Releases: semgrep/semgrep-interfaces

Release v1.132.0

14 Aug 21:27
7f4eda2

1.132.0 - 2025-08-14

Added

  • PHP: When the option taint_assume_safe_booleans is enabled, the return values of
    boolval, is_bool, and || are considered safe.
    When taint_assume_safe_numbers is enabled, the return values of intval,
    floatval, +, -, *, / and % are also considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request
    took to complete will now be visible in the debug logs. (#2130)
  • Introduces a timeout for internal HTTP requests, so that an unresponsive remote
    endpoint can no longer hang the engine indefinitely. (#4295)

Changed

  • Pro scans no longer attempt to parse tsconfig files for non-TypeScript scans. (gh-4407)

Fixed

  • Language server: Errors that occur while using the IDE no longer pop up.
    They are still logged, but are no longer displayed in the UI. (saf-2193)
  • When validating the results of a secrets scan, do not have more than 256
    outstanding validators executing at a given time. (#2130)

v1.132.1

14 Aug 23:16
98893da

Release v1.131.0

31 Jul 07:40
3ce3539

1.131.0 - 2025-07-30

Fixed

  • Semgrep diff scans can now query the app for which merge base to use. This fixes an issue where some diff scans on shallow clones used the wrong merge base and therefore scanned commits that were not part of the PR. (better-merge-base)
  • Fixed a bug where an empty file could be created in place of a missing input file. This bug was introduced in Semgrep 1.115.0. (dont-create-missing-input-files)
  • When processing a target with debug logging enabled, we now only log the target
    path rather than the entire internal structure representation. This allows for
    more succinct log files and no longer introduces mid-entry newlines, which can
    break log-parsing tooling. (gh-4315)
  • Language server: Fixed a bug which broke the Sign in command. (saf-2151)
  • CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
  • Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

Release v1.130.0

24 Jul 03:16
aa4b895

1.130.0 - 2025-07-23

Fixed

  • Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

Release v1.128.0

03 Jul 20:22
80fa4d2

1.128.0 - 2025-07-03

Added

  • HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g. HTTP_PROXY=domain.com:port). (saf-2082)

Fixed

  • Java: Deprecated the partial class pattern class $A, in favor of
    class $A { ... } (safe-2104)

Release 1.127.1

27 Jun 17:43
80fa4d2
  • No new changes

Release v1.127.0

24 Jun 19:24
80fa4d2

1.127.0 - 2025-06-24

Fixed

  • pro: typescript: Prevent stack overflows and out-of-memory issues when reading
    TS configs. (code-8678)

Release v1.128.1

15 Jul 17:37
80fa4d2

1.128.1 - 2025-07-15

No changes were made

Release v1.126.0

18 Jun 18:18
02c7c65

1.126.0 - 2025-06-18

Fixed

  • Missing version constraints in yarn.lock descriptors no longer raise parsing errors (sc-2293)

Release v1.125.0

12 Jun 00:20
02c7c65

1.125.0 - 2025-06-11

Added

  • Dependency resolution errors that result from local builds are now reported in the scan log by default. (SC-2442)
  • Adds reporting of SSC subproject dependency resolution to the output when using --json. (SC-2458)
  • Semgrep's JSON output will now always include some basic profiling data (WIP). (code-8529)
  • C# dependency parsing can now handle dependencies with "Project" and "CentralTransitive" transitivities. (sc-2376)

Fixed

  • Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)
  • Added support for npm aliasing in package-lock.json, fixing a bug where packages would rarely be misidentified. (SC-2387)
  • Fixed scenario where case statements with ellipsis did not match patterns correctly. (gh-10086)
  • Nosemgrep ignore comments no longer require exactly one space before, allowing for more commenting styles. (gh-11041)
  • Fixed a bug where JavaScript autofix broke the syntax of if statements by consuming parentheses. (gh-9522)
  • Fixed: the Semgrep findings returned by the Semgrep language server (LSP)
    are now sorted correctly based on their location within files.
    This benefits all the Semgrep IDE extensions (VSCode, IntelliJ). (ide-findings-order)
  • Fixed an issue where semgrep ci logs in GitLab would return an incorrect URL
    with the wrong &ref=... argument. (saf-959)