chore(deps): bump semgrep from 1.151.0 to 1.154.0

[dependabot]

Bumps semgrep from 1.151.0 to 1.154.0.

Release notes

Sourced from semgrep's releases.

Release v1.154.0

1.154.0 - 2026-03-04

### Fixed

• Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
• Changed default memory policy from "eager" to "balanced". Scan times should noticably improve; however, scans may use 5-10% additional memory. If running in a resource-constrained environment, consider setting the memory policy back to "aggressive". (engine-2055)
• When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k files). Semgrep will now parallelize this work according to the number of jobs passed (-j) (engine-2512)
• Fixed a performance issues where passing many scannign roots on the command line (e.g. semgrep scan $(git ls-files '*.py')) caused one semgrep-core subprocess to be spawned per file. Roots that are not directories are now handled directly in Python without any subprocess overhead. (gh-11404)
• Scala: Restored parse rate after mistaken bug introduced by implicit block parsing fix (lang-215)

Release v1.153.0

1.153.0 - 2026-02-25

### Added

• Semgrep core is now optimized with flambda (flambda)
• Scala: Support for for-yield (LANG-193)

### Fixed

• Scala: Fixed a parsing bug where subsequent calls in an implicit block would not be considered at the same scope, e.g.

  def f (a: t) =
    foo()
    bar()
  ``` (lang-194)
  

Release v1.152.0

1.152.0 - 2026-02-17

### Added

• Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

• Turned on DNS rebinding protection for the MCP server (dns-check)

• Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

• Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory in short order while limiting how often the garbage collector runs. The policy can be configured

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.154.0 - 2026-03-04

### Fixed

• Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
• Changed default memory policy from "eager" to "balanced". Scan times should noticably improve; however, scans may use 5-10% additional memory. If running in a resource-constrained environment, consider setting the memory policy back to "aggressive". (engine-2055)
• When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k files). Semgrep will now parallelize this work according to the number of jobs passed (-j) (engine-2512)
• Fixed a performance issues where passing many scannign roots on the command line (e.g. semgrep scan $(git ls-files '*.py')) caused one semgrep-core subprocess to be spawned per file. Roots that are not directories are now handled directly in Python without any subprocess overhead. (gh-11404)
• Scala: Restored parse rate after mistaken bug introduced by implicit block parsing fix (lang-215)

1.153.0 - 2026-02-25

### Added

• Semgrep core is now optimized with flambda (flambda)
• Scala: Support for for-yield (LANG-193)

### Fixed

• Scala: Fixed a parsing bug where subsequent calls in an implicit block would not be considered at the same scope, e.g.

  def f (a: t) =
    foo()
    bar()
  ``` (lang-194)
  

1.152.0 - 2026-02-17

### Added

• Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

• Turned on DNS rebinding protection for the MCP server (dns-check)

• Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

• Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory in short order while limiting how often the garbage collector runs. The policy can be configured via the --x-mem-policy CLI flag for the pro engine; this flag is unused in

... (truncated)

Commits

• ad97ed8 chore: release version 1.154.0
• 1e89d1bsemgrep/semgrep-proprietary#5755
• 33b9aecsemgrep/semgrep-proprietary#5743
• dcd6f92semgrep/semgrep-proprietary#5720
• 1b330b6semgrep/semgrep-proprietary#5738
• ace4f7a chore: add upper bound to ambient-context-lwt & update opam-lockfiles (semg...
• 52607df ci: Use paginate argument to gh apisemgrep/semgrep-proprietary#5679
• 7def827 windows: win_spawn_pysemgrep returns Exit_code.t rather than throwing exn (se...
• 8b3191fsemgrep/semgrep-proprietary#5744
• 01fc2d8 fix(targeting): skip subprocess spawn for file scanning roots when root is a ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)