chore(deps): bump semgrep from 1.113.0 to 1.141.0

[dependabot]

Bumps semgrep from 1.113.0 to 1.141.0.

Release notes

Sourced from semgrep's releases.

Release v1.141.0

1.141.0 - 2025-10-23

Added

• pro: scala: http4s-specific support for $M -> ... / $X / ... patterns (code-9114)

Fixed

• Improved detection of implicitly returned expressions. Functions in some languages, such as Ruby and Scala, can return a value without an explicit return statement. More expressions, such as string interpolation, are now correctly identified as implicitly returned. (code-9101)
• Scala: Parser now accepts an $MVAR as a pattern alias (@), so e.g. case $X @ ... => ... is now a valid pattern. (code-9130)
• fixed an issue where CamlinternalLazy.Undefined would occur while using eio multicore (saf-1877)

Release v1.140.0

1.140.0 - 2025-10-16

Added

• scala: Allow partial case patterns such as case 1 => ... to easily match individual case clauses within a match-expression. (code-9118)
• Added python 3.14 support. (gh-11250)
• MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)

Changed

• Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)

Fixed

• Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
• Display an error instead of a malformed success message when the show subcommand fails due to an invalid CLI token. (grow-630)
• new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
• Fixed an issue where temporary files, containing rules to be validated, persisted after a semgrep scan. (saf-2257)
• MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
• MCP: Fixed a bug where resource closure errors would occur when trying to use

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.141.0 - 2025-10-23

Added

• pro: scala: http4s-specific support for $M -> ... / $X / ... patterns (code-9114)

Fixed

• Improved detection of implicitly returned expressions. Functions in some languages, such as Ruby and Scala, can return a value without an explicit return statement. More expressions, such as string interpolation, are now correctly identified as implicitly returned. (code-9101)
• Scala: Parser now accepts an $MVAR as a pattern alias (@), so e.g. case $X @ ... => ... is now a valid pattern. (code-9130)
• fixed an issue where CamlinternalLazy.Undefined would occur while using eio multicore (saf-1877)

1.140.0 - 2025-10-16

Added

• scala: Allow partial case patterns such as case 1 => ... to easily match individual case clauses within a match-expression. (code-9118)
• Added python 3.14 support. (gh-11250)
• MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)

Changed

• Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)

Fixed

• Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
• Display an error instead of a malformed success message when the show subcommand fails due to an invalid CLI token. (grow-630)
• new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
• Fixed an issue where temporary files, containing rules to be validated, persisted after a semgrep scan. (saf-2257)
• MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
• MCP: Fixed a bug where resource closure errors would occur when trying to use the MCP with the streamable-http tranport method. (saf-2264)

... (truncated)

Commits

• 9f972b3 chore: release version 1.141.0
• 7b3932dsemgrep/semgrep-proprietary#4852
• 20ea293semgrep/semgrep-proprietary#4846
• 1b05518semgrep/semgrep-proprietary#4839
• 833ef9f scala: patterns: Allow an $MVAR as pattern alias (semgrep/semgrep-proprietary...
• 590b39bsemgrep/semgrep-proprietary#4783
• 919ed6c logs: Log the exit code of the RPC subprocess if it does not exit cleanly (se...
• a3bad6esemgrep/semgrep-proprietary#4794
• 417e133semgrep/semgrep-proprietary#4821
• e68513asemgrep/semgrep-proprietary#4697
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)