, reflecting a requirement of musl libc version 1.2. (musllinux-wheel-tag)
• The LSP and MCP servers now use the v2 config download endpoint by default when fetching rules from Semgrep AppSec Platform. Set SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1 to fall back to the legacy endpoint. (SMS-2284)

### Fixed

• Fixed IDE login issues where network errors during token verification were incorrectly clearing the saved token. The LSP now distinguishes 401 Unauthorized (invalid token) from other errors (e.g. network failures), surfacing appropriate messages instead. (ide-login)
• Fixed SARIF taint trace output: step locations now use the correct file URI, and the full taint sink call trace is included in codeFlows. (engine-2570)
• The --x-mem-policy flag now propagates to the RPC subprocess, fixing memory tuning for dependency resolution and other RPC-based operations. (pylon-20772)

1.157.0 - 2026-03-31

### Added

• pro: Improved taint tracking through lambda calls. (LANG-268)
• It is now possible to match a class name like in $C.getInstance(...), and then use metavariable-type on $C to check its type. (LANG-271)
• pro: Improve cross-file taint tracking for globals. (LANG-275)

### Changed

• Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
• pro: Improved golang module resolution. (code-9225)
• Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)

### Fixed

... (truncated)

Commits

• 372573a chore: release version 1.159.0
• ceb477csemgrep/semgrep-proprietary#6049
• 95713c8 fix: raise error when target discovery RPC fails instead of returning empty r...
• 85cd32bsemgrep/semgrep-proprietary#6
• 99d8d54semgrep/semgrep-proprietary#6041
• b4a9460semgrep/semgrep-proprietary#6043
• d94d38d chore(backend): download config using v2 backend (EIO) (semgrep/semgrep-propr...
• 4dfff3b refactor: Taint_rule_inst: separate mutable state from immutable (semgrep/sem...
• 8e94f57 fix(engine): Log specific customer data only at DEBUG (semgrep/semgrep-propri...
• 202232fsemgrep/semgrep-proprietary#6002
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)