Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
coverage	>=7.12,<7.13 -> >=7.13,<7.14
numpy (changelog)	~= 2.3.0 -> ~=2.4.0
semgrep	>=1.144,<1.145 -> >=1.146,<1.147

---

Release Notes

coveragepy/coveragepy (coverage)

v7.13.0

Compare Source

• Feature: coverage.py now supports :file:.coveragerc.toml configuration
  files. These files use TOML syntax and take priority over
  :file:pyproject.toml but lower priority than :file:.coveragerc files.
  Closes issue 1643_ thanks to Olena Yefymenko <pull 1952_>_.

• Fix: we now include a permanent .pth file which is installed with the code,
  fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn't work
  when using the source wheel (py3-none-any). This is now fixed. Thanks,
  Henry Schreiner <pull 2100_>.

• Deprecated: when coverage.py is installed, it creates three command entry
  points: coverage, coverage3, and coverage-3.10 (if installed for
  Python 3.10). The second and third of these are not needed and will
  eventually be removed. They still work for now, but print a message about
  their deprecation.

.. _issue 1643: #​1643
.. _pull 1952: #​1952
.. _pull 2100: #​2100

.. _changes_7-12-1b1:

numpy/numpy (numpy)

v2.4.0

Compare Source

returntocorp/semgrep (semgrep)

v1.146.0

Added

• Added support for Cursor post-code-generation hooks via new record-file-edit and stop-cli-scan semgrep mcp flags (cursor-hooks)
• Added skipped_paths field to CI scan results to report files that failed to scan due to errors (timeout, OOM, etc.), preventing the app from incorrectly marking findings in those files as fixed (gh-5122)
• Symbol analysis, if enabled, now runs for Supply Chain only scans when calling semgrep ci. (sc-2927)

Changed

• Semgrep's Docker image base has been bumped from Alpine Linux 3.22 to 3.23 (docker-version)
• bumped the mcp python-sdk from 1.16.0 to 1.23.3 (mcp-version)
• pro: [experimental] enabling and disabling transitive reachability
  analysis in semgrep ci regardless of app settings is now possible with
  --x-enable-transitive-reachability (or --x-tr)
  and --x-disable-transitive-reachability. (tr-flags)

Fixed

• The PHP AST now distinguishes between if statements with no else clause and those with an explicit but empty else {}. (gh-11330)
• git-lfs objects are now excluded from baseline scans, as they are usually binary files, or simply too large to scan. (saf-2020)
• Fix a OCaml stdlib bug that would cause nondeterministic UnixErrors on Windows under the multicore runtime due to a race condition in the socketpair implementation (saf-2316)
• Fixed an issue that in rare cases could lead timeouts to be mishandled. This typically manifested only through slightly different warning messages, but it is possible that more serious consequences could have occasionally resulted. (saf-2368)
• Fixed symbol analysis incorrectly analyzing all files instead of only the relevant language files per ecosystem. (sc-3020)

v1.145.2

No significant changes.

v1.145.1

No significant changes.

v1.145.0

Added

• Added optional user-prompting for classifying findings as true/false positives via MCP Elicitation in the MCP server (behind SEMGREP_FINDINGS_ELICITATION_ENABLED, off by default). (elicitation)
• Added hook to inject secure-by-default library recommendations into Claude Code Agent context. (secure-defaults-hook)

Changed

• Symbol analysis upload now runs before scan completion to ensure it is available during initial scan postprocessing. (sc-2933)

Fixed

• Fix issue that could lead to validation failures for certain well-formed rules, such as those with emoji in their messages. (incid-293)
• The correct range for let ... in expressions in OCaml is now reported. Previously, the location of the let was omitted. This is mainly relevant for autofix. (ocaml-let)
• Debug log lines concerning telemetry collection that are only relevant inside
  Semgrep's managed scanning environment are not emitted if a scan runs outside
  that environment. (saf-2321)
• pro: in 1.144.0 interfile scans no longer default to -j 1; instead, the number of available CPUs on the system was used to inform how many jobs should be spawned. This caused a change in timeouts due to how time is measured for certain parts of the pro engine. This change has now been reverted (saf-default-jobs)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud