chore(deps): update dependency semgrep to ~=1.95.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semgrep	~=1.92.0 -> ~=1.95.0

---

Release Notes

returntocorp/semgrep (semgrep)

v1.95.0

Compare Source

Changed

• Remove deprecated --enable-experimental-requirements flag. Functionality has
  been always enabled since Semgrep 1.93.0. (ssc-1903)

Fixed

• osemgrep: Running osemgrep with the Pro Engine now correctly runs rules with proprietary languages (saf-1686)
• Fixed bug where semgrep would crash if --trace was passed (saf-tracing)

v1.94.0

Compare Source

Fixed

• pro: taint-mode: Semgrep should no longer confuse a return in a lambda with
  a return in its enclosing function.

  E.g. In the example below the return value of foo is NOT tainted:

  function foo() {
      bar(() => taint);
      return ok;
  } (code-7657)
  

• OCaml: matching will now recognized "local open" so that a pattern like
  Foo.bar ... will now correctly match code such as let open Foo in bar 1
  or Foo.(bar 1) in addition to the classic Foo.bar 1. (local_open)

• Project files lacking sufficient read permissions are now skipped gracefully
  by semgrep. (saf-1598)

• Semgrep will now print stderr and additional debugging info when semgrep-core
  exits with a fatal error code but still returns a json repsonse (finishes
  scanning) (saf-1672)

• semgrep ci should parse correctly git logs to compute the set of contributors
  even if some authors have special characters in their names. (saf-1681)

v1.93.0

Compare Source

Added

• Improved naming for Common JS module imports (require) in arbitrary
  expression contexts. Notably, in-line use of require should now be linked to
  the correct module. For instance, the pattern foo.bar should now match
  against require('foo').bar and taint is likewise similarily tracked. (code-7485)
• Secrets: semgrep ci output now includes a list of all secrets rules which
  generated at least one blocking finding (similar to Code) (code-7663)
• Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
• Expanded support for pip requirement lockfiles is now available by default. Semgrep will now
  find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt).
  The existing experimental flag --enable-experimental-requirements is now deprecated and
  will be removed in a future release. (gh-2441)

Changed

• Removed support for Vue. The tree-sitter grammar has not been updated in 3 years,
  there was no community rules added and semgrep-vue is causing linking conflicts
  when compiling semgrep under Windows so just simpler to remove support for Vue.
  In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

• semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

---

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.