Release preparation for version 2.20.4

2025-12-16 16:53:25 +01:00 · 2025-02-03 15:19:35 +00:00
parent e39ad940a7
commit 573e53e454
173 changed files with 509 additions and 204 deletions
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.4.2
+
+### Bug Fixes
+
+* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
+
 ## 0.4.1

 No user-facing changes.
--- a/actions/ql/lib/change-notes/2025-01-20-bash.md
+++ b/actions/ql/lib/change-notes/2025-01-20-bash.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
--- a/actions/ql/lib/change-notes/2025-01-22-version.md
+++ b/actions/ql/lib/change-notes/2025-01-22-version.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
--- a/actions/ql/lib/change-notes/released/0.4.2.md
+++ b/actions/ql/lib/change-notes/released/0.4.2.md
@@ -0,0 +1,6 @@
+## 0.4.2
+
+### Bug Fixes
+
+* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.4.2
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.2-dev
+version: 0.4.2
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.2
+
+No user-facing changes.
+
 ## 0.4.1

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.4.2.md
+++ b/actions/ql/src/change-notes/released/0.4.2.md
@@ -0,0 +1,3 @@
+## 0.4.2
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.4.2
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.4.2-dev
+version: 0.4.2
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
+
+### New Features
+
+* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
+* New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represents the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
+* A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
+
 ## 3.2.0

 ### New Features
--- a/cpp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
+++ b/cpp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
--- a/cpp/ql/lib/change-notes/2025-01-30-getOffsetInClass.md
+++ b/cpp/ql/lib/change-notes/2025-01-30-getOffsetInClass.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
--- a/cpp/ql/lib/change-notes/2024-01-20-elifdef.md
+++ b/cpp/ql/lib/change-notes/2024-01-20-elifdef.md
@@ -1,5 +1,11 @@
---
-category: feature
---
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
+
+### New Features
+
+* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
 * New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represents the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
 * A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 3.2.0
+lastReleaseVersion: 4.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 3.2.1-dev
+version: 4.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 1.3.3
+
+### Minor Analysis Improvements
+
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.
+* The "Call to memory access function may overflow buffer" query (`cpp/overflow-buffer`) now produces fewer FPs involving non-static member variables.
+
 ## 1.3.2

 ### Minor Analysis Improvements
--- a/cpp/ql/src/change-notes/2025-01-28-overflow-buffer.md
+++ b/cpp/ql/src/change-notes/2025-01-28-overflow-buffer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The "Call to memory access function may overflow buffer" query (`cpp/overflow-buffer`) now produces fewer FPs involving non-static member variables.
--- a/cpp/ql/src/change-notes/2025-01-31-format-args.md
+++ b/cpp/ql/src/change-notes/2025-01-31-format-args.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.
--- a/cpp/ql/src/change-notes/released/1.3.3.md
+++ b/cpp/ql/src/change-notes/released/1.3.3.md
@@ -0,0 +1,6 @@
+## 1.3.3
+
+### Minor Analysis Improvements
+
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.
+* The "Call to memory access function may overflow buffer" query (`cpp/overflow-buffer`) now produces fewer FPs involving non-static member variables.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.3-dev
+version: 1.3.3
 groups:
  - cpp
  - queries
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.33
+
+No user-facing changes.
+
 ## 1.7.32

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.33.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.33.md
@@ -0,0 +1,3 @@
+## 1.7.33
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.32
+lastReleaseVersion: 1.7.33
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.33-dev
+version: 1.7.33
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.33
+
+No user-facing changes.
+
 ## 1.7.32

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.33.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.33.md
@@ -0,0 +1,3 @@
+## 1.7.33
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.32
+lastReleaseVersion: 1.7.33
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.33-dev
+version: 1.7.33
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 5.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getInstanceType` predicate from the `UnboundGenericType` class.
+* Deleted the deprecated `getElement` predicate from the `Node` class in `ControlFlowGraph.qll`, use `getAstNode` instead.
+
+### Minor Analysis Improvements
+
+C# 13: Added MaD models for some overload implementations using `ReadOnlySpan` parameters (like `String.Format(System.String, System.ReadOnlySpan<System.Object>))`).
+* C# 13: Added support for the overload resolution priority attribute (`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class `SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
+* C# 13: Added support for partial properties and indexers.
+
 ## 4.0.2

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2025-01-22-partial-members.md
+++ b/csharp/ql/lib/change-notes/2025-01-22-partial-members.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C# 13: Added support for partial properties and indexers.
--- a/csharp/ql/lib/change-notes/2025-01-23-overload-resolution-priority.md
+++ b/csharp/ql/lib/change-notes/2025-01-23-overload-resolution-priority.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C# 13: Added support for the overload resolution priority attribute (`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class `SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
--- a/csharp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
+++ b/csharp/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -1,5 +0,0 @@
---
-category: breaking
---
-* Deleted the deprecated `getInstanceType` predicate from the `UnboundGenericType` class.
-* Deleted the deprecated `getElement` predicate from the `Node` class in `ControlFlowGraph.qll`, use `getAstNode` instead.
--- a/csharp/ql/lib/change-notes/2025-01-29-params-models.md
+++ b/csharp/ql/lib/change-notes/2025-01-29-params-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-C# 13: Added MaD models for some overload implementations using `ReadOnlySpan` parameters (like `String.Format(System.String, System.ReadOnlySpan<System.Object>))`).
--- a/csharp/ql/lib/change-notes/released/5.0.0.md
+++ b/csharp/ql/lib/change-notes/released/5.0.0.md
@@ -0,0 +1,12 @@
+## 5.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getInstanceType` predicate from the `UnboundGenericType` class.
+* Deleted the deprecated `getElement` predicate from the `Node` class in `ControlFlowGraph.qll`, use `getAstNode` instead.
+
+### Minor Analysis Improvements
+
+C# 13: Added MaD models for some overload implementations using `ReadOnlySpan` parameters (like `String.Format(System.String, System.ReadOnlySpan<System.Object>))`).
+* C# 13: Added support for the overload resolution priority attribute (`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class `SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
+* C# 13: Added support for partial properties and indexers.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.2
+lastReleaseVersion: 5.0.0
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 4.0.3-dev
+version: 5.0.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.0.16
+
+### Minor Analysis Improvements
+
+* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
+
 ## 1.0.15

 No user-facing changes.
--- a/java/ql/src/change-notes/2024-12-17-experimental-queries.md
+++ b/java/ql/src/change-notes/2024-12-17-experimental-queries.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 1.0.16
+
+### Minor Analysis Improvements
+
 * All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.15
+lastReleaseVersion: 1.0.16
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.16-dev
+version: 1.0.16
 groups:
  - csharp
  - queries
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.16
+
+No user-facing changes.
+
 ## 1.0.15

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.16.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.16.md
@@ -0,0 +1,3 @@
+## 1.0.16
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.15
+lastReleaseVersion: 1.0.16
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.16-dev
+version: 1.0.16
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `describeBitSize` predicate from `IncorrectIntegerConversionLib.qll`
+
+### Minor Analysis Improvements
+
+* Models-as-data models using "Parameter", "Parameter[n]" or "Parameter[n1..n2]" as the output now work correctly.
+* By implementing `ImplicitFieldReadNode` it is now possible to declare a dataflow node that reads any content (fields, array members, map keys and values). For example, this is appropriate for modelling a serialization method that flattens a potentially deep data structure into a string or byte array.
+* The `Template.Execute[Template]` methods of the `text/template` package now correctly convey taint from any nested fields to their result. This may produce more results from any taint-tracking query when the `text/template` package is in use.
+* Added the [rs cors](https://github.com/rs/cors) library to the CorsMisconfiguration.ql query
+
 ## 3.0.2

 ### Minor Analysis Improvements
--- a/go/ql/lib/change-notes/2023-10-31-add-rs-cors-framework.md
+++ b/go/ql/lib/change-notes/2023-10-31-add-rs-cors-framework.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added the [rs cors](https://github.com/rs/cors) library to the CorsMisconfiguration.ql query
--- a/go/ql/lib/change-notes/2025-01-22-fix-parameter-in-models.md
+++ b/go/ql/lib/change-notes/2025-01-22-fix-parameter-in-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Models-as-data models using "Parameter", "Parameter[n]" or "Parameter[n1..n2]" as the output now work correctly.
--- a/go/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
+++ b/go/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* Deleted the deprecated `describeBitSize` predicate from `IncorrectIntegerConversionLib.qll`
--- a/go/ql/lib/change-notes/2024-12-16-any-content-readers.md
+++ b/go/ql/lib/change-notes/2024-12-16-any-content-readers.md
@@ -1,5 +1,12 @@
---
-category: minorAnalysis
---
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `describeBitSize` predicate from `IncorrectIntegerConversionLib.qll`
+
+### Minor Analysis Improvements
+
+* Models-as-data models using "Parameter", "Parameter[n]" or "Parameter[n1..n2]" as the output now work correctly.
 * By implementing `ImplicitFieldReadNode` it is now possible to declare a dataflow node that reads any content (fields, array members, map keys and values). For example, this is appropriate for modelling a serialization method that flattens a potentially deep data structure into a string or byte array.
 * The `Template.Execute[Template]` methods of the `text/template` package now correctly convey taint from any nested fields to their result. This may produce more results from any taint-tracking query when the `text/template` package is in use.
+* Added the [rs cors](https://github.com/rs/cors) library to the CorsMisconfiguration.ql query
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 3.0.2
+lastReleaseVersion: 4.0.0
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 3.0.3-dev
+version: 4.0.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.1.7
+
+No user-facing changes.
+
 ## 1.1.6

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.1.7.md
+++ b/go/ql/src/change-notes/released/1.1.7.md
@@ -0,0 +1,3 @@
+## 1.1.7
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.6
+lastReleaseVersion: 1.1.7
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.1.7-dev
+version: 1.1.7
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead.
+* Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead.
+* Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead.
+* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead.
+* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead.
+* Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead.
+* Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead.
+
+### Minor Analysis Improvements
+
+* We now allow classes which don't have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.
+
 ## 6.1.0

 ### New Features
--- a/java/ql/lib/change-notes/2025-01-07-jax-rs-annotation-inheritance.md
+++ b/java/ql/lib/change-notes/2025-01-07-jax-rs-annotation-inheritance.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* We now allow classes which don't have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.
--- a/java/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
+++ b/java/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -1,6 +1,7 @@
---
-category: breaking
---
+## 7.0.0
+
+### Breaking Changes
+
 * Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead.
 * Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead.
 * Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead.
@@ -9,3 +10,6 @@ category: breaking
 * Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead.
 * Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead.

+### Minor Analysis Improvements
+
+* We now allow classes which don't have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.0
+lastReleaseVersion: 7.0.0
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 6.1.1-dev
+version: 7.0.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.1.13
+
+### Minor Analysis Improvements
+
+* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
+
 ## 1.1.12

 ### Bug Fixes
--- a/csharp/ql/src/change-notes/2024-11-05-experimental-queries.md
+++ b/csharp/ql/src/change-notes/2024-11-05-experimental-queries.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 1.1.13
+
+### Minor Analysis Improvements
+
 * All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.12
+lastReleaseVersion: 1.1.13
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.1.13-dev
+version: 1.1.13
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2.4.0
+
+### Major Analysis Improvements
+
+* Added new XSS sink where `innerHTML` or `outerHTML` is assigned to with the Angular Renderer2 API, plus modeled this API as a general attribute setter
+
 ## 2.3.0

 ### Deprecated APIs
--- a/javascript/ql/lib/change-notes/2025-01-03-angular-source-sink.md
+++ b/javascript/ql/lib/change-notes/2025-01-03-angular-source-sink.md
@@ -1,4 +1,5 @@
---
-category: majorAnalysis
---
+## 2.4.0
+
+### Major Analysis Improvements
+
 * Added new XSS sink where `innerHTML` or `outerHTML` is assigned to with the Angular Renderer2 API, plus modeled this API as a general attribute setter
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.0
+lastReleaseVersion: 2.4.0
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.3.1-dev
+version: 2.4.0
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,23 @@
+## 1.4.0
+
+### Major Analysis Improvements
+
+* Improved support for NestJS applications that make use of dependency injection with custom providers.
+  Calls to methods on an injected service should now be resolved properly.
+* TypeScript extraction is now better at analyzing projects where the main `tsconfig.json` file does not include any
+  source files, but references other `tsconfig.json`-like files that do include source files.
+* The `js/incorrect-suffix-check` query now recognises some good patterns of the form `origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.
+* Added a new threat model kind called `view-component-input`, which can enabled with [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
+  When enabled, all React props, Vue props, and input fields in an Angular component are seen as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value.
+  Some users may prefer this as a "defense in depth" option but note that it may result in false positives.
+  Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
+
+### Bug Fixes
+
+* Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a `.vue` file,
+  but where it could not be associated with any `tsconfig.json` file. Previously the embedded code was not
+  extracted in this case, but should now be extracted properly.
+
 ## 1.3.0

 ### Major Analysis Improvements
--- a/javascript/ql/src/change-notes/2025-01-21-vue-ts-notsconfig.md
+++ b/javascript/ql/src/change-notes/2025-01-21-vue-ts-notsconfig.md
@@ -1,6 +0,0 @@
---
-category: fix
---
-* Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a `.vue` file,
-  but where it could not be associated with any `tsconfig.json` file. Previously the embedded code was not
-  extracted in this case, but should now be extracted properly.
--- a/javascript/ql/src/change-notes/2025-01-22-indexof-suffix-check.md
+++ b/javascript/ql/src/change-notes/2025-01-22-indexof-suffix-check.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* The `js/incorrect-suffix-check` query now recognises some good patterns of the form `origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.
--- a/javascript/ql/src/change-notes/2025-01-22-view-component-inputs.md
+++ b/javascript/ql/src/change-notes/2025-01-22-view-component-inputs.md
@@ -1,7 +0,0 @@
---
-category: majorAnalysis
---
-* Added a new threat model kind called `view-component-input`, which can enabled with [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
-  When enabled, all React props, Vue props, and input fields in an Angular component are seen as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value.
-  Some users may prefer this as a "defense in depth" option but note that it may result in false positives.
-  Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
--- a/javascript/ql/src/change-notes/2025-01-30-nest-di.md
+++ b/javascript/ql/src/change-notes/2025-01-30-nest-di.md
@@ -1,5 +0,0 @@
---
-category: majorAnalysis
---
-* Improved support for NestJS applications that make use of dependency injection with custom providers.
-  Calls to methods on an injected service should now be resolved properly.
--- a/javascript/ql/src/change-notes/2025-01-30-typescript-tsconfig-names.md
+++ b/javascript/ql/src/change-notes/2025-01-30-typescript-tsconfig-names.md
@@ -1,5 +0,0 @@
---
-category: majorAnalysis
---
-* TypeScript extraction is now better at analyzing projects where the main `tsconfig.json` file does not include any
-  source files, but references other `tsconfig.json`-like files that do include source files.
--- a/javascript/ql/src/change-notes/released/1.4.0.md
+++ b/javascript/ql/src/change-notes/released/1.4.0.md
@@ -0,0 +1,19 @@
+## 1.4.0
+
+### Major Analysis Improvements
+
+* Improved support for NestJS applications that make use of dependency injection with custom providers.
+  Calls to methods on an injected service should now be resolved properly.
+* TypeScript extraction is now better at analyzing projects where the main `tsconfig.json` file does not include any
+  source files, but references other `tsconfig.json`-like files that do include source files.
+* The `js/incorrect-suffix-check` query now recognises some good patterns of the form `origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.
+* Added a new threat model kind called `view-component-input`, which can enabled with [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
+  When enabled, all React props, Vue props, and input fields in an Angular component are seen as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value.
+  Some users may prefer this as a "defense in depth" option but note that it may result in false positives.
+  Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
+
+### Bug Fixes
+
+* Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a `.vue` file,
+  but where it could not be associated with any `tsconfig.json` file. Previously the embedded code was not
+  extracted in this case, but should now be extracted properly.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.0
+lastReleaseVersion: 1.4.0
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.3.1-dev
+version: 1.4.0
 groups:
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.16
+
+No user-facing changes.
+
 ## 1.0.15

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/1.0.16.md
+++ b/misc/suite-helpers/change-notes/released/1.0.16.md
@@ -0,0 +1,3 @@
+## 1.0.16
+
+No user-facing changes.
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.15
+lastReleaseVersion: 1.0.16
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.16-dev
+version: 1.0.16
 groups: shared
 warnOnImplicitThis: true
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the old deprecated TypeTracking library.
+* Deleted the deprecated `classRef` predicate from the `FieldStorage` module, use `subclassRef` instead.
+* Deleted a lot of deprecated modules and predicates from `Stdlib.qll`, use API-graphs directly instead.
+
+### Minor Analysis Improvements
+
+* Additional data flow models for the builtin functions `map`, `filter`, `zip`, and `enumerate` have been added.
+
 ## 3.1.1

 ### Minor Analysis Improvements
--- a/python/ql/lib/change-notes/2025-01-15-builtin-model.md
+++ b/python/ql/lib/change-notes/2025-01-15-builtin-model.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Additional data flow models for the builtin functions `map`, `filter`, `zip`, and `enumerate` have been added.
--- a/python/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
+++ b/python/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -1,6 +1,11 @@
---
-category: breaking
---
+## 4.0.0
+
+### Breaking Changes
+
 * Deleted the old deprecated TypeTracking library.
 * Deleted the deprecated `classRef` predicate from the `FieldStorage` module, use `subclassRef` instead.
 * Deleted a lot of deprecated modules and predicates from `Stdlib.qll`, use API-graphs directly instead.
+
+### Minor Analysis Improvements
+
+* Additional data flow models for the builtin functions `map`, `filter`, `zip`, and `enumerate` have been added.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 3.1.1
+lastReleaseVersion: 4.0.0
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 3.1.2-dev
+version: 4.0.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.2
+
+No user-facing changes.
+
 ## 1.4.1

 No user-facing changes.
--- a/python/ql/src/change-notes/released/1.4.2.md
+++ b/python/ql/src/change-notes/released/1.4.2.md
@@ -0,0 +1,3 @@
+## 1.4.2
+
+No user-facing changes.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.1
+lastReleaseVersion: 1.4.2
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.4.2-dev
+version: 1.4.2
 groups:
  - python
  - queries
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,22 @@
+## 4.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `getCallNode` predicate from `API::Node`, use `asCall()` instead.
+* Deleted the deprecated `getASubclass`, `getAnImmediateSubclass`, `getASuccessor`, `getAPredecessor`, `getASuccessor`, `getDepth`, and `getPath` predicates from `API::Node`. 
+* Deleted the deprecated `Root`, `Use`, and `Def` classes from `ApiGraphs.qll`.
+* Deleted the deprecated `Label` module from `ApiGraphs.qll`.
+* Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from `API::Node`, use `getAValueReachableFromSource`, `asSource`, `asSink`, and `getAValueReachingSink` instead.
+* Deleted the deprecated `getAVariable` predicate from the `ExprNode` class, use `getVariable` instead.
+* Deleted the deprecated `getAPotentialFieldAccessMethod` predicate from the `ActiveRecordModelClass` class.
+* Deleted the deprecated `ActiveRecordModelClassMethodCall` class from `ActiveRecord.qll`, use `ActiveRecordModelClass.getClassNode().trackModule().getMethod()` instead.
+* Deleted the deprecated `PotentiallyUnsafeSqlExecutingMethodCall` class from `ActiveRecord.qll`, use the `SqlExecution` concept instead.
+* Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`, use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead.
+* Deleted the deprecated `Collection` class from `ActiveResource.qll`, use `CollectionSource` instead.
+* Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`.
+* Deleted a lot of deprecated dataflow modules from "*Query.qll" files.
+* Deleted the old deprecated TypeTracking library.
+
 ## 3.0.2

 ### Minor Analysis Improvements
--- a/ruby/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
+++ b/ruby/ql/lib/change-notes/2025-01-27-outdated-deprecations.md
@@ -1,6 +1,7 @@
---
-category: breaking
---
+## 4.0.0
+
+### Breaking Changes
+
 * Deleted the deprecated `getCallNode` predicate from `API::Node`, use `asCall()` instead.
 * Deleted the deprecated `getASubclass`, `getAnImmediateSubclass`, `getASuccessor`, `getAPredecessor`, `getASuccessor`, `getDepth`, and `getPath` predicates from `API::Node`. 
 * Deleted the deprecated `Root`, `Use`, and `Def` classes from `ApiGraphs.qll`.
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 3.0.2
+lastReleaseVersion: 4.0.0
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 3.0.3-dev
+version: 4.0.0
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.1.11
+
+No user-facing changes.
+
 ## 1.1.10

 No user-facing changes.
--- a/ruby/ql/src/change-notes/released/1.1.11.md
+++ b/ruby/ql/src/change-notes/released/1.1.11.md
@@ -0,0 +1,3 @@
+## 1.1.11
+
+No user-facing changes.
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.10
+lastReleaseVersion: 1.1.11
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.1.11-dev
+version: 1.1.11
 groups:
  - ruby
  - queries
--- a/Show More
+++ b/Show More