Bump the dev-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the dev-dependencies group with 3 updates in the /export directory: mypy, types-setuptools and semgrep.

Updates mypy from 1.13.0 to 1.14.1

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Drop Support for Python 3.8

Mypy no longer supports running with Python 3.8, which has reached end-of-life. When running mypy with Python 3.9+, it is still possible to type check code that needs to support Python 3.8 with the --python-version 3.8 argument. Support for this will be dropped in the first half of 2025!

Contributed by Marc Mueller (PR 17492).

Mypyc accelerated mypy wheels for aarch64

Mypy can compile itself to C extension modules using mypyc. This makes mypy 3-5x faster than if mypy is interpreted with pure Python. We now build and upload mypyc accelerated mypy wheels for manylinux_aarch64 to PyPI, making it easy for users on such platforms to realise this speedup.

Contributed by Christian Bundy (PR mypy_mypyc-wheels#76)

--strict-bytes

By default, mypy treats an annotation of bytes as permitting bytearray and memoryview. PEP 688 specified the removal of this special case. Use this flag to disable this behavior. --strict-bytes will be enabled by default in mypy 2.0.

Contributed by Ali Hamdan (PR 18137) and Shantanu Jain (PR 13952).

Improvements to partial type handling in loops

This change results in mypy better modelling control flow within loops and hence detecting several issues it previously did not detect. In some cases, this change may require use of an additional explicit annotation of a variable.

Contributed by Christoph Tyralla (PR 18180).

(Speaking of partial types, another reminder that mypy plans on enabling --local-partial-types by default in mypy 2.0).

Mypy 1.14

We’ve just uploaded mypy 1.14 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

... (truncated)

Commits

• 251d12f Remove +dev from version for release 1.14.1
• 667e5f7 Revert "Remove redundant inheritances from Iterator in builtins" (#18324)
• 67f673a Fix enum truthiness for StrEnum (#18379)
• 3755abb Fix getargs argument passing (#18350)
• b9fa8ee Update version to 1.14.1+dev for point release
• 6f37859 Remove +dev from version for release 1.14
• 5a6a754 Minor updates to 1.14 changelog (#18310)
• 9772d48 Update changelog for release 1.14 (#18301)
• 92473c8 Warn about --follow-untyped-imports (#18249)
• e6ce8be PEP 702 (@​deprecated): descriptors (#18090)
• Additional commits viewable in compare view

Updates types-setuptools from 75.6.0.20241126 to 75.6.0.20241223

Commits

• See full diff in compare view

Updates semgrep from 1.100.0 to 1.101.0

Release notes

Sourced from semgrep's releases.

Release v1.101.0

1.101.0 - 2024-12-18

Added

• Improved pnpm-lock.yaml parsing. (gh-2663)

Changed

• Re-ordered some terminal output of semgrep ci to allow semgrep-app to block scans based on specific findings (SECW-2740)
• A few fields in the JSON output (e.g., "fingerprint", "metavars") require now the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (json)
• We're renaming semgrep OSS to Semgrep Community Edition. See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/ for more information. (rename)
• A few fields in the SARIF output (e.g., "fingerprints") require now the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif for more information. (sarif)

Fixed

• pro: Improved inter-file tracking of tainted global variables. (code-7054)

• Python (pro-only): Taint now correctly tracks through calls to class methods within a class, via the cls parameter.

  So for instance, we would be able to determine a source-to-sink vulnerability in the following code snippet:

  class A:
    def foo(self, x):
      sink(x)
  @​classmethod
  
  def bar(cls):
  
  cls.foo(source)
  </code></pre>
  </li>
  <li>
  <p>pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)</p>
  </li>
  <li>
  <p>Restored the &quot;rules&quot; field in the SARIF output, even when logged out. (saf-1794)</p>
  </li>
  </ul>
  </blockquote>
  </details>
  <details>
  <summary>Changelog</summary>
  <p><em>Sourced from <a href="https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md&quot;&gt;semgrep's changelog</a>.</em></p>
  
  <blockquote>
  
  <h2><a href="https://github.com/semgrep/semgrep/releases/tag/v1.101.0&quot;&gt;1.101.0&lt;/a> - 2024-12-18</h2>
  
  <h3>Added</h3>
  
  <ul>
  
  <li>Improved pnpm-lock.yaml parsing. (<a href="https://redirect.github.com/returntocorp/semgrep/issues/2663&quot;&gt;gh-2663&lt;/a&gt;)&lt;/li>
  
  </ul>
  
  <h3>Changed</h3>
  
  <ul>
  
  <li>Re-ordered some terminal output of <code>semgrep ci</code> to allow semgrep-app to block scans based on specific findings (SECW-2740)</li>
  
  <li>A few fields in the JSON output (e.g., &quot;fingerprint&quot;, &quot;metavars&quot;) require now
  
  the user to be logged in to see them.
  
  See <a href="https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json&quot;&gt;https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json&lt;/a>
  
  for more information. (json)</li>
  
  <li>We're renaming semgrep OSS to Semgrep Community Edition.
  
  See <a href="https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/&quot;&gt;https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/&lt;/a>
  
  for more information. (rename)</li>
  
  <li>A few fields in the SARIF output (e.g., &quot;fingerprints&quot;) require now
  
  the user to be logged in to see them.
  
  See <a href="https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif&quot;&gt;https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif&lt;/a>
  
  for more information. (sarif)</li>
  
  </ul>
  
  <h3>Fixed</h3>
  
  <ul>
  
  <li>
  
  <p>pro: Improved inter-file tracking of tainted global variables. (code-7054)</p>
  
  </li>
  
  <li>
  
  <p>Python (pro-only): Taint now correctly tracks through calls to class methods
  
  within a class, via the <code>cls</code> parameter.</p>
  
  <p>So for instance, we would be able to determine a source-to-sink
  
  vulnerability in the following code snippet:</p>
  
  <pre><code>class A:
  
  def foo(self, x):
  
  sink(x)
  @classmethod
  
  def bar(cls):
  
  cls.foo(source)
  &lt;/code&gt;&lt;/pre&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;Restored the &amp;quot;rules&amp;quot; field in the SARIF output, even when logged out. (saf-1794)&lt;/p&gt;
  &lt;/li&gt;
  &lt;/ul&gt;
  &lt;/blockquote&gt;
  &lt;/details&gt;
  &lt;details&gt;
  &lt;summary&gt;Commits&lt;/summary&gt;
  
  &lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/da1124acb54b20c57ba454b49cb7ea65be7bac00&quot;&gt;&lt;code&gt;da1124a&lt;/code&gt;&lt;/a&gt; chore: release version 1.101.0&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/611bdbd15026dfdd38fa30b93889925fa50e444e&quot;&gt;&lt;code&gt;611bdbd&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2800&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/c04cd3859d74839950e7f4bce522b76871123533&quot;&gt;&lt;code&gt;c04cd38&lt;/code&gt;&lt;/a&gt; SARIF: restore the &amp;quot;rules&amp;quot; field even when logged out (semgrep/semgrep-propri...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/ac656ed70771e53ac85ca89d8d02331427f4d0e3&quot;&gt;&lt;code&gt;ac656ed&lt;/code&gt;&lt;/a&gt; osemgrep: Remove use of Fmt for Xxx_report.ml and consolidate in Text_reports...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/9dc60c18cdba6eb6925b240456f93363fc3bfe54&quot;&gt;&lt;code&gt;9dc60c1&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/bfd1c717c66602912bc0c1d5dd4d6d8946531df8&quot;&gt;&lt;code&gt;bfd1c71&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2745&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/eeb85e609c7382f6b09230c048500d3fb2eba18d&quot;&gt;&lt;code&gt;eeb85e6&lt;/code&gt;&lt;/a&gt; feat: Reorder output of &lt;code&gt;semgrep ci&lt;/code&gt; to allow the app to mark specific findin...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/f74a69d9b124baf7c7745747605d2199a8c8a9c1&quot;&gt;&lt;code&gt;f74a69d&lt;/code&gt;&lt;/a&gt; tainting: Fix missing call-steps in taint traces (semgrep/semgrep-proprietary...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/81a65de263260978efd9c75dfeac13d333587666&quot;&gt;&lt;code&gt;81a65de&lt;/code&gt;&lt;/a&gt; Add changelog entries for the gated loggedin fields (semgrep/semgrep-propriet...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/dc6f9b2971283110066b9703beabaed2f0936bc8&quot;&gt;&lt;code&gt;dc6f9b2&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2756&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Additional commits viewable in &lt;a href=&quot;https://github.com/returntocorp/semgrep/compare/v1.100.0...v1.101.0&quot;&gt;compare view&lt;/a&gt;&lt;/li&gt;
  &lt;/ul&gt;
  &lt;/details&gt;
  
  &lt;br /&gt;
  </code></pre>
  
  
  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
  
  [//]: # (dependabot-automerge-start)
  [//]: # (dependabot-automerge-end)
  
  ---
  
  <details>
  <summary>Dependabot commands and options</summary>
  <br />
  
  You can trigger Dependabot actions by commenting on this PR:
  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot merge` will merge this PR after your CI passes on it
  - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  - `@dependabot reopen` will reopen this PR if it is closed
  - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
  - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
  
  
  </details>