Release preparation for version 2.25.5

2026-05-25 00:27:09 +02:00 · 2026-05-18 12:05:32 +00:00
parent e55edf2f1f
commit e38616a2ef
167 changed files with 410 additions and 115 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 9.1.1
+
+### Minor Analysis Improvements
+
+* Introduced a new sink kind `path-injection[read]` for Models-as-Data rows that only read from a path (such as `ClassLoader.getResource`, `FileInputStream`, `FileReader`, `Files.readAllBytes`, and related APIs). The general `java/path-injection` query continues to consider both `path-injection` and `path-injection[read]` sinks.
+
 ## 9.1.0

 ### New Features
--- a/java/ql/lib/change-notes/2026-04-21-path-injection-read-subkind.md
+++ b/java/ql/lib/change-notes/2026-04-21-path-injection-read-subkind.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 9.1.1
+
+### Minor Analysis Improvements
+
 * Introduced a new sink kind `path-injection[read]` for Models-as-Data rows that only read from a path (such as `ClassLoader.getResource`, `FileInputStream`, `FileReader`, `Files.readAllBytes`, and related APIs). The general `java/path-injection` query continues to consider both `path-injection` and `path-injection[read]` sinks.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.1.0
+lastReleaseVersion: 9.1.1
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.1-dev
+version: 9.1.1
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.11.3
+
+### Minor Analysis Improvements
+
+* The `java/zipslip` query no longer reports archive entry names that flow only to read-only path sinks such as `ClassLoader.getResource`, `FileInputStream`, and `FileReader`. The query now restricts its sinks to the `path-injection` kind and deliberately excludes the new `path-injection[read]` sub-kind, matching the Zip Slip threat model of unsafe archive extraction.
+
 ## 1.11.2

 No user-facing changes.
--- a/java/ql/src/change-notes/2026-04-21-zipslip-exclude-read-sinks.md
+++ b/java/ql/src/change-notes/2026-04-21-zipslip-exclude-read-sinks.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 1.11.3
+
+### Minor Analysis Improvements
+
 * The `java/zipslip` query no longer reports archive entry names that flow only to read-only path sinks such as `ClassLoader.getResource`, `FileInputStream`, and `FileReader`. The query now restricts its sinks to the `path-injection` kind and deliberately excludes the new `path-injection[read]` sub-kind, matching the Zip Slip threat model of unsafe archive extraction.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.11.2
+lastReleaseVersion: 1.11.3
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.3-dev
+version: 1.11.3
 groups:
  - java
  - queries