search

airtai / faststream

FastStream is a powerful and easy-to-use Python framework for building asynchronous services interacting with event streams such as Apache Kafka, RabbitMQ, NATS and Redis.
https://faststream.airt.ai/latest/
Apache License 2.0
2.5k stars 128 forks source link

chore(deps): bump semgrep from 1.75.0 to 1.76.0 #1554

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps semgrep from 1.75.0 to 1.76.0.

Release notes

Sourced from semgrep's releases.

Release v1.76.0

1.76.0 - 2024-06-17

Added

  • Added type inference support for basic operators in the Pro engine, including +, -, *, /, >, >=, <=, <, ==, !=, and not. For numeric computation operators such as + and -, if the left-hand side and right-hand side types are equal, the return type is assumed to be the same. Additionally, comparison operators like > and ==, as well as the negation operator not, are assumed to return a boolean type. (code-6940)

  • Added guidance for resolving token issues for install-semgrep-pro in non-interactive environments. (gh-1668)

  • Adds support for a new flag, --subdir <path>, for semgrep ci, which allows users to pass a subdirectory to scan instead of the entire directory. The path should be a relative path, and the directory where semgrep ci is run should be the root of the repository being scanned. Unless SEMGREP_REPO_DISPLAY_NAME is explicitly set, passing the subdirectory will cause the results to go to a project specific to that subdirectory.

    The intended use case for semgrep ci --subdir path/to/dir is to help users with very large repos scan the repo in parts. (saf-1056)

Fixed

  • Language Server will now send error messages properly, and error handling is greatly improved (cdx-502)

  • Pro: Calling a safe method on a tainted object should no longer propagate taint.

    Example:

    class A {
    String foo(String str) {
        return "ok";
    }
}

    class Test {
public static void test() {
A a;
String s;
a = taint();
// Despite a is tainted, a.foo() is entirely safe !!!
s = a.foo("bar");
sink(s); // No more FP here
}
} (code-6935)

  • Fixing errors in matching identifiers from wildcard imports. For example, this update addresses the issue where the following top-level assignment:

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.76.0 - 2024-06-17

Added

  • Added type inference support for basic operators in the Pro engine, including +, -, *, /, >, >=, <=, <, ==, !=, and not. For numeric computation operators such as + and -, if the left-hand side and right-hand side types are equal, the return type is assumed to be the same. Additionally, comparison operators like > and ==, as well as the negation operator not, are assumed to return a boolean type. (code-6940)

  • Added guidance for resolving token issues for install-semgrep-pro in non-interactive environments. (gh-1668)

  • Adds support for a new flag, --subdir <path>, for semgrep ci, which allows users to pass a subdirectory to scan instead of the entire directory. The path should be a relative path, and the directory where semgrep ci is run should be the root of the repository being scanned. Unless SEMGREP_REPO_DISPLAY_NAME is explicitly set, passing the subdirectory will cause the results to go to a project specific to that subdirectory.

    The intended use case for semgrep ci --subdir path/to/dir is to help users with very large repos scan the repo in parts. (saf-1056)

Fixed

  • Language Server will now send error messages properly, and error handling is greatly improved (cdx-502)

  • Pro: Calling a safe method on a tainted object should no longer propagate taint.

    Example:

    class A {
    String foo(String str) {
        return "ok";
    }
}

    class Test {
public static void test() {
A a;
String s;
a = taint();
// Despite a is tainted, a.foo() is entirely safe !!!
s = a.foo("bar");
sink(s); // No more FP here
}
} (code-6935)

  • Fixing errors in matching identifiers from wildcard imports. For example, this update addresses the issue where the following top-level assignment:

... (truncated)

Commits
  • f64f936 chore: Bump version to 1.76.0
  • 0d3b36a fix OSS CI: remove dropbox/firebase-dropbox-oauth repo (semgrep/semgrep-propr...
  • f8debefsemgrep/semgrep-proprietary#1697
  • 848e012 fix: Fix traces ppx on functions with multiple parameters (semgrep/semgrep-pr...
  • 5b61bd7semgrep/semgrep-proprietary#1690
  • 654f05fsemgrep/semgrep-proprietary#1689
  • 1cfa86a chore: some more LS error handling improvements (semgrep/semgrep-proprietary#...
  • 43e9378semgrep/semgrep-proprietary#1679
  • 0ca4be7semgrep/semgrep-proprietary#1658
  • 6762354semgrep/semgrep-proprietary#1683
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 3 months ago

Superseded by #1568.