Merge pull request #21189 from github/release-prep/2.24.0

Release preparation for version 2.24.0

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.26
+
+### Major Analysis Improvements
+
+* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
+
 ## 0.4.25
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.26.md

@@ -1,4 +1,5 @@
----
-category: majorAnalysis
----
+## 0.4.26
+
+### Major Analysis Improvements
+
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.25
+lastReleaseVersion: 0.4.26

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.26-dev
+version: 0.4.26
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.18
+
+No user-facing changes.
+
 ## 0.6.17
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.18.md

@@ -0,0 +1,3 @@
+## 0.6.18
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.17
+lastReleaseVersion: 0.6.18

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.18-dev
+version: 0.6.18
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,27 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
+
 ## 6.1.4
 
 No user-facing changes.

cpp/ql/lib/change-notes/2026-01-02-constant-folding.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.

cpp/ql/lib/change-notes/2026-01-02-decimal-removal.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.

cpp/ql/lib/change-notes/2026-01-08-multidimensional-subscript-operator-1.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.

cpp/ql/lib/change-notes/2026-01-08-multidimensional-subscript-operator-2.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.

cpp/ql/lib/change-notes/2026-01-09-builtins.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.

cpp/ql/lib/change-notes/2026-01-09-this-access.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.

cpp/ql/lib/change-notes/2026-01-16-barrier-guard-conflation.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.

cpp/ql/lib/change-notes/released/7.0.0.md

@@ -0,0 +1,23 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.4
+lastReleaseVersion: 7.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.1.5-dev
+version: 7.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.5.9
+
+### Minor Analysis Improvements
+
+* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
+
 ## 1.5.8
 
 No user-facing changes.

cpp/ql/src/change-notes/released/1.5.9.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.5.9
+
+### Minor Analysis Improvements
+
 * The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.9

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.9-dev
+version: 1.5.9
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.57
+
+No user-facing changes.
+
 ## 1.7.56
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.57.md

@@ -0,0 +1,3 @@
+## 1.7.57
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.57

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.57-dev
+version: 1.7.57
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.57
+
+No user-facing changes.
+
 ## 1.7.56
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.57.md

@@ -0,0 +1,3 @@
+## 1.7.57
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.57

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.57-dev
+version: 1.7.57
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 5.4.5
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
+* Updated the generated .NET “models as data” runtime models to cover .NET 10.
+* C# 14: Support for *implicit* span conversions in the QL library.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
+* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
+
+### Bug Fixes
+
+* Fixed two issues affecting build mode `none`:
+  * Corrected version sorting logic when detecting the newest .NET framework to use.
+  * Improved stability for .NET 10 compatibility.
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
+
 ## 5.4.4
 
 No user-facing changes.

csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.

csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.

csharp/ql/lib/change-notes/2025-12-04-bmn-dotnet-fixes.md

@@ -1,6 +0,0 @@
----
-category: fix
----
-* Fixed two issues affecting build mode `none`:
-  * Corrected version sorting logic when detecting the newest .NET framework to use.
-  * Improved stability for .NET 10 compatibility.

csharp/ql/lib/change-notes/2025-12-09-bmn-default-dotnet.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.

csharp/ql/lib/change-notes/2025-12-11-net10-basic-support.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.

csharp/ql/lib/change-notes/2025-12-11-slnx-support.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added autobuilder and `build-mode: none` support for `.slnx` solution files.

csharp/ql/lib/change-notes/2025-12-18-implicit-span-conversions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 14: Support for *implicit* span conversions in the QL library.

csharp/ql/lib/change-notes/2026-01-05-net-runtime-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Updated the generated .NET “models as data” runtime models to cover .NET 10.

csharp/ql/lib/change-notes/2026-01-06-paths-directives-ancillary-data.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.

csharp/ql/lib/change-notes/released/5.4.5.md

@@ -0,0 +1,18 @@
+## 5.4.5
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
+* Updated the generated .NET “models as data” runtime models to cover .NET 10.
+* C# 14: Support for *implicit* span conversions in the QL library.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
+* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
+
+### Bug Fixes
+
+* Fixed two issues affecting build mode `none`:
+  * Corrected version sorting logic when detecting the newest .NET framework to use.
+  * Improved stability for .NET 10 compatibility.
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.4
+lastReleaseVersion: 5.4.5

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.5-dev
+version: 5.4.5
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.
+
+### Minor Analysis Improvements
+
+* Added `NHibernate.ISession.CreateSQLQuery`, `NHibernate.IStatelessSession.CreateSQLQuery` and `NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks.
+* The `Missing cross-site request forgery token validation` query was extended to support ASP.NET Core.
+
 ## 1.5.4
 
 No user-facing changes.

csharp/ql/src/change-notes/2025-12-08-csrf-aspnetcore.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `Missing cross-site request forgery token validation` query was extended to support ASP.NET Core.

csharp/ql/src/change-notes/2025-12-11-nhibernate-sql-sinks.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `NHibernate.ISession.CreateSQLQuery`, `NHibernate.IStatelessSession.CreateSQLQuery` and `NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks.

csharp/ql/src/change-notes/2025-12-16-path-combine-metadata.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.

csharp/ql/src/change-notes/released/1.6.0.md

@@ -0,0 +1,10 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.
+
+### Minor Analysis Improvements
+
+* Added `NHibernate.ISession.CreateSQLQuery`, `NHibernate.IStatelessSession.CreateSQLQuery` and `NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks.
+* The `Missing cross-site request forgery token validation` query was extended to support ASP.NET Core.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.4
+lastReleaseVersion: 1.6.0

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.5.5-dev
+version: 1.6.0
 groups:
   - csharp
   - queries

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.40
+
+No user-facing changes.
+
 ## 1.0.39
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.40.md

@@ -0,0 +1,3 @@
+## 1.0.40
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.39
+lastReleaseVersion: 1.0.40

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.40-dev
+version: 1.0.40
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The query `go/unexpected-frontend-error` has been moved from the `codeql/go-queries` query to the `codeql-go-consistency-queries` query pack.
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Go extractor's search for `.vue` and HTML files.
+
 ## 5.0.6
 
 No user-facing changes.

go/ql/lib/change-notes/2025-11-26-unexpected-frontend-errors-query-moved.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The query `go/unexpected-frontend-error` has been moved from the `codeql/go-queries` query to the `codeql-go-consistency-queries` query pack.

go/ql/lib/change-notes/2026-01-06-paths-directives-ancillary-data.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Go extractor's search for `.vue` and HTML files.

go/ql/lib/change-notes/released/6.0.0.md

@@ -0,0 +1,9 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The query `go/unexpected-frontend-error` has been moved from the `codeql/go-queries` query to the `codeql-go-consistency-queries` query pack.
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Go extractor's search for `.vue` and HTML files.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.0.6
+lastReleaseVersion: 6.0.0

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 5.0.7-dev
+version: 6.0.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.5.4
+
+No user-facing changes.
+
 ## 1.5.3
 
 No user-facing changes.

go/ql/src/change-notes/released/1.5.4.md

@@ -0,0 +1,3 @@
+## 1.5.4
+
+No user-facing changes.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.3
+lastReleaseVersion: 1.5.4

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.4-dev
+version: 1.5.4
 groups:
   - go
   - queries

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 7.8.4
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.
+* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 
+* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.
+* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.
+
 ## 7.8.3
 
 No user-facing changes.

java/ql/lib/change-notes/2024-09-24-multipart.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.

java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.

java/ql/lib/change-notes/2025-12-02-improve-regex-sanitizer.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.

java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 

java/ql/lib/change-notes/2025-12-16-java-xml-paths.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.

java/ql/lib/change-notes/released/7.8.4.md

@@ -0,0 +1,9 @@
+## 7.8.4
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.
+* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 
+* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.
+* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.8.3
+lastReleaseVersion: 7.8.4

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.8.4-dev
+version: 7.8.4
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.10.5
+
+### Minor Analysis Improvements
+
+* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Credentials queries.
+* Java thread safety analysis now understands initialization to thread safe classes inside constructors.
+
 ## 1.10.4
 
 No user-facing changes.

java/ql/src/change-notes/2025-11-25-thread-safe-initializers.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Java thread safety analysis now understands initialization to thread safe classes inside constructors.

java/ql/src/change-notes/2025-12-24-couchbase-sinks.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.

java/ql/src/change-notes/released/1.10.5.md

@@ -0,0 +1,6 @@
+## 1.10.5
+
+### Minor Analysis Improvements
+
+* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Credentials queries.
+* Java thread safety analysis now understands initialization to thread safe classes inside constructors.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.10.4
+lastReleaseVersion: 1.10.5

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.10.5-dev
+version: 1.10.5
 groups:
   - java
   - queries

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 2.6.20
+
+### Minor Analysis Improvements
+
+* Support `use cache` directives for Next.js 16.
+* Added `PreCallGraphStep` flow model for React's `useRef` hook.
+* Added a `DomValueSource` that uses the `current` property off the object returned by React's `useRef` hook.
+
 ## 2.6.19
 
 No user-facing changes.

javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Added `PreCallGraphStep` flow model for React's `useRef` hook.
-* Added a `DomValueSource` that uses the `current` property off the object returned by React's `useRef` hook.

javascript/ql/lib/change-notes/2025-11-30-use-cache-directives.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-- Support `use cache` directives for Next.js 16.

javascript/ql/lib/change-notes/released/2.6.20.md

@@ -0,0 +1,7 @@
+## 2.6.20
+
+### Minor Analysis Improvements
+
+* Support `use cache` directives for Next.js 16.
+* Added `PreCallGraphStep` flow model for React's `useRef` hook.
+* Added a `DomValueSource` that uses the `current` property off the object returned by React's `useRef` hook.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.19
+lastReleaseVersion: 2.6.20

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.20-dev
+version: 2.6.20
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 2.3.0
+
+### Major Analysis Improvements
+
+* JavaScript files with an average line length greater than 200 are now considered minified and will no longer be analyzed.
+  For use-cases where minified files should be analyzed, the original behavior can be restored by setting the environment variable
+  `CODEQL_EXTRACTOR_JAVASCRIPT_ALLOW_MINIFIED_FILES=true`.
+
+### Minor Analysis Improvements
+
+* The model of `vue-router` now properly detects taint sources in cases where
+  the `props` property is a callback.
+* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in files
+  named `route` or `page` appearing outside `api` and `pages` folders.
+* `new Response(x)` is no longer seen as a reflected XSS sink when no `content-type` header
+  is set, since the content type defaults to `text/plain`.
+
 ## 2.2.4
 
 No user-facing changes.

javascript/ql/src/change-notes/2025-11-26-nextjs-page-route-files.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in files
-  named `route` or `page` appearing outside `api` and `pages` folders.

javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* `new Response(x)` is no longer seen as a reflected XSS sink when no `content-type` header
-  is set, since the content type defaults to `text/plain`.

javascript/ql/src/change-notes/2025-12-05-skip-minified-files.md

@@ -1,6 +0,0 @@
----
-category: majorAnalysis
----
-* JavaScript files with an average line length greater than 200 are now considered minified and will no longer be analyzed.
-  For use-cases where minified files should be analyzed, the original behavior can be restored by setting the environment variable
-  `CODEQL_EXTRACTOR_JAVASCRIPT_ALLOW_MINIFIED_FILES=true`.

javascript/ql/src/change-notes/2026-01-13-vue-props-callbacks.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* The model of `vue-router` now properly detects taint sources in cases where
-  the `props` property is a callback.

javascript/ql/src/change-notes/released/2.3.0.md

@@ -0,0 +1,16 @@
+## 2.3.0
+
+### Major Analysis Improvements
+
+* JavaScript files with an average line length greater than 200 are now considered minified and will no longer be analyzed.
+  For use-cases where minified files should be analyzed, the original behavior can be restored by setting the environment variable
+  `CODEQL_EXTRACTOR_JAVASCRIPT_ALLOW_MINIFIED_FILES=true`.
+
+### Minor Analysis Improvements
+
+* The model of `vue-router` now properly detects taint sources in cases where
+  the `props` property is a callback.
+* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in files
+  named `route` or `page` appearing outside `api` and `pages` folders.
+* `new Response(x)` is no longer seen as a reflected XSS sink when no `content-type` header
+  is set, since the content type defaults to `text/plain`.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.2.4
+lastReleaseVersion: 2.3.0

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.2.5-dev
+version: 2.3.0
 groups:
   - javascript
   - queries

misc/suite-helpers/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.40
+
+No user-facing changes.
+
 ## 1.0.39
 
 No user-facing changes.

misc/suite-helpers/change-notes/released/1.0.40.md

@@ -0,0 +1,3 @@
+## 1.0.40
+
+No user-facing changes.

misc/suite-helpers/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.39
+lastReleaseVersion: 1.0.40

misc/suite-helpers/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.40-dev
+version: 1.0.40
 groups: shared
 warnOnImplicitThis: true

python/ql/lib/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 6.0.0
+
+### Breaking Changes
+
+* All modules that depend on the points-to analysis have now been removed from the top level `python.qll` module. To access the points-to functionality, import the new `LegacyPointsTo` module. This also means that some predicates have been removed from various classes, for instance `Function.getFunctionObject()`. To access these predicates, import the `LegacyPointsTo` module and use the `FunctionWithPointsTo` class instead. Most cases follow this pattern, but there are a few exceptions:
+  * The `getLiteralObject` method on `ImmutableLiteral` subclasses has been replaced with a predicate `getLiteralObject(ImmutableLiteral l)` in the `LegacyPointsTo` module.
+  * The `getMetrics` method on `Function`, `Class`, and `Module` has been removed. To access metrics, import `LegacyPointsTo` and use the classes `FunctionMetrics`, etc. instead.
+
+### New Features
+
+* The extractor now supports the new, relaxed syntax `except A, B, C: ...` (which would previously have to be written as `except (A, B, C): ...`) as defined in [PEP-758](https://peps.python.org/pep-0758/). This may cause changes in results for code that uses Python 2-style exception binding (`except Foo, e: ...`). The more modern format, `except Foo as e: ...` (available since Python 2.6) is unaffected.
+* The Python extractor now supports template strings as defined in [PEP-750](https://peps.python.org/pep-0750/), through the classes `TemplateString` and `JoinedTemplateString`.
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Python extractor's search for YAML files.
+* The `compression.zstd` library (added in Python 3.14) is now supported by the `py/decompression-bomb` query.
+* Added taint flow model and type model for `urllib.parseurl`.
+* Remote flow sources for the `python-socketio` package have been modeled.
+* Additional models for remote flow sources for `tornado.websocket.WebSocketHandler` have been added.
+
 ## 5.0.4
 
 No user-facing changes.

python/ql/lib/change-notes/2025-11-22-tornado-websockets.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Additional models for remote flow sources for `tornado.websocket.WebSocketHandler` have been added.