Applied comment

Co-authored-by: Asgerf <asgerf@github.com>

docs/codeql/reusables/supported-frameworks.rst

@@ -181,7 +181,6 @@ and the CodeQL library pack ``codeql/javascript-all`` (`changelog <https://githu
    swig, templating language
    underscore, Utility library
    vue, HTML framework
-   tanstack, Utility library
 
 
 Python built-in support

javascript/ql/lib/change-notes/2025-02-21-tanstack.md

@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added Library modeling for the `useQuery` hook from `@tanstack/react-query`.
+* Added support for the `useQuery` hook from `@tanstack/react-query`.

javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll

@@ -878,7 +878,7 @@ module ClientRequest {
    * An additional taint step that captures taint propagation from the receiver of fetch response methods
    * (such as "json", "text", "blob", and "arrayBuffer") to the call result.
    */
-  class FetchResponseStep extends TaintTracking::AdditionalTaintStep {
+  private class FetchResponseStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
       exists(DataFlow::MethodCallNode call |
         call.getMethodName() in ["json", "text", "blob", "arrayBuffer"] and

javascript/ql/lib/semmle/javascript/frameworks/Fetch.qll

@@ -1,19 +0,0 @@
-/**
- * Provides an additional flow step that propagates data from the receiver of fetch response methods.
- */
-
-private import javascript
-
-/**
- * An additional flow step that propagates data from the receiver of fetch response methods
- * (like "json", "text", "blob", and "arrayBuffer") to the call result.
- */
-class Fetch extends DataFlow::AdditionalFlowStep {
-  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(DataFlow::MethodCallNode call |
-      call.getMethodName() in ["json", "text", "blob", "arrayBuffer"] and
-      node1 = call.getReceiver() and
-      node2 = call
-    )
-  }
-}

javascript/ql/lib/semmle/javascript/frameworks/Tanstack.qll

@@ -8,7 +8,7 @@ private import javascript
  * An additional flow step that propagates data from the return value of the query function,
  * defined in a useQuery call from the '@tanstack/react-query' module, to the 'data' property.
  */
-class TanstackStep extends DataFlow::AdditionalFlowStep {
+private class TanstackStep extends DataFlow::AdditionalFlowStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     exists(API::CallNode useQuery |
       useQuery = useQueryCall() and
@@ -21,6 +21,6 @@ class TanstackStep extends DataFlow::AdditionalFlowStep {
 /**
  * Retrieves a call node representing a useQuery invocation from the '@tanstack/react-query' module.
  */
-API::CallNode useQueryCall() {
+private API::CallNode useQueryCall() {
   result = API::moduleImport("@tanstack/react-query").getMember("useQuery").getACall()
 }

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/wrapper.js

@@ -1,2 +1,2 @@
 import { useQuery } from "@tanstack/react-query";
-export { useQuery}
+export { useQuery }