
chore(deps-dev): update semgrep requirement from >=1.162.0 to >=1.163.0 #61

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/semgrep-gte-1.163.0


Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 16, 2026

Updates the requirements on semgrep to permit the latest version.

Release notes

Sourced from semgrep's releases.

Release v1.163.0

1.163.0 - 2026-05-13

### Added

  • Updated PHP target parsing to support grammar changes from PHP 8.1-8.5 (LANG-380)

### Changed

  • Improved semgrep ci startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
  • Semgrep now validates dependency aware rules only on the core side, improving startup time (validate-skip-dep-aware)
  • Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
  • Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)

### Fixed

  • Improved name resolution for fully-qualified names in Java, Kotlin, and Scala. This could lead to fewer false positives and more true positives when the code under analysis uses fully-qualified names instead of imports. (java-qualified)
  • Optimised rule prefiltering and parsing to improve engine startup time. (rule-parse-cache)
  • Reduced peak memory usage when scanning repos with large rulesets. (rules-json-compact)
  • Fixed transitive reachability rule parsing performance: the temporary rule file written for each transitive-reachability RPC call is JSON content (json.dumps([rule.raw])) but was being created with a .yaml suffix. OCaml's Parse_rule.parse_file dispatches purely on file extension, so this routed every TR rule through Yaml_to_generic.parse_yaml_file (the slow YAML path) instead of Fast_json.parse_program (the new hand-written RFC 8259 parser). Switching the suffix to .json lines the suffix up with the actual content and lets every TR rule parse take the fast path. (tr-json-suffix)
  • Pro: Fixed a naming resolution bug in Java. (LANG-274)
Changelog

Sourced from semgrep's changelog.

1.162.0 - 2026-05-07

### Added

  • pro: Improved support for tracking taint through nested functions. (LANG-95)
  • Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)

### Changed

  • Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
  • Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
  • MCP semgrep_findings tool: added a refs parameter to filter findings by branch (defaults to the primary branch when not specified), and made autotriage_verdict optional so that findings without an AI verdict can also be returned. (engine-2723)

### Fixed

  • jsonnet: import and importstr now reject paths that resolve outside the rule file's parent directory. (ENGINE-2727)
  • semgrep ci: redact URL-embedded credentials and Authorization header values from git error messages and from the captured tracebacks sent to the fail-open telemetry endpoint, preventing leaks of secrets like CI_JOB_TOKEN from a failed git fetch in GitLab CI. Also closes

... (truncated)

Commits
  • db2be62 semgrep/semgrep-proprietary#6316
  • c942ce5 fix: move Java synthetic getter generation to AST layer (LANG-274) (semgrep/s...
  • 832bf21 infra(ci): bump anthropics/claude-code-action to v1.0.119 (semgrep/semgrep-pr...
  • de18b7e chore: update CODEOWNERS for code-pa -> languages (semgrep/semgrep-proprietar...
  • e4d1596 fix(interfaces): add back semgrep-interfaces.opam file (semgrep/semgrep-pro...
  • 5f78fd4 fix(mcp): stop sending all rules as part of metrics (semgrep/semgrep-propriet...
  • 384de6c semgrep/semgrep-proprietary#6266
  • 6050606 perf(parsing): cache parsed xpatterns across rules (semgrep/semgrep-proprieta...
  • 376ef4c SharedMemo: add ?should_cache predicate to memo entry points (semgrep/semgrep...
  • 247180b semgrep/semgrep-proprietary#6118
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [semgrep](https://github.com/semgrep/semgrep) to permit the latest version.
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.162.0...v1.163.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-version: 1.163.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on May 16, 2026