Bump the dev-dependencies group in /export with 3 updates

[dependabot]

Bumps the dev-dependencies group in /export with 3 updates: mypy, types-setuptools and semgrep.

Updates mypy from 1.13.0 to 1.14.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

...

Mypy 1.14

We’ve just uploaded mypy 1.14 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Change to Enum Membership Semantics

As per the updated typing specification for enums, enum members must be left unannotated.

class Pet(Enum):
    CAT = 1  # Member attribute
    DOG = 2  # Member attribute
# New error: Enum members must be left unannotated
WOLF: int = 3
species: str  # Considered a non-member attribute

In particular, the specification change can result in issues in type stubs (.pyi files), since historically it was common to leave the value absent:

# In a type stub (.pyi file)
class Pet(Enum):
# Change in semantics: previously considered members,
# now non-member attributes
CAT: int
DOG: int
# Mypy will now issue a warning if it detects this
# situation in type stubs:
# > Detected enum "Pet" in a type stub with zero
# > members. There is a chance this is due to a recent
# > change in the semantics of enum membership. If so,
# > use `member = value` to mark an enum member,

</tr></table>

... (truncated)

Commits

• 6f37859 Remove +dev from version for release 1.14
• 5a6a754 Minor updates to 1.14 changelog (#18310)
• 9772d48 Update changelog for release 1.14 (#18301)
• 92473c8 Warn about --follow-untyped-imports (#18249)
• e6ce8be PEP 702 (@​deprecated): descriptors (#18090)
• 5082a22 [mypyc] Document optimized bytes ops and additional str ops (#18242)
• ee19ea7 [mypyc] Add primitives and specialization for ord() (#18240)
• cc45bec [mypyc] Make exception type check in assertRaises test helper precise (#18241)
• f51090d Make "deprecated" Note a standard Error, disabled by default (#18192)
• 242873a Implement flag to allow typechecking of untyped modules (#17712)
• Additional commits viewable in compare view

Updates types-setuptools from 75.6.0.20241126 to 75.6.0.20241223

Commits

• See full diff in compare view

Updates semgrep from 1.100.0 to 1.101.0

Release notes

Sourced from semgrep's releases.

Release v1.101.0

1.101.0 - 2024-12-18

Added

• Improved pnpm-lock.yaml parsing. (gh-2663)

Changed

• Re-ordered some terminal output of semgrep ci to allow semgrep-app to block scans based on specific findings (SECW-2740)
• A few fields in the JSON output (e.g., "fingerprint", "metavars") require now the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (json)
• We're renaming semgrep OSS to Semgrep Community Edition. See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/ for more information. (rename)
• A few fields in the SARIF output (e.g., "fingerprints") require now the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif for more information. (sarif)

Fixed

• pro: Improved inter-file tracking of tainted global variables. (code-7054)

• Python (pro-only): Taint now correctly tracks through calls to class methods within a class, via the cls parameter.

  So for instance, we would be able to determine a source-to-sink vulnerability in the following code snippet:

  class A:
    def foo(self, x):
      sink(x)
  @​classmethod
  
  def bar(cls):
  
  cls.foo(source)
  </code></pre>
  </li>
  <li>
  <p>pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)</p>
  </li>
  <li>
  <p>Restored the &quot;rules&quot; field in the SARIF output, even when logged out. (saf-1794)</p>
  </li>
  </ul>
  </blockquote>
  </details>
  <details>
  <summary>Changelog</summary>
  <p><em>Sourced from <a href="https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md&quot;&gt;semgrep's changelog</a>.</em></p>
  
  <blockquote>
  
  <h2><a href="https://github.com/semgrep/semgrep/releases/tag/v1.101.0&quot;&gt;1.101.0&lt;/a> - 2024-12-18</h2>
  
  <h3>Added</h3>
  
  <ul>
  
  <li>Improved pnpm-lock.yaml parsing. (<a href="https://redirect.github.com/returntocorp/semgrep/issues/2663&quot;&gt;gh-2663&lt;/a&gt;)&lt;/li>
  
  </ul>
  
  <h3>Changed</h3>
  
  <ul>
  
  <li>Re-ordered some terminal output of <code>semgrep ci</code> to allow semgrep-app to block scans based on specific findings (SECW-2740)</li>
  
  <li>A few fields in the JSON output (e.g., &quot;fingerprint&quot;, &quot;metavars&quot;) require now
  
  the user to be logged in to see them.
  
  See <a href="https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json&quot;&gt;https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json&lt;/a>
  
  for more information. (json)</li>
  
  <li>We're renaming semgrep OSS to Semgrep Community Edition.
  
  See <a href="https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/&quot;&gt;https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/&lt;/a>
  
  for more information. (rename)</li>
  
  <li>A few fields in the SARIF output (e.g., &quot;fingerprints&quot;) require now
  
  the user to be logged in to see them.
  
  See <a href="https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif&quot;&gt;https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif&lt;/a>
  
  for more information. (sarif)</li>
  
  </ul>
  
  <h3>Fixed</h3>
  
  <ul>
  
  <li>
  
  <p>pro: Improved inter-file tracking of tainted global variables. (code-7054)</p>
  
  </li>
  
  <li>
  
  <p>Python (pro-only): Taint now correctly tracks through calls to class methods
  
  within a class, via the <code>cls</code> parameter.</p>
  
  <p>So for instance, we would be able to determine a source-to-sink
  
  vulnerability in the following code snippet:</p>
  
  <pre><code>class A:
  
  def foo(self, x):
  
  sink(x)
  @classmethod
  
  def bar(cls):
  
  cls.foo(source)
  &lt;/code&gt;&lt;/pre&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;Restored the &amp;quot;rules&amp;quot; field in the SARIF output, even when logged out. (saf-1794)&lt;/p&gt;
  &lt;/li&gt;
  &lt;/ul&gt;
  &lt;/blockquote&gt;
  &lt;/details&gt;
  &lt;details&gt;
  &lt;summary&gt;Commits&lt;/summary&gt;
  
  &lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/da1124acb54b20c57ba454b49cb7ea65be7bac00&quot;&gt;&lt;code&gt;da1124a&lt;/code&gt;&lt;/a&gt; chore: release version 1.101.0&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/611bdbd15026dfdd38fa30b93889925fa50e444e&quot;&gt;&lt;code&gt;611bdbd&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2800&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/c04cd3859d74839950e7f4bce522b76871123533&quot;&gt;&lt;code&gt;c04cd38&lt;/code&gt;&lt;/a&gt; SARIF: restore the &amp;quot;rules&amp;quot; field even when logged out (semgrep/semgrep-propri...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/ac656ed70771e53ac85ca89d8d02331427f4d0e3&quot;&gt;&lt;code&gt;ac656ed&lt;/code&gt;&lt;/a&gt; osemgrep: Remove use of Fmt for Xxx_report.ml and consolidate in Text_reports...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/9dc60c18cdba6eb6925b240456f93363fc3bfe54&quot;&gt;&lt;code&gt;9dc60c1&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/bfd1c717c66602912bc0c1d5dd4d6d8946531df8&quot;&gt;&lt;code&gt;bfd1c71&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2745&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/eeb85e609c7382f6b09230c048500d3fb2eba18d&quot;&gt;&lt;code&gt;eeb85e6&lt;/code&gt;&lt;/a&gt; feat: Reorder output of &lt;code&gt;semgrep ci&lt;/code&gt; to allow the app to mark specific findin...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/f74a69d9b124baf7c7745747605d2199a8c8a9c1&quot;&gt;&lt;code&gt;f74a69d&lt;/code&gt;&lt;/a&gt; tainting: Fix missing call-steps in taint traces (semgrep/semgrep-proprietary...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/81a65de263260978efd9c75dfeac13d333587666&quot;&gt;&lt;code&gt;81a65de&lt;/code&gt;&lt;/a&gt; Add changelog entries for the gated loggedin fields (semgrep/semgrep-propriet...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/dc6f9b2971283110066b9703beabaed2f0936bc8&quot;&gt;&lt;code&gt;dc6f9b2&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2756&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Additional commits viewable in &lt;a href=&quot;https://github.com/returntocorp/semgrep/compare/v1.100.0...v1.101.0&quot;&gt;compare view&lt;/a&gt;&lt;/li&gt;
  &lt;/ul&gt;
  &lt;/details&gt;
  
  &lt;br /&gt;
  </code></pre>
  
  
  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
  
  [//]: # (dependabot-automerge-start)
  [//]: # (dependabot-automerge-end)
  
  ---
  
  <details>
  <summary>Dependabot commands and options</summary>
  <br />
  
  You can trigger Dependabot actions by commenting on this PR:
  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot merge` will merge this PR after your CI passes on it
  - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  - `@dependabot reopen` will reopen this PR if it is closed
  - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
  - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
  
  
  </details>
  

[dependabot]

Superseded by #2349.