mise: upgrade semgrep from 1.90.0 to 1.137.0

[devin-ai-integration]

Summary

Upgrades semgrep from 1.90.0 to 1.137.0 in mise.toml to fix the contracts-bedrock-checks CI failure that occurs whenever mise.toml is touched (even adding a comment).

Root cause: Semgrep 1.90.0 has a transitive dependency on opentelemetry-instrumentation, which imports pkg_resources from setuptools. Python 3.12 does not bundle setuptools in venvs by default. When the mise cache is invalidated (triggered by any mise.toml checksum change), a fresh pipx/uvx install of semgrep 1.90.0 fails with ModuleNotFoundError: No module named 'pkg_resources'. With a warm cache the old installation still has setuptools available, masking the issue.

This was reported upstream as semgrep/semgrep#11069. The OpenTelemetry packages were bumped in semgrep/semgrep#11180, and v1.137.0 is the first release confirmed to include the fix (per the issue thread).

Updates since last revision

• Bumped target version from 1.131.0 → 1.137.0. The initial 1.131.0 attempt still failed CI with the same pkg_resources error — the OpenTelemetry dependency bump had not yet landed in that release. Users in the upstream issue confirmed 1.137.0 as the first working version.

Review & Testing Checklist for Human

• Confirm CI's contracts-bedrock-checks semgrep step passes. This is the critical validation — local testing alone can't reproduce the cache-miss scenario that triggers the bug.
• Spot-check semgrep scan results: Verify no new or missing findings were introduced by the version bump (1.90.0 → 1.137.0 spans ~7 months of semgrep releases).
• Consider target version: 1.137.0 is the minimum fix version. If a newer version is preferred (latest is ~1.151.0), adjust accordingly.

Notes

• Link to Devin run
• Requested by @smartcontracts
• Reference failing CI job: contracts-bedrock-checks #4394798

Last update: 2026-02-10 22:37 ET

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.0%. Comparing base (db87881) to head (ed6c11a).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@            Coverage Diff             @@
##           develop   #19121     +/-   ##
==========================================
- Coverage     76.3%    76.0%   -0.4%     
==========================================
  Files          188      188             
  Lines        10946    10946             
==========================================
- Hits          8360     8327     -33     
- Misses        2440     2475     +35     
+ Partials       146      144      -2     

Flag	Coverage Δ
cannon-go-tests-64	66.4% <ø> (-0.9%)	⬇️
contracts-bedrock-tests	81.6% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.