Merge pull request #20635 from github/release-prep/2.23.3

Release preparation for version 2.23.3
2025-12-16 16:53:25 +01:00 · 2025-10-14 11:17:48 +01:00
parent ab78f2b724 17352a101d
commit 836e3958a9
180 changed files with 450 additions and 154 deletions
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.19
+
+No user-facing changes.
+
 ## 0.4.18

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.19.md
+++ b/actions/ql/lib/change-notes/released/0.4.19.md
@@ -0,0 +1,3 @@
+## 0.4.19
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.18
+lastReleaseVersion: 0.4.19
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.19-dev
+version: 0.4.19
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.11
+
+No user-facing changes.
+
 ## 0.6.10

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.11.md
+++ b/actions/ql/src/change-notes/released/0.6.11.md
@@ -0,0 +1,3 @@
+## 0.6.11
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.10
+lastReleaseVersion: 0.6.11
--- a/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+++ b/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
@@ -19,5 +19,5 @@ import SecretExfiltrationFlow::PathGraph
 from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
 where SecretExfiltrationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
+  "Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource.",
  sink, sink.getNode().asExpr().(Expression).getRawExpression()
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.11-dev
+version: 0.6.11
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
+
+### New Features
+
+* C/C++ `build-mode: none` support is now generally available.
+
 ## 5.6.1

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2025-10-07-bmn-ga.md
+++ b/cpp/ql/lib/change-notes/2025-10-07-bmn-ga.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* The C/C++ "build-mode: none" support is now General Availability (GA).
--- a/cpp/ql/lib/change-notes/2025-09-18-guards.md
+++ b/cpp/ql/lib/change-notes/2025-09-18-guards.md
@@ -1,4 +1,9 @@
---
-category: breaking
---
-* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
+## 6.0.0
+
+### Breaking Changes
+
+* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
+
+### New Features
+
+* C/C++ `build-mode: none` support is now generally available.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.6.1
+lastReleaseVersion: 6.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.6.2-dev
+version: 6.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.2
+
+No user-facing changes.
+
 ## 1.5.1

 No user-facing changes.
--- a/cpp/ql/src/change-notes/released/1.5.2.md
+++ b/cpp/ql/src/change-notes/released/1.5.2.md
@@ -0,0 +1,3 @@
+## 1.5.2
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.1
+lastReleaseVersion: 1.5.2
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.2-dev
+version: 1.5.2
 groups:
  - cpp
  - queries
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.50
+
+No user-facing changes.
+
 ## 1.7.49

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.50.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.50.md
@@ -0,0 +1,3 @@
+## 1.7.50
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.49
+lastReleaseVersion: 1.7.50
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.50-dev
+version: 1.7.50
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.50
+
+No user-facing changes.
+
 ## 1.7.49

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.50.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.50.md
@@ -0,0 +1,3 @@
+## 1.7.50
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.49
+lastReleaseVersion: 1.7.50
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.50-dev
+version: 1.7.50
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 5.2.6
+
+### Minor Analysis Improvements
+
+* The extraction of location information for parameters, fields, constructors, destructors and user operators has been optimized. Previously, location information was extracted multiple times for each bound generic. Now, only the location of the unbound generic declaration is extracted during the extraction phase, and the QL library explicitly reuses this location for all bound instances of the same generic.
+* The extraction of location information for type parameters and tuples types has been optimized. Previously, location information was extracted multiple times for each type when it was declared across multiple files. Now, the extraction context is respected during the extraction phase, ensuring locations are only extracted within the appropriate context. This change should be transparent to end-users but may improve extraction performance in some cases.
+* The extraction of location information for named types (classes, structs, etc.) has been optimized. Previously, location information was extracted multiple times for each type when it was declared across multiple files. Now, the extraction context is respected during the extraction phase, ensuring locations are only extracted within the appropriate context. This change should be transparent to end-users but may improve extraction performance in some cases.
+* The extraction of the location for bound generic entities (methods, accessors, indexers, properties, and events) has been optimized. Previously, location information was extracted multiple times for each bound generic. Now, only the location of the unbound generic declaration is extracted during the extraction phase, and the QL library explicitly reuses this location for all bound instances of the same generic.
+
 ## 5.2.5

 No user-facing changes.
--- a/csharp/ql/lib/change-notes/2025-10-02-entity-locations.md
+++ b/csharp/ql/lib/change-notes/2025-10-02-entity-locations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The extraction of the location for bound generic entities (methods, accessors, indexers, properties, and events) has been optimized. Previously, location information was extracted multiple times for each bound generic. Now, only the location of the unbound generic declaration is extracted during the extraction phase, and the QL library explicitly reuses this location for all bound instances of the same generic.
--- a/csharp/ql/lib/change-notes/2025-10-07-entity-locations.md
+++ b/csharp/ql/lib/change-notes/2025-10-07-entity-locations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The extraction of location information for named types (classes, structs, etc.) has been optimized. Previously, location information was extracted multiple times for each type when it was declared across multiple files. Now, the extraction context is respected during the extraction phase, ensuring locations are only extracted within the appropriate context. This change should be transparent to end-users but may improve extraction performance in some cases.
--- a/csharp/ql/lib/change-notes/2025-10-08-entity-locations.md
+++ b/csharp/ql/lib/change-notes/2025-10-08-entity-locations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The extraction of location information for type parameters and tuples types has been optimized. Previously, location information was extracted multiple times for each type when it was declared across multiple files. Now, the extraction context is respected during the extraction phase, ensuring locations are only extracted within the appropriate context. This change should be transparent to end-users but may improve extraction performance in some cases.
--- a/csharp/ql/lib/change-notes/2025-10-10-entity-locations.md
+++ b/csharp/ql/lib/change-notes/2025-10-10-entity-locations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The extraction of location information for parameters, fields, constructors, destructors and user operators has been optimized. Previously, location information was extracted multiple times for each bound generic. Now, only the location of the unbound generic declaration is extracted during the extraction phase, and the QL library explicitly reuses this location for all bound instances of the same generic.
--- a/csharp/ql/lib/change-notes/released/5.2.6.md
+++ b/csharp/ql/lib/change-notes/released/5.2.6.md
@@ -0,0 +1,8 @@
+## 5.2.6
+
+### Minor Analysis Improvements
+
+* The extraction of location information for parameters, fields, constructors, destructors and user operators has been optimized. Previously, location information was extracted multiple times for each bound generic. Now, only the location of the unbound generic declaration is extracted during the extraction phase, and the QL library explicitly reuses this location for all bound instances of the same generic.
+* The extraction of location information for type parameters and tuples types has been optimized. Previously, location information was extracted multiple times for each type when it was declared across multiple files. Now, the extraction context is respected during the extraction phase, ensuring locations are only extracted within the appropriate context. This change should be transparent to end-users but may improve extraction performance in some cases.
+* The extraction of location information for named types (classes, structs, etc.) has been optimized. Previously, location information was extracted multiple times for each type when it was declared across multiple files. Now, the extraction context is respected during the extraction phase, ensuring locations are only extracted within the appropriate context. This change should be transparent to end-users but may improve extraction performance in some cases.
+* The extraction of the location for bound generic entities (methods, accessors, indexers, properties, and events) has been optimized. Previously, location information was extracted multiple times for each bound generic. Now, only the location of the unbound generic declaration is extracted during the extraction phase, and the QL library explicitly reuses this location for all bound instances of the same generic.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.2.5
+lastReleaseVersion: 5.2.6
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.2.6-dev
+version: 5.2.6
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.2
+
+No user-facing changes.
+
 ## 1.4.1

 ### Minor Analysis Improvements
--- a/csharp/ql/src/change-notes/released/1.4.2.md
+++ b/csharp/ql/src/change-notes/released/1.4.2.md
@@ -0,0 +1,3 @@
+## 1.4.2
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.1
+lastReleaseVersion: 1.4.2
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.4.2-dev
+version: 1.4.2
 groups:
  - csharp
  - queries
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.33
+
+No user-facing changes.
+
 ## 1.0.32

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.33.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.33.md
@@ -0,0 +1,3 @@
+## 1.0.33
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.32
+lastReleaseVersion: 1.0.33
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.33-dev
+version: 1.0.33
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,25 @@
+## 5.0.0
+
+### Breaking Changes
+
+* The member predicate `writesField` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate `writesFieldPreUpdate` has been added for cases where this behaviour is not desired.
+* The member predicate `writesElement` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing an array/slice/map literal. A new member predicate `writesElementPreUpdate` has been added for cases where this behaviour is not desired.
+
+### Deprecated APIs
+
+* The class `SqlInjection::NumericOrBooleanSanitizer` has been deprecated. Use `SimpleTypeSanitizer` from `semmle.go.security.Sanitizers` instead.
+* The member predicate `writesComponent` on `DataFlow::Write` has been deprecated. Instead, use `writesFieldPreUpdate` and `writesElementPreUpdate`, or their new versions `writesField` and `writesElement`.
+
+### Major Analysis Improvements
+
+* The shape of the Go data-flow graph has changed. Previously for code like `x := def(); use1(x); use2(x)`, there would be edges from the definition of `x` to each use. Now there is an edge from the definition to the first use, then another from the first use to the second, and so on. This means that data-flow barriers work differently - flow will not reach any uses after the barrier node. Where this is not desired it may be necessary to add an additional flow step to propagate the flow forward. Additionally, when a variable may be subject to a side-effect, such as updating an array, passing a pointer to a function that might write through it or writing to a field of a struct, there is now a dedicated post-update node representing the variable after this side-effect has taken place. Previously post-update nodes were aliases for either a variable's definition, or were equal to the pre-update node. This led to backwards steps in the data-flow graph, which could cause false positives. For example, in the previous code there would be an edge from `x` in `use2(x)` back to the definition of `x`. If we define our sources as any argument of `use2` and our sinks as any argument of `use1` then this would lead to a false positive path. Now there are distinct post-update nodes and no backwards edge to the definition, so we will not find this false positive path.
+
+### Minor Analysis Improvements
+
+* The query `go/request-forgery` will no longer report alerts when the user input is of a simple type, like a number or a boolean.
+* For the query `go/unvalidated-url-redirection`, when untrusted data is assigned to the `Host` field of a `url.URL` struct, we consider the whole struct untrusted. We now also include the case when this happens during struct initialization, for example `&url.URL{Host: untrustedData}`.
+* `go/unvalidated-url-redirection` and `go/request-forgery` have a shared notion of a safe URL, which is known to not be malicious. Some URLs which were incorrectly considered safe are now correctly considered unsafe. This may lead to more alerts for those two queries.
+
 ## 4.3.5

 No user-facing changes.
--- a/go/ql/lib/change-notes/2025-09-19-api-changes.md
+++ b/go/ql/lib/change-notes/2025-09-19-api-changes.md
@@ -1,5 +0,0 @@
---
-category: breaking
---
-* The member predicate `writesField` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate `writesFieldPreUpdate` has been added for cases where this behaviour is not desired.
-* The member predicate `writesElement` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing an array/slice/map literal. A new member predicate `writesElementPreUpdate` has been added for cases where this behaviour is not desired.
--- a/go/ql/lib/change-notes/2025-09-19-use-use-flow-proper-post-update-nodes.md
+++ b/go/ql/lib/change-notes/2025-09-19-use-use-flow-proper-post-update-nodes.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* The shape of the Go data-flow graph has changed. Previously for code like `x := def(); use1(x); use2(x)`, there would be edges from the definition of `x` to each use. Now there is an edge from the definition to the first use, then another from the first use to the second, and so on. This means that data-flow barriers work differently - flow will not reach any uses after the barrier node. Where this is not desired it may be be necessary to add an additional flow step to propagate the flow forward. Additionally, when a variable may be subject to a side-effect, such as updating an array, passing a pointer to a function that might write through it or writing to a field of a struct, there is now a dedicated post-update node representing the variable after this side-effect has taken place. Previously post-update nodes were aliases for either a variable's definition, or were equal to the pre-update node. This led to backwards steps in the data-flow graph, which could cause false positives. For example, in the previous code there would be an edge from `x` in `use2(x)` back to the definition of `x`. If we define our sources as any argument of `use2` and our sinks as any argument of `use1` then this would lead to a false positive path. Now there are distinct post-update nodes and no backwards edge to the definition, so we will not find this false positive path.
--- a/go/ql/lib/change-notes/2025-09-30-fewer-safe-urls.md
+++ b/go/ql/lib/change-notes/2025-09-30-fewer-safe-urls.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* `go/unvalidated-url-redirection` and `go/request-forgery` have a shared notion of a safe URL, which is known to not be malicious. Some URLs which were incorrectly considered safe are now correctly considered unsafe. This may lead to more alerts for those two queries.
--- a/go/ql/lib/change-notes/2025-10-02-unvalidated-url-redirection-struct-init-fix.md
+++ b/go/ql/lib/change-notes/2025-10-02-unvalidated-url-redirection-struct-init-fix.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* For the query `go/unvalidated-url-redirection`, when untrusted data is assigned to the `Host` field of a `url.URL` struct, we consider the whole struct untrusted. We now also include the case when this happens during struct initialization, for example `&url.URL{Host: untrustedData}`.
--- a/go/ql/lib/change-notes/2025-10-02-writenode-writescomponent-deprecated.md
+++ b/go/ql/lib/change-notes/2025-10-02-writenode-writescomponent-deprecated.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The member predicate `writesComponent` on `DataFlow::Write` has been deprecated. Instead, use `writesFieldPreUpdate` and `writesElementPreUpdate`, or their new versions `writesField` and `writesElement`.
--- a/go/ql/lib/change-notes/2025-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md
+++ b/go/ql/lib/change-notes/2025-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The class `SqlInjection::NumericOrBooleanSanitizer` has been deprecated. Use `SimpleTypeSanitizer` from `semmle.go.security.Sanitizers` instead.
--- a/go/ql/lib/change-notes/2025-10-09-sanitize-simple-types-request-forgery.md
+++ b/go/ql/lib/change-notes/2025-10-09-sanitize-simple-types-request-forgery.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The query `go/request-forgery` will no longer report alerts when the user input is of a simple type, like a number or a boolean.
--- a/go/ql/lib/change-notes/released/5.0.0.md
+++ b/go/ql/lib/change-notes/released/5.0.0.md
@@ -0,0 +1,21 @@
+## 5.0.0
+
+### Breaking Changes
+
+* The member predicate `writesField` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate `writesFieldPreUpdate` has been added for cases where this behaviour is not desired.
+* The member predicate `writesElement` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing an array/slice/map literal. A new member predicate `writesElementPreUpdate` has been added for cases where this behaviour is not desired.
+
+### Deprecated APIs
+
+* The class `SqlInjection::NumericOrBooleanSanitizer` has been deprecated. Use `SimpleTypeSanitizer` from `semmle.go.security.Sanitizers` instead.
+* The member predicate `writesComponent` on `DataFlow::Write` has been deprecated. Instead, use `writesFieldPreUpdate` and `writesElementPreUpdate`, or their new versions `writesField` and `writesElement`.
+
+### Major Analysis Improvements
+
+* The shape of the Go data-flow graph has changed. Previously for code like `x := def(); use1(x); use2(x)`, there would be edges from the definition of `x` to each use. Now there is an edge from the definition to the first use, then another from the first use to the second, and so on. This means that data-flow barriers work differently - flow will not reach any uses after the barrier node. Where this is not desired it may be necessary to add an additional flow step to propagate the flow forward. Additionally, when a variable may be subject to a side-effect, such as updating an array, passing a pointer to a function that might write through it or writing to a field of a struct, there is now a dedicated post-update node representing the variable after this side-effect has taken place. Previously post-update nodes were aliases for either a variable's definition, or were equal to the pre-update node. This led to backwards steps in the data-flow graph, which could cause false positives. For example, in the previous code there would be an edge from `x` in `use2(x)` back to the definition of `x`. If we define our sources as any argument of `use2` and our sinks as any argument of `use1` then this would lead to a false positive path. Now there are distinct post-update nodes and no backwards edge to the definition, so we will not find this false positive path.
+
+### Minor Analysis Improvements
+
+* The query `go/request-forgery` will no longer report alerts when the user input is of a simple type, like a number or a boolean.
+* For the query `go/unvalidated-url-redirection`, when untrusted data is assigned to the `Host` field of a `url.URL` struct, we consider the whole struct untrusted. We now also include the case when this happens during struct initialization, for example `&url.URL{Host: untrustedData}`.
+* `go/unvalidated-url-redirection` and `go/request-forgery` have a shared notion of a safe URL, which is known to not be malicious. Some URLs which were incorrectly considered safe are now correctly considered unsafe. This may lead to more alerts for those two queries.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.3.5
+lastReleaseVersion: 5.0.0
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 4.3.6-dev
+version: 5.0.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.7
+
+No user-facing changes.
+
 ## 1.4.6

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.4.7.md
+++ b/go/ql/src/change-notes/released/1.4.7.md
@@ -0,0 +1,3 @@
+## 1.4.7
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.6
+lastReleaseVersion: 1.4.7
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.4.7-dev
+version: 1.4.7
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 7.7.2
+
+### Minor Analysis Improvements
+
+* Fields of certain objects are considered tainted if the object is tainted. This holds, for example, for objects that occur directly as sources in the active threat model (for instance, a remote flow source). This has now been amended to also include array types, such that if an array like `MyPojo[]` is a source, then fields of a tainted `MyPojo` are now also considered tainted.
+
 ## 7.7.1

 No user-facing changes.
--- a/java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md
+++ b/java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 7.7.2
+
+### Minor Analysis Improvements
+
 * Fields of certain objects are considered tainted if the object is tainted. This holds, for example, for objects that occur directly as sources in the active threat model (for instance, a remote flow source). This has now been amended to also include array types, such that if an array like `MyPojo[]` is a source, then fields of a tainted `MyPojo` are now also considered tainted.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.7.1
+lastReleaseVersion: 7.7.2
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.7.2-dev
+version: 7.7.2
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.8.2
+
+No user-facing changes.
+
 ## 1.8.1

 No user-facing changes.
--- a/java/ql/src/change-notes/released/1.8.2.md
+++ b/java/ql/src/change-notes/released/1.8.2.md
@@ -0,0 +1,3 @@
+## 1.8.2
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.8.1
+lastReleaseVersion: 1.8.2
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.8.2-dev
+version: 1.8.2
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.6.13
+
+No user-facing changes.
+
 ## 2.6.12

 ### Minor Analysis Improvements
--- a/javascript/ql/lib/change-notes/released/2.6.13.md
+++ b/javascript/ql/lib/change-notes/released/2.6.13.md
@@ -0,0 +1,3 @@
+## 2.6.13
+
+No user-facing changes.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.12
+lastReleaseVersion: 2.6.13
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.13-dev
+version: 2.6.13
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.1.2
+
+No user-facing changes.
+
 ## 2.1.1

 No user-facing changes.
--- a/javascript/ql/src/change-notes/released/2.1.2.md
+++ b/javascript/ql/src/change-notes/released/2.1.2.md
@@ -0,0 +1,3 @@
+## 2.1.2
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.1.1
+lastReleaseVersion: 2.1.2
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.1.2-dev
+version: 2.1.2
 groups:
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.33
+
+No user-facing changes.
+
 ## 1.0.32

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/1.0.33.md
+++ b/misc/suite-helpers/change-notes/released/1.0.33.md
@@ -0,0 +1,3 @@
+## 1.0.33
+
+No user-facing changes.
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.32
+lastReleaseVersion: 1.0.33
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.33-dev
+version: 1.0.33
 groups: shared
 warnOnImplicitThis: true
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 4.0.17
+
+### Bug Fixes
+
+* The Python extractor no longer crashes with an `ImportError` when run using Python 3.14.
+
 ## 4.0.16

 ### Minor Analysis Improvements
--- a/python/ql/lib/change-notes/2025-10-13-fix-importerror-on-python-3.14.md
+++ b/python/ql/lib/change-notes/2025-10-13-fix-importerror-on-python-3.14.md
@@ -1,4 +1,5 @@
---
-category: fix
---
+## 4.0.17
+
+### Bug Fixes
+
 * The Python extractor no longer crashes with an `ImportError` when run using Python 3.14.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.16
+lastReleaseVersion: 4.0.17
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 4.0.17-dev
+version: 4.0.17
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.7
+
+No user-facing changes.
+
 ## 1.6.6

 ### Minor Analysis Improvements
--- a/python/ql/src/change-notes/released/1.6.7.md
+++ b/python/ql/src/change-notes/released/1.6.7.md
@@ -0,0 +1,3 @@
+## 1.6.7
+
+No user-facing changes.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.6
+lastReleaseVersion: 1.6.7
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.6.7-dev
+version: 1.6.7
 groups:
  - python
  - queries
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 5.1.1
+
+No user-facing changes.
+
 ## 5.1.0

 ### New Features
--- a/ruby/ql/lib/change-notes/released/5.1.1.md
+++ b/ruby/ql/lib/change-notes/released/5.1.1.md
@@ -0,0 +1,3 @@
+## 5.1.1
+
+No user-facing changes.
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.0
+lastReleaseVersion: 5.1.1
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -51,7 +51,7 @@ module Kernel {

  /**
   * Holds if `method` is a name of a private method in the `Kernel` module.
-   * These can be be invoked on `self`, on `Kernel`, or using a low-level primitive like `send` or `instance_eval`.
+   * These can be invoked on `self`, on `Kernel`, or using a low-level primitive like `send` or `instance_eval`.
   * ```ruby
   * puts "hello world"
   * Kernel.puts "hello world"
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 5.1.1-dev
+version: 5.1.1
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.4.7
+
+No user-facing changes.
+
 ## 1.4.6

 No user-facing changes.
--- a/ruby/ql/src/change-notes/released/1.4.7.md
+++ b/ruby/ql/src/change-notes/released/1.4.7.md
@@ -0,0 +1,3 @@
+## 1.4.7
+
+No user-facing changes.
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.6
+lastReleaseVersion: 1.4.7
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.4.7-dev
+version: 1.4.7
 groups:
  - ruby
  - queries
--- a/rust/ql/lib/CHANGELOG.md
+++ b/rust/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.1.18
+
+### New Features
+
+* Rust analysis is now Generally Available (GA).
+
+### Minor Analysis Improvements
+
+* Improve data flow through functions being passed as function pointers. 
+
 ## 0.1.17

 ### New Features
--- a/rust/ql/lib/change-notes/2025-09-29-data-flow-function-pointer.md
+++ b/rust/ql/lib/change-notes/2025-09-29-data-flow-function-pointer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Improve data flow through functions being passed as function pointers. 
--- a/rust/ql/lib/change-notes/2025-10-07-rust-ga.md
+++ b/rust/ql/lib/change-notes/2025-10-07-rust-ga.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Rust analysis is now Generally Available (GA).
--- a/rust/ql/lib/change-notes/released/0.1.18.md
+++ b/rust/ql/lib/change-notes/released/0.1.18.md
@@ -0,0 +1,9 @@
+## 0.1.18
+
+### New Features
+
+* Rust analysis is now Generally Available (GA).
+
+### Minor Analysis Improvements
+
+* Improve data flow through functions being passed as function pointers. 
--- a/rust/ql/lib/codeql-pack.release.yml
+++ b/rust/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.17
+lastReleaseVersion: 0.1.18
--- a/rust/ql/lib/qlpack.yml
+++ b/rust/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-all
-version: 0.1.18-dev
+version: 0.1.18
 groups: rust
 extractor: rust
 dbscheme: rust.dbscheme
--- a/Show More
+++ b/Show More