Release preparation for version 2.21.1

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 2.6.1
+
+### Minor Analysis Improvements
+
+* Data passed to the [NextResponse](https://nextjs.org/docs/app/api-reference/functions/next-response) constructor is now treated as a sink for `js/reflected-xss`.
+* Data received from [NextRequest](https://nextjs.org/docs/app/api-reference/functions/next-request) and [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) is now treated as a remote user input `source`.
+* Added support for the `make-dir` package.
+* Added support for the `open` package.
+* Added taint propagation for `Uint8Array`, `ArrayBuffer`, `SharedArrayBuffer` and `TextDecoder.decode()`.
+* Improved detection of `WebSocket` and `SockJS` usage.
+* Added data received from `WebSocket` clients as a remote flow source.
+* Added support for additional `mkdirp` methods as sinks in path-injection queries.
+* Added support for additional `rimraf` methods as sinks in path-injection queries.
+
 ## 2.6.0
 
 ### New Features

javascript/ql/lib/change-notes/2025-04-02-mkdirp.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for additional `mkdirp` methods as sinks in path-injection queries.

javascript/ql/lib/change-notes/2025-04-02-rimraf.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for additional `rimraf` methods as sinks in path-injection queries.

javascript/ql/lib/change-notes/2025-04-07-open-package.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for the `open` package.

javascript/ql/lib/change-notes/2025-04-07-typed-arrays.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added taint propagation for `Uint8Array`, `ArrayBuffer`, `SharedArrayBuffer` and `TextDecoder.decode()`.

javascript/ql/lib/change-notes/2025-04-07-websocket.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Improved detection of `WebSocket` and `SockJS` usage.
-* Added data received from `WebSocket` clients as a remote flow source.

javascript/ql/lib/change-notes/2025-04-09-make-dir.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for the `make-dir` package.

javascript/ql/lib/change-notes/2025-04-11-nextrequest.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Data passed to the [NextResponse](https://nextjs.org/docs/app/api-reference/functions/next-response) constructor is now treated as a sink for `js/reflected-xss`.
-* Data received from [NextRequest](https://nextjs.org/docs/app/api-reference/functions/next-request) and [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) is now treated as a remote user input `source`.

javascript/ql/lib/change-notes/released/2.6.1.md

@@ -0,0 +1,13 @@
+## 2.6.1
+
+### Minor Analysis Improvements
+
+* Data passed to the [NextResponse](https://nextjs.org/docs/app/api-reference/functions/next-response) constructor is now treated as a sink for `js/reflected-xss`.
+* Data received from [NextRequest](https://nextjs.org/docs/app/api-reference/functions/next-request) and [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) is now treated as a remote user input `source`.
+* Added support for the `make-dir` package.
+* Added support for the `open` package.
+* Added taint propagation for `Uint8Array`, `ArrayBuffer`, `SharedArrayBuffer` and `TextDecoder.decode()`.
+* Improved detection of `WebSocket` and `SockJS` usage.
+* Added data received from `WebSocket` clients as a remote flow source.
+* Added support for additional `mkdirp` methods as sinks in path-injection queries.
+* Added support for additional `rimraf` methods as sinks in path-injection queries.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.0
+lastReleaseVersion: 2.6.1

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.1-dev
+version: 2.6.1
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript