---
name: Semgrep
slug: semgrep
type: github
source_url: https://github.com/semgrep/semgrep
changelog_url: https://github.com/semgrep/semgrep/blob/HEAD/CHANGELOG.md
organization: Semgrep
organization_slug: semgrep
total_releases: 109
latest_version: v1.168.0
latest_date: 2026-06-24
last_updated: 2026-06-24
tracking_since: 2024-02-09
canonical: https://releases.sh/semgrep/semgrep
organization_url: https://releases.sh/semgrep
---

<Summary type="rolling" window-days="90" release-count="12">
Semgrep shipped a string of performance improvements and pro-tier enhancements across the interfile analysis stack. The team redesigned pro taint analysis with an estimated 20-40% performance lift, parallelized taint config computation and file targeting to scale with job count, and adjusted the memory policy default from "eager" to "balanced" to reduce scan times at the cost of slightly higher memory use. Language support expanded with PowerShell (beta), improved Kotlin parsing, and better Scala 3 optional braces handling, while cross-file tracking grew smarter for taint through lambda calls, globals, and virtual method resolution in Java and Scala. The supply chain subsystem migrated its npm lock file parser from Python to a proprietary OCaml version and now uploads symbol analysis per-subproject.
</Summary>

<Summary type="monthly" period="March 2026" release-count="4">
March expanded pattern matching capabilities and language support while optimizing the analysis engine. Taint tracking through lambda calls and cross-file globals improved for Pro users, class name matching with `metavariable-type` graduated to general availability, and PowerShell entered beta with full parsing and pattern matching support. Performance work included parallelized file targeting for large repositories and a memory policy shift to "balanced" that trades modest memory overhead for notably faster scans.
</Summary>

<Release version="v1.168.0" date="June 24, 2026" published="2026-06-24T19:37:09.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.168.0">
## Release v1.168.0

## [1.168.0](https://github.com/semgrep/semgrep/releases/tag/v1.168.0) - 2026-06-24

### Added

- Added an experimental `--x-dependency-paths` flag to `scan` and `ci` that includes the full dependency path(s) for transitive supply-chain findings in `--json` and `--sarif` output. (SC-3547)

### Changed

- Malicious supply chain rules are now labeled "Malicious" instead of "Basic" in the scan analysis summary table. (SC-3504)

### Infra/Release Changes

- semgrep-core no longer depends on libpcre 8.x; libpcre2 10.x is now the sole regex engine. (drop-libpcre)
- Aliengrep (generic mode) now uses the maintained libpcre2 10.x regular-expression library instead of the deprecated libpcre 8.x. Matching behavior is unchanged. (aliengrep-pcre2)
- The `metavariable-regex` and `metavariable-comparison` (`re.match()`) runtimes now use the maintained libpcre2 10.x library instead of the deprecated libpcre 8.x. Matching behavior is unchanged. (eval-generic-pcre2)

</Release>

<Release version="v1.167.0" date="June 17, 2026" published="2026-06-17T18:21:17.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.167.0">
## Release v1.167.0

## [1.167.0](https://github.com/semgrep/semgrep/releases/tag/v1.167.0) - 2026-06-17

### Added

- Added support for more operators in constant folding during constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more. (const-folding)
- Added a `nosemgrep_disabled` field to the scan configuration so the platform can disable `nosemgrep` inline ignore comments org-wide for a scan. (APPEX-1122)
- Semgrep now skips binary files (images, archives, compiled executables,
  etc.) during scanning by default, detected via matching file extensions
  to known file-format magic bytes. Pass `--no-exclude-binary-files` to
  scan binary files as before. (ENGINE-2708)
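As an added example (not Semgrep's own code) of the binary-target filter described in the ENGINE-2708 entry, with a small hypothetical signature table; it assumes a file is skipped only when its extension is in the table AND the bytes at the recorded offset match that format's magic bytes, so a mislabelled file cannot silently drop out of the scan:

```python
"""Added example, not Semgrep's own code: skip binary targets by checking a
file's extension against the magic bytes that format is known to begin with.
Assumption: both the extension AND the header bytes must agree."""
from pathlib import Path
import tempfile

# Hypothetical signature table: extension -> (offset, magic bytes).
MAGIC_BY_EXTENSION: dict[str, tuple[int, bytes]] = {
    ".png": (0, b"\x89PNG\r\n\x1a\n"),
    ".gif": (0, b"GIF8"),
    ".jpg": (0, b"\xff\xd8\xff"),
    ".jpeg": (0, b"\xff\xd8\xff"),
    ".pdf": (0, b"%PDF-"),
    ".zip": (0, b"PK\x03\x04"),
    ".jar": (0, b"PK\x03\x04"),
    ".gz": (0, b"\x1f\x8b"),
    ".so": (0, b"\x7fELF"),
    ".exe": (0, b"MZ"),
}


def is_binary_target(path: Path) -> bool:
    """True only when the extension is known AND the header bytes agree.

    A text file named .png is still scanned (no magic match), and an ELF blob
    with an unlisted extension is still scanned (no table entry)."""
    sig = MAGIC_BY_EXTENSION.get(path.suffix.lower())
    if sig is None:
        return False
    offset, magic = sig
    try:
        with path.open("rb") as fh:
            fh.seek(offset)
            return fh.read(len(magic)) == magic
    except OSError:
        return False  # unreadable targets stay on the normal error path


def select_targets(paths, exclude_binary_files: bool = True):
    """Split candidate paths into (scanned, skipped).

    exclude_binary_files=False mirrors passing --no-exclude-binary-files."""
    if not exclude_binary_files:
        return list(paths), []
    scanned, skipped = [], []
    for p in paths:
        (skipped if is_binary_target(Path(p)) else scanned).append(p)
    return scanned, skipped


def demo() -> tuple[list[str], list[str]]:
    """Run the filter over a constructed sample tree; returns file names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.py").write_text("print('hello')\n")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        (root / "vendor.jar").write_bytes(b"PK\x03\x04" + b"\0" * 16)
        # Misleading name, text content: must NOT be skipped.
        (root / "notes.png").write_text("plain text with a misleading name\n")
        # ELF bytes under an unlisted extension: must NOT be skipped.
        (root / "blob.bin").write_bytes(b"\x7fELF" + b"\0" * 16)
        scanned, skipped = select_targets(sorted(root.iterdir()))
        return [p.name for p in scanned], [p.name for p in skipped]


if __name__ == "__main__":
    print(demo())
```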

### Fixed

- `semgrep ci` with `--sarif` now correctly populates the output's `ignores`
  field with nosemgrep-suppressed findings, in accordance with other output
  formatters. (gh-6651)

### Infra/Release Changes

- Updated the `ocaml-tree-sitter-core` submodule to the latest upstream `main`, providing

  * improved thread-safety
  * bumps the tree-sitter CLI option used from 0.20.6 to 0.20.8.

  (ocaml-tree-sitter-core-bump)

</Release>

<Release version="v1.166.0" date="June 11, 2026" published="2026-06-11T14:00:10.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.166.0">
## Release v1.166.0

## [1.166.0](https://github.com/semgrep/semgrep/releases/tag/v1.166.0) - 2026-06-11

### Added

- Pro: Added experimental cross-file (interfile) analysis for Gosu, enabling taint tracking across multiple Gosu source files. (gosu-interfile)
- Added support for more operators in constant folding during constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more. (ENGINE-2789)

### Fixed

- Fixed parsing of integer literals with an underscore immediately after the radix prefix (e.g. `0x_dead_beef`, `0o_755`, `0b_1010_1010`). (LANG-533)
- Python parsing now preserves type parameters on `def` and `class` definitions. (LANG-536)
- Semgrep no longer writes the API token to `~/.semgrep/settings.yml` when the
  current scan's token is supplied via the `SEMGREP_APP_TOKEN` environment
  variable. (SEC-2240)
- `semgrep ci` scans originating from a pre-commit hook will no longer fail with
  `Unable to create '<tmp>/.git/index.lock': Not a directory` in certain cases. (engine-2736)

### Infra/Release Changes

- Added parsing tests covering Python language features (Python 3.0–3.12). (LANG-531)

</Release>

<Release version="v1.165.0" date="June 3, 2026" published="2026-06-03T22:02:47.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.165.0">
## Release v1.165.0

## [1.165.0](https://github.com/semgrep/semgrep/releases/tag/v1.165.0) - 2026-06-03

### Added

- Added the `--max-match-context-size` option to limit the number of characters of source code included as context for each match in the output. This prevents matches in minified files (e.g., minified JavaScript where the entire file is a single line) from producing enormous output. Set it to 0 for unlimited, which is the default value. (ENGINE-2117)

### Changed

- Replaced `--x-no-python-schema-validation` with a value-taking `--x-rule-validation=full|core-only|none` flag. The default (`full`) preserves existing Python rule validation behavior; `core-only` matches the old flag's semantics (disables Python rule validation and uses semgrep-core RPC validation only); `none` skips both pre-validation passes, surfacing rule errors at scan-time. `--x-no-python-schema-validation` is still accepted as a no-op with a deprecation warning, and will be removed in a future release. (x-rule-validation)
- Python: Updated the Python grammar. (LANG-201)

### Fixed

- Added bit shift operations to metavar comparison in addition to already present standard arithmetic operators and logical bit ops. (ENGINE-2448)
- Reduce intermittent `validation_error` results on HTTP secret validators (Facebook, Slack, Stripe, Google, Cloudflare, etc.) by retrying transient network failures, mirroring the retry behavior already present for AWS validators. (SCRT-965)

</Release>

<Release version="v1.164.0" date="May 27, 2026" published="2026-05-27T14:35:42.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.164.0">
## Release v1.164.0

## [1.164.0](https://github.com/semgrep/semgrep/releases/tag/v1.164.0) - 2026-05-26

### Added

- Dart: typed metavariables (`$X as T`) and `metavariable-type`,
  metavariable binding inside string interpolations, and function-definition
  patterns that match Dart function definitions. (gh-11678)

### Changed

- The default memory limit for Pro interfile scans on Linux now adapts to the container's cgroup memory limit (90% of it) instead of the previous fixed 5 GiB, with an 8 GiB fallback when no cgroup limit is detected. (ENGINE-2568)
- Lower the glibc constraint from `>=2.35` to `>=2.34`, allowing users on distros
  that ship glibc 2.34 (e.g. RHEL 9 & AL2023) to install the semgrep wheel. (gh-11622)

### Fixed

- Baseline diff scans (`semgrep ci` and `--baseline-commit`) no longer treat every finding on a file as newly introduced when one or more rules failed during the baseline run.

  Per-rule failures (for example a timeout for a single rule) on baseline analysis now hide only that rule's matches on that file from the "new vs baseline" comparison.
  Other rules on the same file are still included in the "new vs baseline" comparison.

  Per-file, rule-independent failures now hide all findings on that file from the "new vs baseline" comparison. (LANG-515)
- Fixed a yarn.lock parse error on Yarn Berry entries written
  in YAML explicit-key form. Affected lockfiles previously failed to parse. (SC-3479)
- The (beta) SBT resolver with `--allow-local-builds` now correctly identifies dependencies as part of the Maven ecosystem. (SC-3522)
- Fix `--sarif-output` and `--sarif` causing nosemgrep-suppressed findings to be reported in CLI scan output and to block scans. Suppressed findings are now correctly excluded from terminal text output, the scan-summary count, and the CLI's exit code. (engine-1824)
- Fixed a bug that could cause unreliable target filtering in parallel scans. (gh-6313)
- Dart: improved parser fidelity for Dart 3 grammar features and routed
  pattern parsing for statements beginning with `await`, `rethrow`, and other
  statement keywords. Eliminates a large class of `PartialParsing` errors on
  real-world pub.dev packages. (gh-11678)
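As an added example (not Semgrep's own code) of the comparison semantics in the LANG-515 entry, with the pre-fix behaviour beside it for contrast. It assumes a finding is identified by (path, rule, line) and reads "hidden from the comparison" as: those findings are left out of the reported set of new findings.

```python
"""Added example, not Semgrep's own code: baseline-diff comparison that
honours per-rule and per-file failures from the baseline run."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    rule_id: str
    line: int  # stands in for the syntactic fingerprint a real scan would use


def new_findings(head, baseline, rule_failures, file_failures):
    """Findings in `head` that are new relative to `baseline`.

    rule_failures: set of (path, rule_id) where that rule failed on that file
        in the baseline run -> that rule's matches on that file are hidden from
        the comparison; other rules on the same file are still compared.
    file_failures: set of paths that failed outright in the baseline run
        -> every finding on that file is hidden from the comparison.
    """
    known = set(baseline)
    result = []
    for f in head:
        if f.path in file_failures:
            continue
        if (f.path, f.rule_id) in rule_failures:
            continue
        if f not in known:
            result.append(f)
    return result


def new_findings_legacy(head, baseline, rule_failures, file_failures):
    """Pre-1.164.0 behaviour, for contrast: any baseline failure touching a
    file made every finding on that file count as newly introduced."""
    tainted_files = set(file_failures) | {path for path, _ in rule_failures}
    known = set(baseline)
    return [f for f in head if f.path in tainted_files or f not in known]


def demo():
    """Constructed sample scan results; returns (fixed, legacy) new findings."""
    head = [
        Finding("a.py", "sqli", 10), Finding("a.py", "sqli", 42),
        Finding("a.py", "xss", 7), Finding("a.py", "xss", 99),
        Finding("b.py", "sqli", 3),
        Finding("c.py", "xss", 1), Finding("c.py", "xss", 5),
    ]
    baseline = [
        Finding("a.py", "sqli", 10), Finding("a.py", "xss", 7),
        Finding("c.py", "xss", 1),
    ]
    rule_failures = {("a.py", "sqli")}  # sqli timed out on a.py in the baseline run
    file_failures = {"b.py"}            # b.py failed to parse in the baseline run
    return (
        new_findings(head, baseline, rule_failures, file_failures),
        new_findings_legacy(head, baseline, rule_failures, file_failures),
    )


if __name__ == "__main__":
    fixed, legacy = demo()
    print("new (fixed):", fixed)
    print("new (legacy):", legacy)
```

With the fix only `a.py:xss:99` and `c.py:xss:5` are reported; the legacy logic would also flag every finding on `a.py` and `b.py`.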

### Infra/Release Changes

- pro: macOS: Fixed dynamic library lookup for `semgrep-core-proprietary` so the binary works when `semgrep install-semgrep-pro` is invoked, and `semgrep` is installed via Homebrew. (pro-binary-homebrew)
- Pro: Added optional `<case>.named_ast.expect` golden files for `tests/intrafile/maturity/` fixtures, exercised by `Unit_maturity_named_asts`. (LANG-287)

</Release>

<Release version="v1.163.0" date="May 15, 2026" published="2026-05-15T16:06:24.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.163.0">
## Release v1.163.0

## [1.163.0](https://github.com/semgrep/semgrep/releases/tag/v1.163.0) - 2026-05-13

### Added

- Updated PHP target parsing to support grammar changes from PHP 8.1-8.5. (LANG-380)

### Changed

- Improved `semgrep ci` startup time with App-provided rules by avoiding duplicate semgrep-core rule validation during CLI rule loading while preserving config-style failures for invalid rules. (ci-rule-validation-startup)
- Semgrep now validates dependency-aware rules only on the core side, improving startup time. (validate-skip-dep-aware)
- Rule validation now runs in parallel across cores on large rulesets, reducing scan startup time. (gh-6279)
- Rule parsing now runs in parallel across shards on multi-core machines, reducing scan startup time on large rulesets. (gh-6281)

### Fixed

- Improved name resolution for fully-qualified names in Java, Kotlin, and Scala. This could lead to fewer false positives and more true positives when the code under analysis uses fully-qualified names instead of imports. (java-qualified)
- Optimised rule prefiltering and parsing to improve engine startup time. (rule-parse-cache)
- Reduced peak memory usage when scanning repos with large rulesets. (rules-json-compact)
- Fixed transitive reachability rule parsing performance: the temporary rule
  file written for each transitive-reachability RPC call is JSON content
  (`json.dumps([rule.raw])`) but was being created with a `.yaml` suffix.
  OCaml's `Parse_rule.parse_file` dispatches purely on file extension, so this
  routed every TR rule through `Yaml_to_generic.parse_yaml_file` (the slow YAML
  path) instead of `Fast_json.parse_program` (the new hand-written RFC 8259
  parser). Switching the suffix to `.json` lines the suffix up with the actual
  content and lets every TR rule parse take the fast path. (tr-json-suffix)
- Pro: Fixed a naming resolution bug in Java. (LANG-274)

</Release>

<Release version="v1.162.0" date="May 7, 2026" published="2026-05-07T16:03:28.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.162.0">
## Release v1.162.0

## [1.162.0](https://github.com/semgrep/semgrep/releases/tag/v1.162.0) - 2026-05-07

### Added

- pro: Improved support for tracking taint through nested functions. (LANG-95)
- Added indexes to file targeting to improve performance of semgrepignore matching. (gh-27830)

### Changed

- Faster JSON rule parsing: rule files in JSON format now parse roughly 5x faster end-to-end (measured ~134s → ~28s on a 382MB rule pack) by going through a new hand-written RFC 8259 parser instead of the previous JS-parser-based chain. (ENGINE-2725)
- Scala projects are now identified for Supply Chain only by their root build.sbt, rather than treating each build.sbt as a different subproject. (SC-3293)
- MCP `semgrep_findings` tool: added a `refs` parameter to filter findings by branch (defaults to the primary branch when not specified), and made `autotriage_verdict` optional so that findings without an AI verdict can also be returned. (engine-2723)

### Fixed

- jsonnet: `import` and `importstr` now reject paths that resolve outside the
  rule file's parent directory. (ENGINE-2727)
- semgrep ci: redact URL-embedded credentials and `Authorization` header
  values from git error messages and from the captured tracebacks sent to
  the fail-open telemetry endpoint, preventing leaks of secrets like
  `CI_JOB_TOKEN` from a failed `git fetch` in GitLab CI. Also closes
  ENGINE-2731 (raw, unsanitized tracebacks in fail-open telemetry). (ENGINE-2728)
- `semgrep ci` no longer transmits SCM tokens to the Semgrep Platform. (ENGINE-2729)
- semgrep CLI: the on-disk log file (`~/.semgrep/semgrep.log` or `$SEMGREP_LOG_FILE`) now respects the requested log level instead of always being written at DEBUG. This narrows the surface for credentials to land on disk via CI runner filesystems or job artifacts; pass `--debug` to restore the previous behavior. (ENGINE-2730)
- jsonnet rules: bound recursion in both rule loading and evaluation so a
  malicious rule can no longer hang semgrep via mutually-recursive `import`s
  or runtime function calls that recurse forever. (ENGINE-2727-dos)
- Scala: Merged consecutive top-level package declarations into a single package path. (LANG-374)
- Fixed PHP parse errors during highly-parallel parsing. (gh-6197)
- Fixed Scala parse errors during highly-parallel parsing. (gh-6198)
- Surfaced a clearer error from the MCP scan tool when metrics are off and auto config is specified. (gh-11649)
- Fixed an unknown option error when spawning the MCP daemon. (gh-11660)
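As an added example (not Semgrep's own code) of the redaction described in the ENGINE-2728 entry: URL-embedded credentials and `Authorization` header values are masked in git error text before it is shown to the user or attached to a fail-open telemetry traceback. The sample strings below are constructed; every token in them is a placeholder.

```python
"""Added example, not Semgrep's own code: scrub credentials from git error
messages and captured tracebacks before they are printed or uploaded."""
import re

MASK = "***"

# scheme://user:secret@host/...  ->  scheme://***@host/...
# Userinfo is masked whole: token-only forms such as https://TOKEN@host exist.
_URL_USERINFO = re.compile(r"([a-z][a-z0-9+.\-]*://)[^/\s@]+@", re.IGNORECASE)

# "Authorization: Bearer <secret>" or "http.extraheader=AUTHORIZATION: basic <secret>"
# The scheme word (basic/bearer/token) is kept; only the credential is masked.
_AUTH_HEADER = re.compile(
    r"(authorization\s*[:=]\s*)((?:basic|bearer|token)\s+)?([^\s'\"]+)",
    re.IGNORECASE,
)


def redact_secrets(text: str) -> str:
    """Return `text` with URL userinfo and Authorization values replaced by MASK."""
    text = _URL_USERINFO.sub(lambda m: m.group(1) + MASK + "@", text)
    text = _AUTH_HEADER.sub(lambda m: m.group(1) + (m.group(2) or "") + MASK, text)
    return text


def sanitize_for_telemetry(traceback_text: str) -> str:
    """Apply redaction to every line of a captured traceback before it leaves the host."""
    return "\n".join(redact_secrets(line) for line in traceback_text.splitlines())


# Constructed sample: what a failed `git fetch` in GitLab CI can print, with the
# job token embedded in the remote URL.
SAMPLE_GIT_ERROR = (
    "fatal: unable to access "
    "'https://gitlab-ci-token:glcbt-EXAMPLETOKEN@gitlab.example.com/group/repo.git/': "
    "The requested URL returned error: 403"
)

# Constructed sample traceback: the failing command line is captured verbatim,
# including an extra header and a second credentialed URL.
SAMPLE_TRACEBACK = "\n".join(
    [
        "Traceback (most recent call last):",
        '  File "semgrep/git.py", line 1, in fetch',
        "subprocess.CalledProcessError: Command '['git', '-c', "
        "'http.extraheader=AUTHORIZATION: basic Zm9vOkVYQU1QTEU=', 'fetch', "
        "'https://oauth2:EXAMPLE_PAT@git.example.com/org/repo.git']' "
        "returned non-zero exit status 128.",
    ]
)


if __name__ == "__main__":
    print(redact_secrets(SAMPLE_GIT_ERROR))
    print(sanitize_for_telemetry(SAMPLE_TRACEBACK))
```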

</Release>

<Release version="v1.161.0" date="April 22, 2026" published="2026-04-22T20:28:49.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.161.0">
## Release v1.161.0

## [1.161.0](https://github.com/semgrep/semgrep/releases/tag/v1.161.0) - 2026-04-22

### Added

- Scala 3.4+ trait parameters are now parsed correctly. (lang-73)

### Fixed

- Semgrep's HTTP requests no longer log URLs above the debug level; full request
  details remain available when running with `SEMGREP_LOG_SRCS=cohttp.client`. (ENGINE-2712)

</Release>

<Release version="v1.160.0" date="April 16, 2026" published="2026-04-16T18:11:46.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.160.0">
## Release v1.160.0

## [1.160.0](https://github.com/semgrep/semgrep/releases/tag/v1.160.0) - 2026-04-16

### Added

- Scala: Added tree-sitter parser for improved parsing accuracy with pfff fallback. (LANG-255)
- pro: taint: Improved support for variadic functions. (LANG-375)

### Fixed

- Fixed performance issues during parsing Semgrep rules containing emoji or
  other non-BMP Unicode characters. (gh-6070)
- Emit a warning when semgrep-core rule validation fails and falls back to JSON
  schema validation, alongside details of the failure. (gh-6071)

</Release>

<Release version="v1.159.0" date="April 10, 2026" published="2026-04-10T21:00:33.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.159.0">
## Release v1.159.0

## [1.159.0](https://github.com/semgrep/semgrep/releases/tag/v1.159.0) - 2026-04-10

### Fixed

- Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)

</Release>

<Release version="v1.158.0" date="April 10, 2026" published="2026-04-10T01:46:48.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.158.0">
## Release v1.158.0

## [1.158.0](https://github.com/semgrep/semgrep/releases/tag/v1.158.0) - 2026-04-09

### Added

- Added support for a supply chain hook for the Semgrep Plugin. (supply-chain-hook)
- Computing taint configs, roughly 1/4-1/2 of the semgrep-core time in interfile scans, is now done in parallel according to the number of jobs. (ENGINE-2649)
- Semgrep Pro interfile engine (`--pro`) taint analysis has been redesigned, significantly improving performance (estimated 20-40% improvement). This introduces a slight change in how findings are generated, which may result in more true positives or fewer false positives. To revert to the previous behavior, pass the `--no-x-run-taint-once` flag. (engine-2468)

### Changed

- semgrep-core macOS binaries are now dynamically linked to the system's libraries. (macos-binary-build)
- semgrep-core manylinux binaries are now dynamically linked to the system's glibc on glibc systems. This introduces a minimum glibc version requirement of >=2.35, which is satisfied in Ubuntu >=22.04, Debian >=12, RHEL >=10, and other glibc distributions with at least glibc 2.35. Linux systems running an older glibc will need to upgrade their OS. (manylinux-binary-build)
- The manylinux wheel is now tagged as manylinux_2_35_<arch>, reflecting a minimum
  requirement of glibc version 2.35. (manylinux-wheel-tag)
- semgrep-core musllinux binaries are now dynamically linked to the system's musl libc on musl systems. (musllinux-binary-build)
- The musllinux PyPI wheel is now tagged as musllinux_1_2_<arch>, reflecting a requirement
  of musl libc version 1.2. (musllinux-wheel-tag)
- The LSP and MCP servers now use the v2 config download endpoint by default when fetching rules from Semgrep AppSec Platform. Set `SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1` to fall back to the legacy endpoint. (SMS-2284)

### Fixed

- Fixed IDE login issues where network errors during token verification were incorrectly clearing the saved token. The LSP now distinguishes 401 Unauthorized (invalid token) from other errors (e.g. network failures), surfacing appropriate messages instead. (ide-login)
- Fixed SARIF taint trace output: step locations now use the correct file URI, and the full taint sink call trace is included in `codeFlows`. (engine-2570)
- The `--x-mem-policy` flag now propagates to the RPC subprocess, fixing memory tuning for dependency resolution and other RPC-based operations. (pylon-20772)

</Release>

<Release version="v1.157.0" date="March 31, 2026" published="2026-03-31T22:51:26.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.157.0">
## Release v1.157.0

## [1.157.0](https://github.com/semgrep/semgrep/releases/tag/v1.157.0) - 2026-03-31

### Added

- pro: Improved taint tracking through lambda calls. (LANG-268)
- It is now possible to match a class name like in `$C.getInstance(...)`, and then
  use `metavariable-type` on `$C` to check its type. (LANG-271)
- pro: Improve cross-file taint tracking for globals. (LANG-275)

### Changed

- Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
- pro: Improved golang module resolution. (code-9225)
- Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)

### Fixed

- Fix Rust parsing of "&raw" where "raw" is an identifier. (rust-parser-updated)
- Errors during target file discovery (e.g., permission errors, git failures) are now surfaced as warnings instead of being silently ignored. (ENGINE-2627)
- kotlin: Fixed bug parsing FQNs in `metavariable-type`. (LANG-271)
- Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names. (SC-3379)
- Prevented certain deeply nested aliengrep matches from segfaulting semgrep-core. (engine-2628)
- Fix Python parsing for files that contain empty strings (or quotes in docstrings) along with match statements. (gh-11287)
- Fix rule paths.include/paths.exclude filtering when a single file is passed as a scan target. Previously, path patterns like '**/src/test/**/*.java' would not match because only the filename was used for filtering instead of the full project-relative path. (gh-11560)
- Pro: Improved type resolution in Scala. (lang-79)
- Pro: Improved call resolution in Scala for parameterless methods. (lang-80)

</Release>

<Release version="v1.156.0" date="March 17, 2026" published="2026-03-17T21:18:25.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.156.0">
## Release v1.156.0

## [1.156.0](https://github.com/semgrep/semgrep/releases/tag/v1.156.0) - 2026-03-17

### Changed

- The Kotlin tree-sitter parser has been updated to the latest available grammar, significantly improving Kotlin support in Semgrep. (kotlin-parser)

### Fixed

- Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
- Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
- Fixed a crash in `semgrep ci` when run in a git repo with no remote origin set. (gh-11342)

</Release>

<Release version="v1.155.0" date="March 11, 2026" published="2026-03-11T20:54:32.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.155.0">
## Release v1.155.0

## [1.155.0](https://github.com/semgrep/semgrep/releases/tag/v1.155.0) - 2026-03-11

### Added

- Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
- scala: Improved support for Scala 3's optional braces. (LANG-218)
- Added PowerShell language support (beta) with parsing and pattern matching. (lang-233)

### Changed

- Removed the experimental and undocumented command `semgrep install-ci`. (osemgrep-install-ci)
- Migrate from publishing a single Linux wheel with the platform tag `musllinux_1_0_<arch>.manylinux2014_<arch>` to publishing two separate wheels:

  - A wheel with the platform tag `musllinux_1_0_<arch>`
  - A wheel with the platform tag `manylinux2014_<arch>`

  (pypi-linux-tag)

### Fixed

- When performing parallel operations over a small number of input items, the
  engine no longer spawns more OCaml domains than there are items to process. This
  improves resource utilisation. (engine-2588)
- Prevented a SessionStart hook crash when inject-secure-defaults receives empty stdin (JSONDecodeError). (engine-2592)
- Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the `--secrets-timeout` flag. (engine-2593)
- Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)

</Release>

<Release version="v1.154.0" date="March 4, 2026" published="2026-03-04T20:05:29.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.154.0">
## Release v1.154.0

## [1.154.0](https://github.com/semgrep/semgrep/releases/tag/v1.154.0) - 2026-03-04

### Fixed

- Fix crash on Windows when running `semgrep ci` with `--debug` and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when `--debug` was active. (ENGINE-2491)
- Changed the default memory policy from "eager" to "balanced". Scan times should
  noticeably improve; however, scans may use 5-10% additional memory. If running
  in a resource-constrained environment, consider setting the memory policy back
  to "aggressive". (engine-2055)
- When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k files). Semgrep now parallelizes this work according to the number of jobs passed (`-j`). (engine-2512)
- Fixed a performance issue where passing many scanning roots on the command
  line (e.g. `semgrep scan $(git ls-files '*.py')`) caused one semgrep-core
  subprocess to be spawned per file. Roots that are not directories are now
  handled directly in Python without any subprocess overhead. (gh-11404)
- Scala: Restored parse rate after mistaken bug introduced by implicit block parsing fix (lang-215)

</Release>

<Release version="v1.153.0" date="February 25, 2026" published="2026-02-25T23:56:00.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.153.0">
## Release v1.153.0

## [1.153.0](https://github.com/semgrep/semgrep/releases/tag/v1.153.0) - 2026-02-25

### Added

- Semgrep core is now optimized with flambda. (flambda)
- Scala: Support for `for`-`yield`. (LANG-193)

### Fixed

- Scala: Fixed a parsing bug where subsequent calls in an implicit block would not
  be considered at the same scope, e.g.

  ```scala
  def f (a: t) =
    foo()
    bar()
  ```

  (lang-194)

</Release>

<Release version="v1.152.0" date="February 18, 2026" published="2026-02-18T00:43:14.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.152.0">
## Release v1.152.0

## [1.152.0](https://github.com/semgrep/semgrep/releases/tag/v1.152.0) - 2026-02-17

### Added

- Hooks (for both Claude Code and Cursor) now pull custom rules from the registry. (custom-rules-hooks)
- Turned on DNS rebinding protection for the MCP server. (dns-check)
- Environment variables can now be passed to third-party package managers invoked as part of `--allow-local-builds` dependency resolution via the environment variable `SEMGREP_LOCAL_BUILD_ENV`, which accepts a JSON object with string keys and string values. (SC-3163)
- Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for
  a scan.  There are two initial policies: "aggressive", the current behaviour,
  which trades longer scan times for lower memory use, and "balanced", which
  finds a middle ground between reclaiming heap memory in short order while
  limiting how often the garbage collector runs.  The policy can be configured
  via the `--x-mem-policy` CLI flag for the pro engine; this flag is unused in
  the OSS engine. (engine-2055)
- Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@hex0punk) for the contribution! (gh-11347)
- Allows case-insensitive string comparisons using `lower()` and `upper()`, like this:

  ```yaml
  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  ```

  (gh-11502)
- Blocking findings in the CI output are now labelled as such. (#4394)

### Changed

- pro: There should be fewer FNs when the max number of fields to track per object
  is reached. (code-9224)
- Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis. (sc-3153)

### Fixed

- pro: Improved accuracy of taint tracking through assignments, this will help
  reduce FPs in some cases. (code-9220)
- When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a
  longer period of time before retrying the request, to spread out requests
  during periods of app instability. (engine-2550)

</Release>

<Release version="v1.151.0" date="February 4, 2026" published="2026-02-04T18:36:56.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.151.0">
## Release v1.151.0

## [1.151.0](https://github.com/semgrep/semgrep/releases/tag/v1.151.0) - 2026-02-04

### Added

- Added progress indicators for symbol analysis calculation and upload during CI scans. (sc-3103)

### Fixed

- Bumped `glom` to at least version `23.3`, which includes a fix for a `SyntaxWarning` being logged. (gh-11460)
- Semgrep no longer prints info log lines from semgrep-core RPC calls when `--trace` is passed and `--debug` isn't. (loglines)
- Fixed the README not appearing in built wheels. (wheelreadme)

</Release>

<Release version="v1.150.0" date="January 29, 2026" published="2026-01-29T22:50:07.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.150.0">
## Release v1.150.0

## [1.150.0](https://github.com/semgrep/semgrep/releases/tag/v1.150.0) - 2026-01-29

### Added

- Connecting to the Semgrep MCP server via streamableHttp now requires OAuth. (saf-2453)

### Changed

- Migrated from `pipenv` to `uv` for `./cli` package management. (uv)

### Fixed

- pro: Improved virtual method resolution in Scala. (code-9213)
- Improved performance for supply chain scans by reducing pre-computation when printing the scan status. This results in slightly less information being displayed in the case that there are no rules to run. (gh-5436)
- Supply Chain Analysis: fixed version range matching for NPM packages with versions containing a prerelease identifier such as `-alpha` in `1.2.3-alpha`. (sc-3001)

</Release>

<Release version="v1.149.0" date="January 21, 2026" published="2026-01-21T20:21:37.000Z" url="https://github.com/semgrep/semgrep/releases/tag/v1.149.0">
## Release v1.149.0

## [1.149.0](https://github.com/semgrep/semgrep/releases/tag/v1.149.0) - 2026-01-21

### Added

- Added a warning in `--debug` mode when a user runs a parallel scan with a larger
  value for `-j`/`--jobs` than the number of CPUs we detect the host has made
  available to Semgrep. Additionally, a suggested starting value for `-j`/`--jobs`
  is reported to give the user a place to start tuning their scan. (saf-2474)
- Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)

### Changed

- The MCP server no longer supports SSE transport. (saf-2462)

### Fixed

- pro: Improved virtual method resolution in Java. (code-9210)
- pro: Improved virtual method resolution in Scala. (code-9212)
- Improve performance of scan planning, a part of the Python CLI, by reducing
  the cost of re-hashing `Target` objects. Performance should improve on
  large repo scans proportionally to the number of files in the repo. (gh-5407)
- `semgrep ci` no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

</Release>

<Pagination cursor="2026-01-21T20:21:37.000Z|2026-04-11T14:01:04.633Z|rel_ylb59YTiNN0YutztBbi7C" next="https://releases.sh/semgrep/semgrep.md?cursor=2026-01-21T20%3A21%3A37.000Z%7C2026-04-11T14%3A01%3A04.633Z%7Crel_ylb59YTiNN0YutztBbi7C&limit=20" />
