pypi semgrep 0.123.0
Release v0.123.0


0.123.0 - 2022-11-29

Added

  • CLI: Added deep traces to --dataflow-traces (pa-2116)

Changed

  • Reachable Supply Chain findings will no longer block pull requests when using semgrep ci.
    Note that unreachable findings have been non-blocking already. (sca-nonblocking)

Fixed

  • Fix matching issue related to JS imports with multiple imported values (gh-5305)
  • DeepSemgrep: Keep only the shortest trace originating from a taint source. This
    also prevents falling into infinite loops when inferring taint signatures for
    mutually recursive procedures. (pa-2224)
  • taint-mode: Improved taint tracking for array-like accesses. Previously, if
    x.a.b[i].c got tainted, Semgrep would track x.a.b as tainted, and thus
    x.a.b[i].d would be incorrectly considered as tainted too. Now Semgrep will
    do the right thing and track x.a.b[*].c as tainted, and x.a.b[i].d will
    not be considered tainted. (pa-2225)
  • Java: private, singly-assigned class variables now permit constant propagation (pa-2230)
  • JS/TS: Allow dependencies to @Injectable and @component classes in Angular JS to be visible outside the scope of the constructor. (pa-2233)
  • Fix matching issue related to Python imports with multiple imported values (python-imports)
  • Supply Chain findings from a yarn.lock lockfile were marked as 'transitive'
    when we couldn't find the matching package.json file.
    These findings will now be marked as having 'unknown' transitivity. (sc-425)
  • Make $X(...) match this() and super(). (this-match)
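The taint-mode fix above (tracking x.a.b[*].c instead of all of x.a.b), illustrated by an added example that is not part of Semgrep's release or code base: a toy access-path taint model in which the pre-fix over-approximation and the corrected behaviour can be compared on constructed expressions. The helper names (parse_path, taint_old, taint_new, is_tainted, compare) are assumptions for the illustration, not Semgrep APIs.

```python
# Added example (not Semgrep's own code): a toy access-path taint model that
# contrasts the pre-0.123.0 over-approximation (truncate the path at the first
# index) with the fixed behaviour (abstract the index to "*" and keep the rest).
import re

# One token per step of an access path: ".a" / "a" (field) or "[i]" (index).
_TOKEN = re.compile(r"\.?([A-Za-z_]\w*)|\[([^\]]*)\]")


def parse_path(expr: str) -> tuple:
    """Split 'x.a.b[i].c' into ('x', 'a', 'b', '[*]', 'c').

    The concrete index is unknown statically, so every index becomes '[*]'."""
    return tuple(m.group(1) if m.group(1) is not None else "[*]"
                 for m in _TOKEN.finditer(expr))


def taint_old(expr: str) -> tuple:
    """Old behaviour: give up at the first index and taint all of x.a.b."""
    path = parse_path(expr)
    return path[: path.index("[*]")] if "[*]" in path else path


def taint_new(expr: str) -> tuple:
    """Fixed behaviour: keep the whole path, with the index abstracted."""
    return parse_path(expr)


def is_tainted(tainted: tuple, expr: str) -> bool:
    """Reading a field of a tainted value yields tainted data, so an access
    is tainted when its path extends (or equals) the tainted path. This toy
    model only covers that field-read direction."""
    path = parse_path(expr)
    return path[: len(tainted)] == tainted


def compare(source: str, read: str) -> dict:
    """Report whether `read` is tainted under each model once `source` is
    tainted; the caller passes constructed sample expressions."""
    return {"old": is_tainted(taint_old(source), read),
            "new": is_tainted(taint_new(source), read)}


if __name__ == "__main__":
    # Constructed sample accesses taken from the changelog wording.
    for read in ("x.a.b[i].c", "x.a.b[j].c", "x.a.b[i].d", "x.a.b[i].c.e"):
        print(read, compare("x.a.b[i].c", read))
```

Under the old model x.a.b[i].d reports as tainted (the false positive the entry describes); under the fixed model it does not, while x.a.b[j].c and x.a.b[i].c.e still do.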
