Merge branch 'main' into patch-1

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 2.7.1
+
+No user-facing changes.
+
+## 2.7.0
+
+### New Features
+
+* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
+
 ## 2.6.28
 
 No user-facing changes.

javascript/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).

javascript/ql/lib/change-notes/2026-05-14-sensitive-data.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `js/clear-text-logging`) may find more correct results and fewer false positive results after these changes.

javascript/ql/lib/change-notes/released/2.7.0.md

@@ -1,4 +1,6 @@
----
-category: feature
----
+## 2.7.0
+
+### New Features
+
 * Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).

javascript/ql/lib/change-notes/released/2.7.1.md

@@ -0,0 +1,3 @@
+## 2.7.1
+
+No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.28
+lastReleaseVersion: 2.7.1

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.29-dev
+version: 2.7.2-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 2.3.10
+
+No user-facing changes.
+
+## 2.3.9
+
+No user-facing changes.
+
 ## 2.3.8
 
 ### Minor Analysis Improvements

javascript/ql/src/change-notes/released/2.3.10.md

@@ -0,0 +1,3 @@
+## 2.3.10
+
+No user-facing changes.

javascript/ql/src/change-notes/released/2.3.9.md

@@ -0,0 +1,3 @@
+## 2.3.9
+
+No user-facing changes.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.8
+lastReleaseVersion: 2.3.10

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.9-dev
+version: 2.3.11-dev
 groups:
   - javascript
   - queries