Release preparation for version 2.13.3

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.6.2
+
+### Minor Analysis Improvements
+
+* Improved the queries for injection vulnerabilities in GitHub Actions workflows (`js/actions/command-injection` and `js/actions/pull-request-target`) and the associated library `semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections in `actions/github-script`. It also detects simple injections from user controlled `${{ env.name }}`. Additionally to the `yml` extension now it also supports workflows with the `yaml` extension.
+
 ## 0.6.1
 
 ### Major Analysis Improvements

javascript/ql/lib/change-notes/released/0.6.2.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Improved the queries for injection vulnerabilities in GitHub Actions workflows (`js/actions/command-injection` and `js/actions/pull-request-target`) and the associated library `semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections in `actions/github-script`. It also detects simple injections from user controlled `${{ env.name }}`. Additionally to the `yml` extension now it also supports workflows with the `yaml` extension.
+## 0.6.2
+
+### Minor Analysis Improvements
+
+* Improved the queries for injection vulnerabilities in GitHub Actions workflows (`js/actions/command-injection` and `js/actions/pull-request-target`) and the associated library `semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections in `actions/github-script`. It also detects simple injections from user controlled `${{ env.name }}`. Additionally to the `yml` extension now it also supports workflows with the `yaml` extension.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.1
+lastReleaseVersion: 0.6.2

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.6.2-dev
+version: 0.6.2
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 0.6.2
+
+### Major Analysis Improvements
+
+* Added taint sources from the `@actions/core` and `@actions/github` packages.
+* Added command-injection sinks from the `@actions/exec` package.
+
+### Minor Analysis Improvements
+
+* The `js/indirect-command-line-injection` query no longer flags command arguments that cannot be interpreted as a shell string.
+* The `js/unsafe-deserialization` query no longer flags deserialization through the `js-yaml` library, except
+  when it is used with an unsafe schema.
+* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
+  SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
+
+### Bug Fixes
+
+* Fixed a spurious diagnostic warning about comments in JSON files being illegal.
+  Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.
+
 ## 0.6.1
 
 ### Minor Analysis Improvements

javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
-  SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.

javascript/ql/src/change-notes/2023-04-26-unsafe-yaml-deserialization.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* The `js/unsafe-deserialization` query no longer flags deserialization through the `js-yaml` library, except
-  when it is used with an unsafe schema.

javascript/ql/src/change-notes/2023-04-28-json-with-comments.md

@@ -1,5 +0,0 @@
----
-category: fix
----
-* Fixed a spurious diagnostic warning about comments in JSON files being illegal.
-  Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.

javascript/ql/src/change-notes/2023-05-02-github-actions-sources.md

@@ -1,5 +0,0 @@
----
-category: majorAnalysis
----
-* Added taint sources from the `@actions/core` and `@actions/github` packages.
-* Added command-injection sinks from the `@actions/exec` package.

javascript/ql/src/change-notes/2023-05-17-indirect-shell.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `js/indirect-command-line-injection` query no longer flags command arguments that cannot be interpreted as a shell string.

javascript/ql/src/change-notes/released/0.6.2.md

@@ -0,0 +1,19 @@
+## 0.6.2
+
+### Major Analysis Improvements
+
+* Added taint sources from the `@actions/core` and `@actions/github` packages.
+* Added command-injection sinks from the `@actions/exec` package.
+
+### Minor Analysis Improvements
+
+* The `js/indirect-command-line-injection` query no longer flags command arguments that cannot be interpreted as a shell string.
+* The `js/unsafe-deserialization` query no longer flags deserialization through the `js-yaml` library, except
+  when it is used with an unsafe schema.
+* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
+  SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
+
+### Bug Fixes
+
+* Fixed a spurious diagnostic warning about comments in JSON files being illegal.
+  Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.1
+lastReleaseVersion: 0.6.2

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.6.2-dev
+version: 0.6.2
 groups: 
   - javascript
   - queries