Merge pull request #10565 from github/post-release-prep/codeql-cli-2.11.0

Post-release preparation for codeql-cli-2.11.0
2026-04-28 18:25:24 +02:00 · 2022-09-23 18:13:59 -04:00
parent 79c0178a7c 6cef0af5df
commit 3bd456e52d
129 changed files with 555 additions and 293 deletions
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,75 @@
+## 0.3.0
+
+### Breaking Changes
+
+* Many library models have been rewritten to use dataflow nodes instead of the AST.
+  The types of some classes have been changed, and these changes may break existing code.
+  Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
+
+* The basetype of the following list of classes has changed from an expression to a dataflow node, and thus code using these classes might break. 
+  The fix to these breakages is usually to use `asExpr()` to get an expression from a dataflow node, or to use `.flow()` to get a dataflow node from an expression.  
+   - DOM.qll#WebStorageWrite
+   - CryptoLibraries.qll#CryptographicOperation
+   - Express.qll#Express::RequestBodyAccess
+   - HTTP.qll#HTTP::ResponseBody
+   - HTTP.qll#HTTP::CookieDefinition
+   - HTTP.qll#HTTP::ServerDefinition
+   - HTTP.qll#HTTP::RouteSetup
+   - NoSQL.qll#NoSql::Query
+   - SQL.qll#SQL::SqlString
+   - SQL.qll#SQL::SqlSanitizer
+   - HTTP.qll#ResponseBody
+   - HTTP.qll#CookieDefinition
+   - HTTP.qll#ServerDefinition
+   - HTTP.qll#RouteSetup
+   - HTTP.qll#HTTP::RedirectInvocation
+   - HTTP.qll#RedirectInvocation
+   - Express.qll#Express::RouterDefinition
+   - AngularJSCore.qll#LinkFunction
+   - Connect.qll#Connect::StandardRouteHandler
+   - CryptoLibraries.qll#CryptographicKeyCredentialsExpr
+   - AWS.qll#AWS::Credentials
+   - Azure.qll#Azure::Credentials
+   - Connect.qll#Connect::Credentials
+   - DigitalOcean.qll#DigitalOcean::Credentials
+   - Express.qll#Express::Credentials
+   - NodeJSLib.qll#NodeJSLib::Credentials
+   - PkgCloud.qll#PkgCloud::Credentials
+   - Request.qll#Request::Credentials
+   - ServiceDefinitions.qll#InjectableFunctionServiceRequest
+   - SensitiveActions.qll#SensitiveVariableAccess
+   - SensitiveActions.qll#CleartextPasswordExpr
+   - Connect.qll#Connect::ServerDefinition
+   - Restify.qll#Restify::ServerDefinition
+   - Connect.qll#Connect::RouteSetup
+   - Express.qll#Express::RouteSetup
+   - Fastify.qll#Fastify::RouteSetup
+   - Hapi.qll#Hapi::RouteSetup
+   - Koa.qll#Koa::RouteSetup
+   - Restify.qll#Restify::RouteSetup
+   - NodeJSLib.qll#NodeJSLib::RouteSetup
+   - Express.qll#Express::StandardRouteHandler
+   - Express.qll#Express::SetCookie
+   - Hapi.qll#Hapi::RouteHandler
+   - HTTP.qll#HTTP::Servers::StandardHeaderDefinition
+   - HTTP.qll#Servers::StandardHeaderDefinition
+   - Hapi.qll#Hapi::ServerDefinition
+   - Koa.qll#Koa::AppDefinition
+   - SensitiveActions.qll#SensitiveCall
+
+### Deprecated APIs
+
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### Major Analysis Improvements
+
+* Added support for TypeScript 4.8.
+
+### Minor Analysis Improvements
+
+* A model for the `mermaid` library has been added. XSS queries can now detect flow through the `render` method of the `mermaid` library. 
+
 ## 0.2.5

 ## 0.2.4
--- a/javascript/ql/lib/change-notes/2022-05-24-typescript-4-8.md
+++ b/javascript/ql/lib/change-notes/2022-05-24-typescript-4-8.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* Added support for TypeScript 4.8.
--- a/javascript/ql/lib/change-notes/2022-08-09-mermaid.md
+++ b/javascript/ql/lib/change-notes/2022-08-09-mermaid.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A model for the `mermaid` library has been added. XSS queries can now detect flow through the `render` method of the `mermaid` library. 
--- a/javascript/ql/lib/change-notes/2022-09-12-uppercase.md
+++ b/javascript/ql/lib/change-notes/2022-09-12-uppercase.md
@@ -1,5 +0,0 @@
---
-category: deprecated
---
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
--- a/javascript/ql/lib/change-notes/2022-04-04-dataflow-models.md
+++ b/javascript/ql/lib/change-notes/2022-04-04-dataflow-models.md
@@ -1,6 +1,7 @@
---
-category: breaking
---
+## 0.3.0
+
+### Breaking Changes
+
 * Many library models have been rewritten to use dataflow nodes instead of the AST.
  The types of some classes have been changed, and these changes may break existing code.
  Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
@@ -54,4 +55,17 @@ category: breaking
   - HTTP.qll#Servers::StandardHeaderDefinition
   - Hapi.qll#Hapi::ServerDefinition
   - Koa.qll#Koa::AppDefinition
-   - SensitiveActions.qll#SensitiveCall
+   - SensitiveActions.qll#SensitiveCall
+
+### Deprecated APIs
+
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### Major Analysis Improvements
+
+* Added support for TypeScript 4.8.
+
+### Minor Analysis Improvements
+
+* A model for the `mermaid` library has been added. XSS queries can now detect flow through the `render` method of the `mermaid` library. 
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.5
+lastReleaseVersion: 0.3.0
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.3.0-dev
+version: 0.3.1-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.4.0
+
+### Minor Analysis Improvements
+
+* Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.
+- The `js/regexp/always-matches` query will no longer report an empty regular expression as always
+  matching, as this is often the intended behavior.
+* The alert message of many queries have been changed to make the message consistent with other languages.
+
+### Bug Fixes
+
+- Fixed a bug in the `js/type-confusion-through-parameter-tampering` query that would cause it to ignore
+  sanitizers in branching conditions. The query should now report fewer false positives.
+
 ## 0.3.4

 ## 0.3.3
--- a/javascript/ql/src/change-notes/2022-08-23-alert-messages.md
+++ b/javascript/ql/src/change-notes/2022-08-23-alert-messages.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The alert message of many queries have been changed to make the message consistent with other languages.
--- a/javascript/ql/src/change-notes/2022-09-07-type-confusion-bugfix.md
+++ b/javascript/ql/src/change-notes/2022-09-07-type-confusion-bugfix.md
@@ -1,6 +0,0 @@
---
-category: fix
---
-
- Fixed a bug in the `js/type-confusion-through-parameter-tampering` query that would cause it to ignore
-  sanitizers in branching conditions. The query should now report fewer false positives.
--- a/javascript/ql/src/change-notes/2022-09-13-regexp-always-matches-fp.md
+++ b/javascript/ql/src/change-notes/2022-09-13-regexp-always-matches-fp.md
@@ -1,6 +0,0 @@
---
-category: minorAnalysis
---
-
- The `js/regexp/always-matches` query will no longer report an empty regular expression as always
-  matching, as this is often the intended behavior.
--- a/javascript/ql/src/change-notes/2022-09-22-plain-parsing.md
+++ b/javascript/ql/src/change-notes/2022-09-22-plain-parsing.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.
--- a/javascript/ql/src/change-notes/released/0.4.0.md
+++ b/javascript/ql/src/change-notes/released/0.4.0.md
@@ -0,0 +1,13 @@
+## 0.4.0
+
+### Minor Analysis Improvements
+
+* Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.
+- The `js/regexp/always-matches` query will no longer report an empty regular expression as always
+  matching, as this is often the intended behavior.
+* The alert message of many queries have been changed to make the message consistent with other languages.
+
+### Bug Fixes
+
+- Fixed a bug in the `js/type-confusion-through-parameter-tampering` query that would cause it to ignore
+  sanitizers in branching conditions. The query should now report fewer false positives.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.4
+lastReleaseVersion: 0.4.0
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.4.0-dev
+version: 0.4.1-dev
 groups: 
  - javascript
  - queries