Merge branch 'main' into js/name-resolution-independent-fixes

2026-04-25 16:55:19 +02:00 · 2025-04-02 14:15:44 +02:00
parent 2c40359143 f461763938
commit 6c3bc941c5
778 changed files with 26643 additions and 8489 deletions
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 1.5.2
+
+### Bug Fixes
+
+* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
+  from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
+  attribute is once again functioning as a sink for the `js/xss` query.
+* Fixed a bug that would in rare cases cause some regexp-based checks
+  to be seen as generic taint sanitisers, even though the underlying regexp
+  is not restrictive enough. The regexps are now analysed more precisely,
+  and unrestrictive regexp checks will no longer block taint flow.
+* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
+  valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
+
 ## 1.5.1

 No user-facing changes.
--- a/javascript/ql/src/change-notes/2025-02-21-test-suite.md
+++ b/javascript/ql/src/change-notes/2025-02-21-test-suite.md
@@ -1,5 +0,0 @@
---
-category: fix
---
-* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
-  valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
--- a/javascript/ql/src/change-notes/2025-02-28-membership-regexp-test.md
+++ b/javascript/ql/src/change-notes/2025-02-28-membership-regexp-test.md
@@ -1,7 +0,0 @@
---
-category: fix
---
-* Fixed a bug that would in rare cases cause some regexp-based checks
-  to be seen as generic taint sanitisers, even though the underlying regexp
-  is not restrictive enough. The regexps are now analysed more precisely,
-  and unrestrictive regexp checks will no longer block taint flow.
--- a/javascript/ql/src/change-notes/2025-03-11-vue-fix.md
+++ b/javascript/ql/src/change-notes/2025-03-11-vue-fix.md
@@ -1,6 +0,0 @@
---
-category: fix
---
-* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
-  from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
-  attribute is once again functioning as a sink for the `js/xss` query.
--- a/javascript/ql/src/change-notes/released/1.5.2.md
+++ b/javascript/ql/src/change-notes/released/1.5.2.md
@@ -0,0 +1,13 @@
+## 1.5.2
+
+### Bug Fixes
+
+* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
+  from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
+  attribute is once again functioning as a sink for the `js/xss` query.
+* Fixed a bug that would in rare cases cause some regexp-based checks
+  to be seen as generic taint sanitisers, even though the underlying regexp
+  is not restrictive enough. The regexps are now analysed more precisely,
+  and unrestrictive regexp checks will no longer block taint flow.
+* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
+  valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.1
+lastReleaseVersion: 1.5.2
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.5.2-dev
+version: 1.5.3-dev
 groups:
  - javascript
  - queries