Only use reachable feeds when private registries are configured

Check reachability of inherited feeds
Divide up CheckSpecifiedFeeds
2026-06-03 04:40:14 +02:00 · 2026-02-27 14:38:01 +00:00 · 2026-02-27 14:32:01 +00:00 · 2026-02-27 14:30:57 +00:00 · 2026-02-27 14:25:58 +00:00 · 2026-02-27 14:24:55 +00:00
178 changed files with 246 additions and 630 deletions
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.4.29
-
-No user-facing changes.
-
 ## 0.4.28

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.29.md
+++ b/actions/ql/lib/change-notes/released/0.4.29.md
@@ -1,3 +0,0 @@
-## 0.4.29
-
-No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.29
+lastReleaseVersion: 0.4.28
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.30-dev
+version: 0.4.29-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.6.21
-
-No user-facing changes.
-
 ## 0.6.20

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.21.md
+++ b/actions/ql/src/change-notes/released/0.6.21.md
@@ -1,3 +0,0 @@
-## 0.6.21
-
-No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.21
+lastReleaseVersion: 0.6.20
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.22-dev
+version: 0.6.21-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,18 +1,3 @@
-## 8.0.0
-
-### Breaking Changes
-
-* CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to `BarrierGuard<...>::getAnIndirectBarrierNode` and `InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
-* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.
-
-### Minor Analysis Improvements
-
-* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
-
-### Bug Fixes
-
-* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
-
 ## 7.1.1

 ### Minor Analysis Improvements
--- a/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md
+++ b/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
--- a/cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md
+++ b/cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
--- a/cpp/ql/lib/change-notes/2026-02-14-must-flow.md
+++ b/cpp/ql/lib/change-notes/2026-02-14-must-flow.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.
--- a/cpp/ql/lib/change-notes/2026-02-24-barrier-guards.md
+++ b/cpp/ql/lib/change-notes/2026-02-24-barrier-guards.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* CodeQL version 2.24.2 accidentially introduced a syntactical breaking change to `BarrierGuard<...>::getAnIndirectBarrierNode` and `InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
--- a/cpp/ql/lib/change-notes/released/8.0.0.md
+++ b/cpp/ql/lib/change-notes/released/8.0.0.md
@@ -1,14 +0,0 @@
-## 8.0.0
-
-### Breaking Changes
-
-* CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to `BarrierGuard<...>::getAnIndirectBarrierNode` and `InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
-* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.
-
-### Minor Analysis Improvements
-
-* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
-
-### Bug Fixes
-
-* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.0
+lastReleaseVersion: 7.1.1
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.1-dev
+version: 7.1.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.5.12
-
-No user-facing changes.
-
 ## 1.5.11

 No user-facing changes.
--- a/cpp/ql/src/change-notes/released/1.5.12.md
+++ b/cpp/ql/src/change-notes/released/1.5.12.md
@@ -1,3 +0,0 @@
-## 1.5.12
-
-No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.12
+lastReleaseVersion: 1.5.11
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.13-dev
+version: 1.5.12-dev
 groups:
  - cpp
  - queries
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
@@ -116,16 +116,41 @@ namespace Semmle.Extraction.CSharp.DependencyFetching

            HashSet<string>? explicitFeeds = null;
            HashSet<string>? allFeeds = null;
+            HashSet<string>? reachableFeeds = [];

            try
            {
-                if (checkNugetFeedResponsiveness && !CheckFeeds(out explicitFeeds, out allFeeds))
+                if (checkNugetFeedResponsiveness)
                {
-                    // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too.
-                    var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds);
-                    return unresponsiveMissingPackageLocation is null
-                        ? []
-                        : [unresponsiveMissingPackageLocation];
+                    // Find feeds that are configured in NuGet.config files and divide them into ones that
+                    // are explicitly configured for the project, and "all feeds" (including inherited ones)
+                    // from other locations on the host outside of the working directory.
+                    (explicitFeeds, allFeeds) = GetAllFeeds();
+                    var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
+
+                    // If private package registries are configured for C#, then consider those
+                    // in addition to the ones that are configured in `nuget.config` files.
+                    this.dependabotProxy?.RegistryURLs.ForEach(url => explicitFeeds.Add(url));
+
+                    var (explicitFeedsReachable, reachableExplicitFeeds) =
+                        this.CheckSpecifiedFeeds(explicitFeeds);
+                    reachableFeeds.UnionWith(reachableExplicitFeeds);
+
+                    reachableFeeds.UnionWith(this.GetReachableNuGetFeeds(inheritedFeeds, isFallback: false));
+
+                    if (inheritedFeeds.Count > 0)
+                    {
+                        compilationInfoContainer.CompilationInfos.Add(("Inherited NuGet feed count", inheritedFeeds.Count.ToString()));
+                    }
+
+                    if (!explicitFeedsReachable)
+                    {
+                        // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too.
+                        var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds);
+                        return unresponsiveMissingPackageLocation is null
+                            ? []
+                            : [unresponsiveMissingPackageLocation];
+                    }
                }

                using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger))
@@ -167,9 +192,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                logger.LogError($"Failed to restore NuGet packages with nuget.exe: {exc.Message}");
            }

+            // Restore project dependencies with `dotnet restore`.
            var restoredProjects = RestoreSolutions(out var container);
            var projects = fileProvider.Projects.Except(restoredProjects);
-            RestoreProjects(projects, allFeeds, out var containers);
+            RestoreProjects(projects, reachableFeeds, out var containers);

            var dependencies = containers.Flatten(container);

@@ -192,6 +218,34 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
            return assemblyLookupLocations;
        }

+        /// <summary>
+        /// Tests which of the feeds given by <paramref name="feedsToCheck"/> are reachable.
+        /// </summary>
+        /// <param name="feedsToCheck">The feeds to check.</param>
+        /// <param name="isFallback">Whether the feeds are fallback feeds or not.</param>
+        /// <returns>The list of feeds that could be reached.</returns>
+        private List<string> GetReachableNuGetFeeds(HashSet<string> feedsToCheck, bool isFallback)
+        {
+            var fallbackStr = isFallback ? "fallback " : "";
+            logger.LogInfo($"Checking {fallbackStr}NuGet feed reachability on feeds: {string.Join(", ", feedsToCheck.OrderBy(f => f))}");
+
+            var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback);
+            var reachableFeeds = feedsToCheck
+                .Where(feed => IsFeedReachable(feed, initialTimeout, tryCount, allowExceptions: false))
+                .ToList();
+
+            if (reachableFeeds.Count == 0)
+            {
+                logger.LogWarning($"No {fallbackStr}NuGet feeds are reachable.");
+            }
+            else
+            {
+                logger.LogInfo($"Reachable {fallbackStr}NuGet feeds: {string.Join(", ", reachableFeeds.OrderBy(f => f))}");
+            }
+
+            return reachableFeeds;
+        }
+
        private List<string> GetReachableFallbackNugetFeeds(HashSet<string>? feedsFromNugetConfigs)
        {
            var fallbackFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.FallbackNugetFeeds).ToHashSet();
@@ -212,21 +266,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                }
            }

-            logger.LogInfo($"Checking fallback NuGet feed reachability on feeds: {string.Join(", ", fallbackFeeds.OrderBy(f => f))}");
-            var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: true);
-            var reachableFallbackFeeds = fallbackFeeds.Where(feed => IsFeedReachable(feed, initialTimeout, tryCount, allowExceptions: false)).ToList();
-            if (reachableFallbackFeeds.Count == 0)
-            {
-                logger.LogWarning("No fallback NuGet feeds are reachable.");
-            }
-            else
-            {
-                logger.LogInfo($"Reachable fallback NuGet feeds: {string.Join(", ", reachableFallbackFeeds.OrderBy(f => f))}");
-            }
-
-            compilationInfoContainer.CompilationInfos.Add(("Reachable fallback NuGet feed count", reachableFallbackFeeds.Count.ToString()));
-
-            return reachableFallbackFeeds;
+            return GetReachableNuGetFeeds(fallbackFeeds, isFallback: true);
        }

        /// <summary>
@@ -719,42 +759,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        }

        /// <summary>
-        /// Checks that we can connect to all NuGet feeds that are explicitly configured in configuration files
-        /// as well as any private package registry feeds that are configured.
+        /// Retrieves a list of excluded NuGet feeds from the corresponding environment variable.
        /// </summary>
-        /// <param name="explicitFeeds">Outputs the set of explicit feeds.</param>
-        /// <param name="allFeeds">Outputs the set of all feeds (explicit and inherited).</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckFeeds(out HashSet<string> explicitFeeds, out HashSet<string> allFeeds)
+        private HashSet<string> GetExcludedFeeds()
        {
-            (explicitFeeds, allFeeds) = GetAllFeeds();
-            HashSet<string> feedsToCheck = explicitFeeds;
-
-            // If private package registries are configured for C#, then check those
-            // in addition to the ones that are configured in `nuget.config` files.
-            this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));
-
-            var allFeedsReachable = this.CheckSpecifiedFeeds(feedsToCheck);
-
-            var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
-            if (inheritedFeeds.Count > 0)
-            {
-                logger.LogInfo($"Inherited NuGet feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}");
-                compilationInfoContainer.CompilationInfos.Add(("Inherited NuGet feed count", inheritedFeeds.Count.ToString()));
-            }
-
-            return allFeedsReachable;
-        }
-
-        /// <summary>
-        /// Checks that we can connect to the specified NuGet feeds.
-        /// </summary>
-        /// <param name="feeds">The set of package feeds to check.</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckSpecifiedFeeds(HashSet<string> feeds)
-        {
-            logger.LogInfo("Checking that NuGet feeds are reachable...");
-
            var excludedFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.ExcludedNugetFeedsFromResponsivenessCheck)
                .ToHashSet();

@@ -763,9 +771,38 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                logger.LogInfo($"Excluded NuGet feeds from responsiveness check: {string.Join(", ", excludedFeeds.OrderBy(f => f))}");
            }

-            var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false);
+            return excludedFeeds;
+        }

-            var allFeedsReachable = feeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount));
+        /// <summary>
+        /// Checks that we can connect to the specified NuGet feeds.
+        /// </summary>
+        /// <param name="feeds">The set of package feeds to check.</param>
+        /// <returns>
+        /// True if all feeds are reachable or false otherwise.
+        /// Also returns the list of reachable feeds.
+        /// </returns>
+        private (bool, List<string>) CheckSpecifiedFeeds(HashSet<string> feeds)
+        {
+            // Exclude any feeds that are configured by the corresponding environment variable.
+            var excludedFeeds = GetExcludedFeeds();
+
+            var feedsToCheck = feeds.Where(feed => !excludedFeeds.Contains(feed)).ToHashSet();
+            var reachableFeeds = this.GetReachableNuGetFeeds(feedsToCheck, isFallback: false);
+            var allFeedsReachable = reachableFeeds.Count == feedsToCheck.Count;
+
+            this.EmitUnreachableFeedsDiagnostics(allFeedsReachable);
+
+            return (allFeedsReachable, reachableFeeds);
+        }
+
+        /// <summary>
+        /// If <paramref name="allFeedsReachable"/> is `false`, logs this and emits a diagnostic.
+        /// Adds a `CompilationInfos` entry either way.
+        /// </summary>
+        /// <param name="allFeedsReachable">Whether all feeds were reachable or not.</param>
+        private void EmitUnreachableFeedsDiagnostics(bool allFeedsReachable)
+        {
            if (!allFeedsReachable)
            {
                logger.LogWarning("Found unreachable NuGet feed in C# analysis with build-mode 'none'. This may cause missing dependencies in the analysis.");
@@ -779,8 +816,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                ));
            }
            compilationInfoContainer.CompilationInfos.Add(("All NuGet feeds reachable", allFeedsReachable ? "1" : "0"));
-
-            return allFeedsReachable;
        }

        private IEnumerable<string> GetFeeds(Func<IList<string>> getNugetFeeds)
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.60
-
-No user-facing changes.
-
 ## 1.7.59

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.60.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.60.md
@@ -1,3 +0,0 @@
-## 1.7.60
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.60
+lastReleaseVersion: 1.7.59
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.61-dev
+version: 1.7.60-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.60
-
-No user-facing changes.
-
 ## 1.7.59

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.60.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.60.md
@@ -1,3 +0,0 @@
-## 1.7.60
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.60
+lastReleaseVersion: 1.7.59
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.61-dev
+version: 1.7.60-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,14 +1,3 @@
-## 5.4.8
-
-### Minor Analysis Improvements
-
-* C# 14: Added support for partial events.
-* C# 14: Added support for the `field` keyword in properties.
-
-### Bug Fixes
-
-* Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.
-
 ## 5.4.7

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2026-02-12-field-keyword.md
+++ b/csharp/ql/lib/change-notes/2026-02-12-field-keyword.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for the `field` keyword in properties.
--- a/csharp/ql/lib/change-notes/2026-02-16-partial-events.md
+++ b/csharp/ql/lib/change-notes/2026-02-16-partial-events.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for partial events.
--- a/csharp/ql/lib/change-notes/2026-02-23-partial-extraction-fix.md
+++ b/csharp/ql/lib/change-notes/2026-02-23-partial-extraction-fix.md
@@ -1,10 +1,4 @@
-## 5.4.8
-
-### Minor Analysis Improvements
-
-* C# 14: Added support for partial events.
-* C# 14: Added support for the `field` keyword in properties.
-
-### Bug Fixes
-
+---
+category: fix
+---
 * Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.8
+lastReleaseVersion: 5.4.7
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.9-dev
+version: 5.4.8-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.6.3
-
-No user-facing changes.
-
 ## 1.6.2

 ### Bug Fixes
--- a/csharp/ql/src/change-notes/released/1.6.3.md
+++ b/csharp/ql/src/change-notes/released/1.6.3.md
@@ -1,3 +0,0 @@
-## 1.6.3
-
-No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.2
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.4-dev
+version: 1.6.3-dev
 groups:
  - csharp
  - queries
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.24.3.rst
@@ -1,121 +0,0 @@
-.. _codeql-cli-2.24.3:
-
-==========================
-CodeQL 2.24.3 (2026-03-05)
-==========================
-
-.. contents:: Contents
-   :depth: 2
-   :local:
-   :backlinks: none
-
-This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
-
-Security Coverage
-----------------
-
-CodeQL 2.24.3 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).
-
-CodeQL CLI
----------
-
-Bug Fixes
-~~~~~~~~~
-
-*   Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips :code:`*.testproj` directories by name, preventing interference from concurrently cleaned-up test databases.
-*   Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as :code:`codeql query run`.
-
-Query Packs
-----------
-
-Minor Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Java/Kotlin
-"""""""""""
-
-*   The Java extractor and QL libraries now support Java 26.
-*   Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.
-
-Rust
-""""
-
-*   The macro resolution metric has been removed from :code:`rust/diagnostic/database-quality`. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page.
-
-Language Libraries
------------------
-
-Bug Fixes
-~~~~~~~~~
-
-C/C++
-"""""
-
-*   The :code:`allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
-
-C#
-""
-
-*   Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.
-
-Breaking Changes
-~~~~~~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to :code:`BarrierGuard<...>::getAnIndirectBarrierNode` and :code:`InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
-*   :code:`MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the :code:`MustFlowConfiguration` class, the user should now implement a module with the :code:`MustFlow::ConfigSig` signature, and instantiate the :code:`MustFlow::Global` parameterized module with the implemented module.
-
-Python
-""""""
-
-*   The :code:`Metrics` library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the :code:`LegacyPointsTo` module, to classes like :code:`ModuleMetricsWithPointsTo` etc. If you depend on any of these classes, you must now remember to import :code:`LegacyPointsTo`, and use the appropriate types in order to use the points-to-based functionality.
-
-Major Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Python
-""""""
-
-*   The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add :code:`overlay[local?] module;` to user-managed libraries that extend classes that are now marked as :code:`overlay[local]`.
-
-Minor Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (:code:`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
-
-C#
-""
-
-*   C# 14: Added support for partial events.
-*   C# 14: Added support for the :code:`field` keyword in properties.
-
-Java/Kotlin
-"""""""""""
-
-*   Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.
-
-JavaScript/TypeScript
-"""""""""""""""""""""
-
-*   Added support for React components wrapped by :code:`observer` from :code:`mobx-react` and :code:`mobx-react-lite`.
-
-Python
-""""""
-
-*   Added new full SSRF sanitization barrier from the new AntiSSRF library.
-*   When a guard such as :code:`isSafe(x)` is defined, we now also automatically handle :code:`isSafe(x) == true` and :code:`isSafe(x) != false`.
-
-Ruby
-""""
-
-*   We now track taint flow through :code:`Shellwords.escape` and :code:`Shellwords.shellescape` for all queries except command injection, for which they are sanitizers.
-
-Rust
-""""
-
-*   Added support for neutral models (:code:`extensible: neutralModel`) to control where generated source, sink and flow summary models apply.
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,7 +11,6 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
   :maxdepth: 1

-   codeql-cli-2.24.3
   codeql-cli-2.24.2
   codeql-cli-2.24.1
   codeql-cli-2.24.0
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.0.43
-
-No user-facing changes.
-
 ## 1.0.42

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.43.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.43.md
@@ -1,3 +0,0 @@
-## 1.0.43
-
-No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.43
+lastReleaseVersion: 1.0.42
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.44-dev
+version: 1.0.43-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 7.0.1
-
-No user-facing changes.
-
 ## 7.0.0

 ### Breaking Changes
--- a/go/ql/lib/change-notes/released/7.0.1.md
+++ b/go/ql/lib/change-notes/released/7.0.1.md
@@ -1,3 +0,0 @@
-## 7.0.1
-
-No user-facing changes.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.1
+lastReleaseVersion: 7.0.0
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.2-dev
+version: 7.0.1-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.5.7
-
-No user-facing changes.
-
 ## 1.5.6

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.5.7.md
+++ b/go/ql/src/change-notes/released/1.5.7.md
@@ -1,3 +0,0 @@
-## 1.5.7
-
-No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.7
+lastReleaseVersion: 1.5.6
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.8-dev
+version: 1.5.7-dev
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 8.1.1
-
-### Minor Analysis Improvements
-
-* Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.
-
 ## 8.1.0

 ### Deprecated APIs
--- a/java/ql/lib/change-notes/2026-02-12-jakarta.md
+++ b/java/ql/lib/change-notes/2026-02-12-jakarta.md
@@ -1,5 +1,4 @@
-## 8.1.1
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.1.1
+lastReleaseVersion: 8.1.0
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 8.1.2-dev
+version: 8.1.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,10 +1,3 @@
-## 1.10.8
-
-### Minor Analysis Improvements
-
-* The Java extractor and QL libraries now support Java 26.
-* Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.
-
 ## 1.10.7

 No user-facing changes.
--- a/java/ql/src/change-notes/2025-11-13-maven-default-java-17.md
+++ b/java/ql/src/change-notes/2025-11-13-maven-default-java-17.md
@@ -1,6 +1,4 @@
-## 1.10.8
-
-### Minor Analysis Improvements
-
-* The Java extractor and QL libraries now support Java 26.
-* Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.
+---
+category: minorAnalysis
+---
+* Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.
--- a/java/ql/src/change-notes/2026-02-17-support-java-26.md
+++ b/java/ql/src/change-notes/2026-02-17-support-java-26.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The Java extractor and QL libraries now support Java 26.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.10.8
+lastReleaseVersion: 1.10.7
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.10.9-dev
+version: 1.10.8-dev
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 2.6.23
-
-### Minor Analysis Improvements
-
-* Added support for React components wrapped by `observer` from `mobx-react` and `mobx-react-lite`.
-
 ## 2.6.22

 No user-facing changes.
--- a/javascript/ql/lib/change-notes/2026-02-20-mobx-react-observer.md
+++ b/javascript/ql/lib/change-notes/2026-02-20-mobx-react-observer.md
@@ -1,5 +1,4 @@
-## 2.6.23
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Added support for React components wrapped by `observer` from `mobx-react` and `mobx-react-lite`.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.23
+lastReleaseVersion: 2.6.22
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.24-dev
+version: 2.6.23-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 2.3.3
-
-No user-facing changes.
-
 ## 2.3.2

 No user-facing changes.
--- a/javascript/ql/src/change-notes/released/2.3.3.md
+++ b/javascript/ql/src/change-notes/released/2.3.3.md
@@ -1,3 +0,0 @@
-## 2.3.3
-
-No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.3
+lastReleaseVersion: 2.3.2
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.4-dev
+version: 2.3.3-dev
 groups:
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.0.43
-
-No user-facing changes.
-
 ## 1.0.42

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/1.0.43.md
+++ b/misc/suite-helpers/change-notes/released/1.0.43.md
@@ -1,3 +0,0 @@
-## 1.0.43
-
-No user-facing changes.
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.43
+lastReleaseVersion: 1.0.42
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.44-dev
+version: 1.0.43-dev
 groups: shared
 warnOnImplicitThis: true
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,18 +1,3 @@
-## 7.0.0
-
-### Breaking Changes
-
- The `Metrics` library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the `LegacyPointsTo` module, to classes like `ModuleMetricsWithPointsTo` etc. If you depend on any of these classes, you must now remember to import `LegacyPointsTo`, and use the appropriate types in order to use the points-to-based functionality.
-
-### Major Analysis Improvements
-
- The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add `overlay[local?] module;` to user-managed libraries that extend classes that are now marked as `overlay[local]`.
-
-### Minor Analysis Improvements
-
-* Added new full SSRF sanitization barrier from the new AntiSSRF library. 
-* When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
-
 ## 6.1.1

 ### Minor Analysis Improvements
@@ -22,7 +7,7 @@

 ### Bug Fixes

- Using `=` as a fill character in a format specifier (e.g. `f"{x:=^20}"`) now no longer results in a syntax error during parsing.
+- Using `=` as a fill character in a format specifier (e.g `f"{x:=^20}"`) now no longer results in a syntax error during parsing.

 ## 6.1.0

--- a/python/ql/lib/change-notes/2026-02-08-guards-compared-to-boolean-literals.md
+++ b/python/ql/lib/change-notes/2026-02-08-guards-compared-to-boolean-literals.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
--- a/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md
+++ b/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added new full SSRF sanitization barrier from the new AntiSSRF library. 
--- a/python/ql/lib/change-notes/2026-02-18-add-overlay-annotations.md
+++ b/python/ql/lib/change-notes/2026-02-18-add-overlay-annotations.md
@@ -0,0 +1,5 @@
+---
+category: majorAnalysis
+---
+
+- The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add `overlay[local?] module;` to user-managed libraries that extend classes that are now marked as `overlay[local]`.
--- a/python/ql/lib/change-notes/2026-02-18-remove-points-to-from-metrics.md
+++ b/python/ql/lib/change-notes/2026-02-18-remove-points-to-from-metrics.md
@@ -0,0 +1,5 @@
+---
+category: breaking
+---
+
+- The `Metrics` library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the `LegacyPointsTo` module, to classes like `ModuleMetricsWithPointsTo` etc. If you depend on any of these classes, you must now remember to import `LegacyPointsTo`, and use the appropriate types in order to use the points-to-based functionality.
--- a/python/ql/lib/change-notes/released/7.0.0.md
+++ b/python/ql/lib/change-notes/released/7.0.0.md
@@ -1,14 +0,0 @@
-## 7.0.0
-
-### Breaking Changes
-
- The `Metrics` library no longer contains code that depends on the points-to analysis. The removed functionality has instead been moved to the `LegacyPointsTo` module, to classes like `ModuleMetricsWithPointsTo` etc. If you depend on any of these classes, you must now remember to import `LegacyPointsTo`, and use the appropriate types in order to use the points-to-based functionality.
-
-### Major Analysis Improvements
-
- The CodeQL Python libraries have been updated to be compatible with overlay evaluation. This should result in a significant speedup on analyses for which a base database already exists. Note that it may be necessary to add `overlay[local?] module;` to user-managed libraries that extend classes that are now marked as `overlay[local]`.
-
-### Minor Analysis Improvements
-
-* Added new full SSRF sanitization barrier from the new AntiSSRF library. 
-* When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.0
+lastReleaseVersion: 6.1.1
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.0.1-dev
+version: 6.1.2-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.8
-
-No user-facing changes.
-
 ## 1.7.7

 No user-facing changes.
--- a/python/ql/src/change-notes/released/1.7.8.md
+++ b/python/ql/src/change-notes/released/1.7.8.md
@@ -1,3 +0,0 @@
-## 1.7.8
-
-No user-facing changes.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.8
+lastReleaseVersion: 1.7.7
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.7.9-dev
+version: 1.7.8-dev
 groups:
  - python
  - queries
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 5.1.11
-
-### Minor Analysis Improvements
-
-* We now track taint flow through `Shellwords.escape` and `Shellwords.shellescape` for all queries except command injection, for which they are sanitizers.
-
 ## 5.1.10

 No user-facing changes.
--- a/ruby/ql/lib/change-notes/2026-02-17-flow-through-shellwords-escape-shellescape.md
+++ b/ruby/ql/lib/change-notes/2026-02-17-flow-through-shellwords-escape-shellescape.md
@@ -1,5 +1,4 @@
-## 5.1.11
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * We now track taint flow through `Shellwords.escape` and `Shellwords.shellescape` for all queries except command injection, for which they are sanitizers.
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.11
+lastReleaseVersion: 5.1.10
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 5.1.12-dev
+version: 5.1.11-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.5.8
-
-No user-facing changes.
-
 ## 1.5.7

 No user-facing changes.
--- a/ruby/ql/src/change-notes/released/1.5.8.md
+++ b/ruby/ql/src/change-notes/released/1.5.8.md
@@ -1,3 +0,0 @@
-## 1.5.8
-
-No user-facing changes.
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.7
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.5.9-dev
+version: 1.5.8-dev
 groups:
  - ruby
  - queries
--- a/rust/ql/lib/CHANGELOG.md
+++ b/rust/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.2.7
-
-### Minor Analysis Improvements
-
-* Added support for neutral models (`extensible: neutralModel`) to control where generated source, sink and flow summary models apply.
-
 ## 0.2.6

 No user-facing changes.
--- a/rust/ql/lib/change-notes/2026-02-05-neutral-models.md
+++ b/rust/ql/lib/change-notes/2026-02-05-neutral-models.md
@@ -1,5 +1,4 @@
-## 0.2.7
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Added support for neutral models (`extensible: neutralModel`) to control where generated source, sink and flow summary models apply.
--- a/rust/ql/lib/codeql-pack.release.yml
+++ b/rust/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.7
+lastReleaseVersion: 0.2.6
--- a/rust/ql/lib/qlpack.yml
+++ b/rust/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-all
-version: 0.2.8-dev
+version: 0.2.7-dev
 groups: rust
 extractor: rust
 dbscheme: rust.dbscheme
--- a/rust/ql/src/CHANGELOG.md
+++ b/rust/ql/src/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.1.28
-
-### Minor Analysis Improvements
-
-* The macro resolution metric has been removed from `rust/diagnostic/database-quality`. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page.
-
 ## 0.1.27

 No user-facing changes.
--- a/rust/ql/src/change-notes/2026-02-18-database-quality.md
+++ b/rust/ql/src/change-notes/2026-02-18-database-quality.md
@@ -1,5 +1,4 @@
-## 0.1.28
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * The macro resolution metric has been removed from `rust/diagnostic/database-quality`. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael B. Gale	791c1fa3d8	Only use reachable feeds when private registries are configured	2026-02-27 14:38:01 +00:00
Michael B. Gale	7a8e10e17e	Check reachability of inherited feeds	2026-02-27 14:32:01 +00:00
Michael B. Gale	5415bb7119	Divide up `CheckSpecifiedFeeds`	2026-02-27 14:30:57 +00:00
Michael B. Gale	27ff77e578	Use `explicitFeeds` directly	2026-02-27 14:25:58 +00:00
Michael B. Gale	acba599217	Inline `CheckFeeds`	2026-02-27 14:24:55 +00:00
Michael B. Gale	ddcd9d5ced	Use `GetReachableNuGetFeeds` in `CheckSpecifiedFeeds`	2026-02-27 14:23:03 +00:00
Michael B. Gale	1ceb4208dd	Refactor `GetReachableNuGetFeeds` out of `GetReachableFallbackNugetFeeds`	2026-02-27 14:17:29 +00:00