Release preparation for version 2.22.2

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 2.6.7
+
+### Minor Analysis Improvements
+
+* Enhanced modeling for the `execa` library, adding support for command execution methods `execaCommand`, `execaCommandSync`, `$`, and `$.sync`, as well as file system operations through `inputFile`, `pipeStdout`, `pipeAll`, and `pipeStderr`.
+
+### Bug Fixes
+
+* The JavaScript extractor no longer ignores source files specified in the `tsconfig.json` compiler options `outDir` if doing so would result in excluding all source code.
+
 ## 2.6.6
 
 ### Minor Analysis Improvements

javascript/ql/lib/change-notes/2025-07-11-ignore-outdirs-that-would-exclude-everything.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* The JavaScript extractor no longer ignores source files specified in the `tsconfig.json` compiler options `outDir` if doing so would result in excluding all source code.

javascript/ql/lib/change-notes/released/2.6.7.md

@@ -1,4 +1,9 @@
----
-category: minorAnalysis
----
+## 2.6.7
+
+### Minor Analysis Improvements
+
 * Enhanced modeling for the `execa` library, adding support for command execution methods `execaCommand`, `execaCommandSync`, `$`, and `$.sync`, as well as file system operations through `inputFile`, `pipeStdout`, `pipeAll`, and `pipeStderr`.
+
+### Bug Fixes
+
+* The JavaScript extractor no longer ignores source files specified in the `tsconfig.json` compiler options `outDir` if doing so would result in excluding all source code.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.6
+lastReleaseVersion: 2.6.7

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.7-dev
+version: 2.6.7
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 2.0.0
+
+### Breaking Changes
+
+* The `Type` and `Symbol` classes have been deprecated and will be empty in newly extracted databases, since the TypeScript extractor no longer populates them.
+  This is a breaking change for custom queries that explicitly relied on these classes.
+  Such queries will still compile, but with deprecation warnings, and may have different query results due to type information no longer being available.
+  We expect most custom queries will not be affected, however. If a custom query has no deprecation warnings, it should not be affected by this change.
+  Uses of `getType()` should be rewritten to use the new `getTypeBinding()` or `getNameBinding()` APIs instead.
+  If the new API is not sufficient, please consider opening an issue in `github/codeql` describing your use-case.
+
+### Major Analysis Improvements
+
+* The TypeScript extractor no longer relies on the TypeScript compiler for extracting type information.
+  Instead, the information we need from types is now derived by an algorithm written in QL.
+  This results in more robust extraction with faster extraction times, in some cases significantly faster.
+* Taint is now tracked through the React `use` function.
+* Parameters of React server functions, marked with the `"use server"` directive, are now seen as taint sources.
+
+### Minor Analysis Improvements
+
+* Removed three queries from the JS qlpack, which have been superseded by newer queries that are part of the Actions qlpack:
+  * `js/actions/pull-request-target` has been superseded by `actions/untrusted-checkout/{medium,high,critical}`
+  * `js/actions/actions-artifact-leak` has been superseded by `actions/secrets-in-artifacts`
+  * `js/actions/command-injection` has been superseded by `actions/command-injection/{medium,critical}`
+
 ## 1.7.0
 
 ### Query Metadata Changes

javascript/ql/src/change-notes/2025-06-23-react-use-server.md

@@ -1,5 +0,0 @@
----
-category: majorAnalysis
----
-* Taint is now tracked through the React `use` function.
-* Parameters of React server functions, marked with the `"use server"` directive, are now seen as taint sources.

javascript/ql/src/change-notes/2025-06-23-remove-legacy-actions-queries.md

@@ -1,7 +0,0 @@
----
-category: minorAnalysis
----
-* Removed three queries from the JS qlpack, which have been superseded by newer queries that are part of the Actions qlpack:
-  * `js/actions/pull-request-target` has been superseded by `actions/untrusted-checkout/{medium,high,critical}`
-  * `js/actions/actions-artifact-leak` has been superseded by `actions/secrets-in-artifacts`
-  * `js/actions/command-injection` has been superseded by `actions/command-injection/{medium,critical}`

javascript/ql/src/change-notes/2025-06-24-no-type-extraction-breaking.md

@@ -1,9 +0,0 @@
----
-category: breaking
----
-* The `Type` and `Symbol` classes have been deprecated and will be empty in newly extracted databases, since the TypeScript extractor no longer populates them.
-  This is a breaking change for custom queries that explicitly relied on these classes.
-  Such queries will still compile, but with deprecation warnings, and may have different query results due to type information no longer being available.
-  We expect most custom queries will not be affected, however. If a custom query has no deprecation warnings, it should not be affected by this change.
-  Uses of `getType()` should be rewritten to use the new `getTypeBinding()` or `getNameBinding()` APIs instead.
-  If the new API is not sufficient, please consider opening an issue in `github/codeql` describing your use-case.

javascript/ql/src/change-notes/2025-06-24-no-type-extraction.md

@@ -1,6 +0,0 @@
----
-category: majorAnalysis
----
-* The TypeScript extractor no longer relies on the TypeScript compiler for extracting type information.
-  Instead, the information we need from types is now derived by an algorithm written in QL.
-  This results in more robust extraction with faster extraction times, in some cases significantly faster.

javascript/ql/src/change-notes/released/2.0.0.md

@@ -0,0 +1,25 @@
+## 2.0.0
+
+### Breaking Changes
+
+* The `Type` and `Symbol` classes have been deprecated and will be empty in newly extracted databases, since the TypeScript extractor no longer populates them.
+  This is a breaking change for custom queries that explicitly relied on these classes.
+  Such queries will still compile, but with deprecation warnings, and may have different query results due to type information no longer being available.
+  We expect most custom queries will not be affected, however. If a custom query has no deprecation warnings, it should not be affected by this change.
+  Uses of `getType()` should be rewritten to use the new `getTypeBinding()` or `getNameBinding()` APIs instead.
+  If the new API is not sufficient, please consider opening an issue in `github/codeql` describing your use-case.
+
+### Major Analysis Improvements
+
+* The TypeScript extractor no longer relies on the TypeScript compiler for extracting type information.
+  Instead, the information we need from types is now derived by an algorithm written in QL.
+  This results in more robust extraction with faster extraction times, in some cases significantly faster.
+* Taint is now tracked through the React `use` function.
+* Parameters of React server functions, marked with the `"use server"` directive, are now seen as taint sources.
+
+### Minor Analysis Improvements
+
+* Removed three queries from the JS qlpack, which have been superseded by newer queries that are part of the Actions qlpack:
+  * `js/actions/pull-request-target` has been superseded by `actions/untrusted-checkout/{medium,high,critical}`
+  * `js/actions/actions-artifact-leak` has been superseded by `actions/secrets-in-artifacts`
+  * `js/actions/command-injection` has been superseded by `actions/command-injection/{medium,critical}`

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.0
+lastReleaseVersion: 2.0.0

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 1.7.1-dev
+version: 2.0.0
 groups:
   - javascript
   - queries