hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Release preparation for version 2.21.0

Browse Source
This commit is contained in:
github-actions[bot]
2025-03-31 17:35:15 +00:00
parent c89c403e0e
commit 84f6564cc0
203 changed files with 562 additions and 309 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,35 @@
## 2.6.0
### New Features
* Extraction now supports regular expressions with the `v` flag, using the new operators:
- Intersection `&&`
- Subtraction `--`
- `\q` quoted string
### Major Analysis Improvements
* Added support for TypeScript 5.8.
### Minor Analysis Improvements
* Added support for additional `fs-extra` methods as sinks in path-injection queries.
* Added support for the newer version of `Hapi` with the `@hapi/hapi` import and `server` function.
* Improved modeling of the `node:fs` module: `await`-ed calls to `read` and `readFile` are now supported.
* Added support for the `@sap/hana-client`, `@sap/hdbext` and `hdb` packages.
* Enhanced `axios` support with new methods (`postForm`, `putForm`, `patchForm`, `getUri`, `create`) and added support for `interceptors.request` and `interceptors.response`.
* Improved support for `got` package with `Options`, `paginate()` and `extend()`
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.
* Added support for the `underscore.string` package.
* Added additional flow step for `unescape()` and `escape()`.
* Added support for the `@tanstack/vue-query` package.
* Added taint-steps for `unescape()`.
* Added support for the `@tanstack/angular-query-experimental` package.
* Improved support for the `@angular/common/http` package, detecting outgoing HTTP requests in more cases.
* Improved the modeling of the `markdown-table` package to ensure it handles nested arrays properly.
* Added support for the `react-relay` library.
## 2.5.1
No user-facing changes.

4
javascript/ql/lib/change-notes/2025-02-17-typescript-5-8.md
View File

@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* Added support for TypeScript 5.8.

4
javascript/ql/lib/change-notes/2025-02-25-react-relay.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `react-relay` library.

7
javascript/ql/lib/change-notes/2025-03-03-regex-v.md
View File

@@ -1,7 +0,0 @@
---
category: feature
---
* Extraction now supports regular expressions with the `v` flag, using the new operators:
- Intersection `&&`
- Subtraction `--`
- `\q` quoted string

4
javascript/ql/lib/change-notes/2025-03-10-js-refactor-markdown-table.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Improved the modeling of the `markdown-table` package to ensure it handles nested arrays properly.

5
javascript/ql/lib/change-notes/2025-03-11-tanstack-angular.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `@tanstack/angular-query-experimental` package.
* Improved support for the `@angular/common/http` package, detecting outgoing HTTP requests in more cases.

4
javascript/ql/lib/change-notes/2025-03-13-tanstack-vue.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `@tanstack/vue-query` package.

4
javascript/ql/lib/change-notes/2025-03-13-unescape.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added taint-steps for `unescape()`.

4
javascript/ql/lib/change-notes/2025-03-14-escape.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added additional flow step for `unescape()` and `escape()`.

4
javascript/ql/lib/change-notes/2025-03-17-underscore-string.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `underscore.string` package.

4
javascript/ql/lib/change-notes/2025-03-20-apollo-server.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.

4
javascript/ql/lib/change-notes/2025-03-20-superagent.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.

4
javascript/ql/lib/change-notes/2025-03-24-axios-additional-methods.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Enhanced `axios` support with new methods (`postForm`, `putForm`, `patchForm`, `getUri`, `create`) and added support for `interceptors.request` and `interceptors.response`.

4
javascript/ql/lib/change-notes/2025-03-24-got-package.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Improved support for `got` package with `Options`, `paginate()` and `extend()`

4
javascript/ql/lib/change-notes/2025-03-26-Hapi.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the newer version of `Hapi` with the `@hapi/hapi` import and `server` function.

4
javascript/ql/lib/change-notes/2025-03-26-async-fileRead.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Improved modeling of the `node:fs` module: `await`-ed calls to `read` and `readFile` are now supported.

4
javascript/ql/lib/change-notes/2025-03-26-hana-db-client.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `@sap/hana-client`, `@sap/hdbext` and `hdb` packages.

4
javascript/ql/lib/change-notes/2025-03-28-fs-extra.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for additional `fs-extra` methods as sinks in path-injection queries.

31
javascript/ql/lib/change-notes/released/2.6.0.md Normal file
View File

@@ -0,0 +1,31 @@
## 2.6.0
### New Features
* Extraction now supports regular expressions with the `v` flag, using the new operators:
- Intersection `&&`
- Subtraction `--`
- `\q` quoted string
### Major Analysis Improvements
* Added support for TypeScript 5.8.
### Minor Analysis Improvements
* Added support for additional `fs-extra` methods as sinks in path-injection queries.
* Added support for the newer version of `Hapi` with the `@hapi/hapi` import and `server` function.
* Improved modeling of the `node:fs` module: `await`-ed calls to `read` and `readFile` are now supported.
* Added support for the `@sap/hana-client`, `@sap/hdbext` and `hdb` packages.
* Enhanced `axios` support with new methods (`postForm`, `putForm`, `patchForm`, `getUri`, `create`) and added support for `interceptors.request` and `interceptors.response`.
* Improved support for `got` package with `Options`, `paginate()` and `extend()`
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.
* Added support for the `underscore.string` package.
* Added additional flow step for `unescape()` and `escape()`.
* Added support for the `@tanstack/vue-query` package.
* Added taint-steps for `unescape()`.
* Added support for the `@tanstack/angular-query-experimental` package.
* Improved support for the `@angular/common/http` package, detecting outgoing HTTP requests in more cases.
* Improved the modeling of the `markdown-table` package to ensure it handles nested arrays properly.
* Added support for the `react-relay` library.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.5.1
lastReleaseVersion: 2.6.0

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 2.5.2-dev
version: 2.6.0
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

14
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,17 @@
## 1.5.2
### Bug Fixes
* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
attribute is once again functioning as a sink for the `js/xss` query.
* Fixed a bug that would in rare cases cause some regexp-based checks
to be seen as generic taint sanitisers, even though the underlying regexp
is not restrictive enough. The regexps are now analysed more precisely,
and unrestrictive regexp checks will no longer block taint flow.
* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
## 1.5.1
No user-facing changes.

5
javascript/ql/src/change-notes/2025-02-21-test-suite.md
View File

@@ -1,5 +0,0 @@
---
category: fix
---
* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.

7
javascript/ql/src/change-notes/2025-02-28-membership-regexp-test.md
View File

@@ -1,7 +0,0 @@
---
category: fix
---
* Fixed a bug that would in rare cases cause some regexp-based checks
to be seen as generic taint sanitisers, even though the underlying regexp
is not restrictive enough. The regexps are now analysed more precisely,
and unrestrictive regexp checks will no longer block taint flow.

6
javascript/ql/src/change-notes/2025-03-11-vue-fix.md
View File

@@ -1,6 +0,0 @@
---
category: fix
---
* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
attribute is once again functioning as a sink for the `js/xss` query.

13
javascript/ql/src/change-notes/released/1.5.2.md Normal file
View File

@@ -0,0 +1,13 @@
## 1.5.2
### Bug Fixes
* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
attribute is once again functioning as a sink for the `js/xss` query.
* Fixed a bug that would in rare cases cause some regexp-based checks
to be seen as generic taint sanitisers, even though the underlying regexp
is not restrictive enough. The regexps are now analysed more precisely,
and unrestrictive regexp checks will no longer block taint flow.
* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.5.1
lastReleaseVersion: 1.5.2

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 1.5.2-dev
version: 1.5.2
groups:
- javascript
- queries