chore(deps): bump semgrep from 1.151.0 to 1.153.1

[dependabot]

Bumps semgrep from 1.151.0 to 1.153.1.

Release notes

Sourced from semgrep's releases.

Release v1.153.0

1.153.0 - 2026-02-25

### Added

• Semgrep core is now optimized with flambda (flambda)
• Scala: Support for for-yield (LANG-193)

### Fixed

• Scala: Fixed a parsing bug where subsequent calls in an implicit block would not be considered at the same scope, e.g.

  def f (a: t) =
    foo()
    bar()
  ``` (lang-194)
  

Release v1.152.0

1.152.0 - 2026-02-17

### Added

• Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

• Turned on DNS rebinding protection for the MCP server (dns-check)

• Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

• Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory in short order while limiting how often the garbage collector runs. The policy can be configured via the --x-mem-policy CLI flag for the pro engine; this flag is unused in the OSS engine. (engine-2055)

• Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@​hex0punk) for the contribution! (gh-11347)

• Allows case insensitive string comparisons using lower() and upper() like this:

  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  

  (gh-11502)

• Blocking findings that are outputted in the CI output are now labelled as such. (#4394)

### Changed

• pro: There should be fewer FNs when the max number of fields to track per object

... (truncated)

Changelog

Sourced from semgrep's changelog.

Changelog

1.153.0 - 2026-02-25

### Added

• Semgrep core is now optimized with flambda (flambda)
• Scala: Support for for-yield (LANG-193)

### Fixed

• Scala: Fixed a parsing bug where subsequent calls in an implicit block would not be considered at the same scope, e.g.

  def f (a: t) =
    foo()
    bar()
  ``` (lang-194)
  

1.152.0 - 2026-02-17

### Added

• Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)

• Turned on DNS rebinding protection for the MCP server (dns-check)

• Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)

• Memory management policies

  A memory policy defines how OCaml's garbage collector should be configured for a scan. There are two initial policies: "aggressive", the current behaviour, which trades longer scan times for lower memory use, and "balanced", which finds a middle ground between reclaiming heap memory in short order while limiting how often the garbage collector runs. The policy can be configured via the --x-mem-policy CLI flag for the pro engine; this flag is unused in the OSS engine. (engine-2055)

• Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@​hex0punk) for the contribution! (gh-11347)

• Allows case insensitive string comparisons using lower() and upper() like this:

  - metavariable-comparison:
      metavariable: $VALUE
      comparison: upper(str($VALUE)) == "SEMGREP"
  

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)