Merge pull request #21809 from github/tausbn/yeast-add-support-for-desugaring-phases

Yeast: Two small improvements
Merge pull request #21794 from github/post-release-prep/codeql-cli-2.25.4
2026-05-26 17:11:24 +02:00 · 2026-05-07 19:00:44 +02:00 · 2026-05-07 14:43:24 +02:00 · 2026-05-07 12:35:46 +00:00 · 2026-05-07 13:48:12 +02:00 · 2026-05-06 21:17:31 +00:00
241 changed files with 6270 additions and 937 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -240,9 +240,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.37"
+version = "1.2.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
+checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -416,6 +416,7 @@ dependencies = [
 "tree-sitter",
 "tree-sitter-json",
 "tree-sitter-ql",
+ "yeast",
 "zstd",
 ]

@@ -754,9 +755,9 @@ dependencies = [

 [[package]]
 name = "find-msvc-tools"
-version = "0.1.1"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"

 [[package]]
 name = "fixedbitset"
@@ -2853,9 +2854,9 @@ dependencies = [

 [[package]]
 name = "tree-sitter"
-version = "0.25.9"
+version = "0.26.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa"
+checksum = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538"
 dependencies = [
 "cc",
 "regex",
@@ -2891,6 +2892,16 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"

+[[package]]
+name = "tree-sitter-python"
+version = "0.23.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04"
+dependencies = [
+ "cc",
+ "tree-sitter-language",
+]
+
 [[package]]
 name = "tree-sitter-ql"
 version = "0.23.1"
@@ -3367,6 +3378,29 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"

+[[package]]
+name = "yeast"
+version = "0.1.0"
+dependencies = [
+ "clap",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "tree-sitter",
+ "tree-sitter-python",
+ "tree-sitter-ruby",
+ "yeast-macros",
+]
+
+[[package]]
+name = "yeast-macros"
+version = "0.1.0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "yoke"
 version = "0.8.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,6 +4,8 @@
 resolver = "2"
 members = [
    "shared/tree-sitter-extractor",
+    "shared/yeast",
+    "shared/yeast-macros",
    "ruby/extractor",
    "rust/extractor",
    "rust/extractor/macros",
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -141,14 +141,16 @@ use_repo(
    "vendor_ts__serde-1.0.228",
    "vendor_ts__serde_json-1.0.145",
    "vendor_ts__serde_with-3.14.1",
+    "vendor_ts__serde_yaml-0.9.34-deprecated",
    "vendor_ts__syn-2.0.106",
    "vendor_ts__toml-0.9.7",
    "vendor_ts__tracing-0.1.41",
    "vendor_ts__tracing-flame-0.2.0",
    "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.25.9",
+    "vendor_ts__tree-sitter-0.26.8",
    "vendor_ts__tree-sitter-embedded-template-0.25.0",
    "vendor_ts__tree-sitter-json-0.24.8",
+    "vendor_ts__tree-sitter-python-0.23.6",
    "vendor_ts__tree-sitter-ql-0.23.1",
    "vendor_ts__tree-sitter-ruby-0.23.1",
    "vendor_ts__triomphe-0.1.14",
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.35
+
+No user-facing changes.
+
 ## 0.4.34

 ### Minor Analysis Improvements
--- a/actions/ql/lib/change-notes/released/0.4.35.md
+++ b/actions/ql/lib/change-notes/released/0.4.35.md
@@ -0,0 +1,3 @@
+## 0.4.35
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.34
+lastReleaseVersion: 0.4.35
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.35-dev
+version: 0.4.36-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.27
+
+No user-facing changes.
+
 ## 0.6.26

 ### Major Analysis Improvements
@@ -173,7 +177,7 @@ No user-facing changes.
  * `actions/if-expression-always-true/critical`
  * `actions/if-expression-always-true/high`
  * `actions/unnecessary-use-of-advanced-config`
-
+  
 * The following query has been moved from the `code-scanning` suite to the `security-extended`
  suite. Any existing alerts for this query will be closed automatically unless the analysis is
  configured to use the `security-extended` suite.
--- a/actions/ql/src/change-notes/released/0.6.27.md
+++ b/actions/ql/src/change-notes/released/0.6.27.md
@@ -0,0 +1,3 @@
+## 0.6.27
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.26
+lastReleaseVersion: 0.6.27
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.27-dev
+version: 0.6.28-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 10.1.0
+
+### New Features
+
+* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
+
+### Minor Analysis Improvements
+
+* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
+
 ## 10.0.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
+++ b/cpp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
--- a/cpp/ql/lib/change-notes/2026-03-28-switch-stmt.md
+++ b/cpp/ql/lib/change-notes/2026-03-28-switch-stmt.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
--- a/cpp/ql/lib/change-notes/2026-04-28-strsafe.md
+++ b/cpp/ql/lib/change-notes/2026-04-28-strsafe.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
--- a/cpp/ql/lib/change-notes/released/10.1.0.md
+++ b/cpp/ql/lib/change-notes/released/10.1.0.md
@@ -0,0 +1,10 @@
+## 10.1.0
+
+### New Features
+
+* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
+
+### Minor Analysis Improvements
+
+* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.0.0
+lastReleaseVersion: 10.1.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.0.1-dev
+version: 10.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.2
+
+No user-facing changes.
+
 ## 1.6.1

 ### Minor Analysis Improvements
@@ -366,7 +370,7 @@ No user-facing changes.
 ### Minor Analysis Improvements

 * The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
-* Added dataflow models for the `gettext` function variants.
+* Added dataflow models for the `gettext` function variants. 

 ## 0.9.4

--- a/cpp/ql/src/change-notes/released/1.6.2.md
+++ b/cpp/ql/src/change-notes/released/1.6.2.md
@@ -0,0 +1,3 @@
+## 1.6.2
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.1
+lastReleaseVersion: 1.6.2
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.2-dev
+version: 1.6.3-dev
 groups:
  - cpp
  - queries
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.66
+
+No user-facing changes.
+
 ## 1.7.65

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.66.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.66.md
@@ -0,0 +1,3 @@
+## 1.7.66
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.65
+lastReleaseVersion: 1.7.66
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.66-dev
+version: 1.7.67-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.66
+
+No user-facing changes.
+
 ## 1.7.65

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.66.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.66.md
@@ -0,0 +1,3 @@
+## 1.7.66
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.65
+lastReleaseVersion: 1.7.66
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.66-dev
+version: 1.7.67-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,42 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The C# control flow graph (CFG) implementation has been completely
+  rewritten. The CFG now includes additional nodes to more accurately represent
+  certain constructs. This also means that any existing code that implicitly
+  relies on very specific details about the CFG may need to be updated.
+  The CFG no longer uses splitting, which means that AST nodes now have a unique
+  CFG node representation.
+  Additionally, the following breaking changes have been made:
+  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
+  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
+  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
+  - `BasicBlocks.qll` has been deleted.
+  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
+    mapping remains one-to-many, but now for a different reason. It used to be
+    because of splitting, but now it's because of additional "helper" CFG
+    nodes. To get the (now canonical) CFG node for a given AST node, use
+    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
+    `ControlFlowElement.getControlFlowNode()` instead.
+
+### Deprecated APIs
+
+* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
+
+### Major Analysis Improvements
+
+* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
+
+### Minor Analysis Improvements
+
+* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
+* C# 14: Added support for user-defined compound assignment operators.
+
 ## 5.5.0

 ### Deprecated APIs
--- a/csharp/ql/lib/change-notes/2026-03-06-compound-assignment-operations.md
+++ b/csharp/ql/lib/change-notes/2026-03-06-compound-assignment-operations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C# 14: Added support for user-defined compound assignment operators.
--- a/csharp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
+++ b/csharp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
--- a/csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md
+++ b/csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
--- a/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md
+++ b/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
--- a/csharp/ql/lib/change-notes/2026-04-13-cfg.md
+++ b/csharp/ql/lib/change-notes/2026-04-13-cfg.md
@@ -1,20 +0,0 @@
---
-category: breaking
---
-* The C# control flow graph (CFG) implementation has been completely
-  rewritten. The CFG now includes additional nodes to more accurately represent
-  certain constructs. This also means that any existing code that implicitly
-  relies on very specific details about the CFG may need to be updated.
-  The CFG no longer uses splitting, which means that AST nodes now have a unique
-  CFG node representation.
-  Additionally, the following breaking changes have been made:
-  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
-  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
-  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
-  - `BasicBlocks.qll` has been deleted.
-  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
-    mapping remains one-to-many, but now for a different reason. It used to be
-    because of splitting, but now it's because of additional "helper" CFG
-    nodes. To get the (now canonical) CFG node for a given AST node, use
-    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
-    `ControlFlowElement.getControlFlowNode()` instead.
--- a/csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md
+++ b/csharp/ql/lib/change-notes/2026-05-01-ssa-replacement.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
--- a/csharp/ql/lib/change-notes/released/6.0.0.md
+++ b/csharp/ql/lib/change-notes/released/6.0.0.md
@@ -0,0 +1,38 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The C# control flow graph (CFG) implementation has been completely
+  rewritten. The CFG now includes additional nodes to more accurately represent
+  certain constructs. This also means that any existing code that implicitly
+  relies on very specific details about the CFG may need to be updated.
+  The CFG no longer uses splitting, which means that AST nodes now have a unique
+  CFG node representation.
+  Additionally, the following breaking changes have been made:
+  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
+  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
+  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
+  - `BasicBlocks.qll` has been deleted.
+  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
+    mapping remains one-to-many, but now for a different reason. It used to be
+    because of splitting, but now it's because of additional "helper" CFG
+    nodes. To get the (now canonical) CFG node for a given AST node, use
+    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
+    `ControlFlowElement.getControlFlowNode()` instead.
+
+### Deprecated APIs
+
+* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
+
+### Major Analysis Improvements
+
+* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
+
+### Minor Analysis Improvements
+
+* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
+* C# 14: Added support for user-defined compound assignment operators.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.5.0
+lastReleaseVersion: 6.0.0
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.5.1-dev
+version: 6.0.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.2
+
+No user-facing changes.
+
 ## 1.7.1

 ### Minor Analysis Improvements
--- a/csharp/ql/src/change-notes/released/1.7.2.md
+++ b/csharp/ql/src/change-notes/released/1.7.2.md
@@ -0,0 +1,3 @@
+## 1.7.2
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.1
+lastReleaseVersion: 1.7.2
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.2-dev
+version: 1.7.3-dev
 groups:
  - csharp
  - queries
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.49
+
+No user-facing changes.
+
 ## 1.0.48

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.49.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.49.md
@@ -0,0 +1,3 @@
+## 1.0.49
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.48
+lastReleaseVersion: 1.0.49
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.49-dev
+version: 1.0.50-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 7.1.0
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Go](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-go/).
+
 ## 7.0.6

 No user-facing changes.
--- a/go/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
+++ b/go/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
@@ -1,4 +1,5 @@
---
-category: feature
---
+## 7.1.0
+
+### New Features
+
 * Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Go](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-go/).
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.6
+lastReleaseVersion: 7.1.0
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.7-dev
+version: 7.1.1-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.2
+
+No user-facing changes.
+
 ## 1.6.1

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.6.2.md
+++ b/go/ql/src/change-notes/released/1.6.2.md
@@ -0,0 +1,3 @@
+## 1.6.2
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.1
+lastReleaseVersion: 1.6.2
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.2-dev
+version: 1.6.3-dev
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 9.1.0
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).
+
+### Minor Analysis Improvements
+
+* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
+* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
+* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.
+* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).
+* The `java/sensitive-log` query now treats method calls whose names contain "encrypt", "hash", or "digest" as sanitizers, consistent with the existing treatment in `java/cleartext-storage-in-log`. This reduces false positives when sensitive data is hashed or encrypted before logging.
+* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
+
 ## 9.0.4

 ### Minor Analysis Improvements
--- a/java/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
+++ b/java/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).
--- a/java/ql/lib/change-notes/2026-04-04-path-injection-torealpath.md
+++ b/java/ql/lib/change-notes/2026-04-04-path-injection-torealpath.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.
--- a/java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md
+++ b/java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).
--- a/java/ql/lib/change-notes/2026-04-04-sensitive-log-hash-sanitizer.md
+++ b/java/ql/lib/change-notes/2026-04-04-sensitive-log-hash-sanitizer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/sensitive-log` query now treats method calls whose names contain "encrypt", "hash", or "digest" as sanitizers, consistent with the existing treatment in `java/cleartext-storage-in-log`. This reduces false positives when sensitive data is hashed or encrypted before logging.
--- a/java/ql/lib/change-notes/2026-04-04-trust-boundary-regexp-barrier.md
+++ b/java/ql/lib/change-notes/2026-04-04-trust-boundary-regexp-barrier.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
--- a/java/ql/lib/change-notes/2026-04-18-partial-path-traversal-fix.md
+++ b/java/ql/lib/change-notes/2026-04-18-partial-path-traversal-fix.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
--- a/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
+++ b/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
--- a/java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md
+++ b/java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.
--- a/java/ql/lib/change-notes/released/9.1.0.md
+++ b/java/ql/lib/change-notes/released/9.1.0.md
@@ -0,0 +1,14 @@
+## 9.1.0
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).
+
+### Minor Analysis Improvements
+
+* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
+* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
+* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.
+* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).
+* The `java/sensitive-log` query now treats method calls whose names contain "encrypt", "hash", or "digest" as sanitizers, consistent with the existing treatment in `java/cleartext-storage-in-log`. This reduces false positives when sensitive data is hashed or encrypted before logging.
+* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.0.4
+lastReleaseVersion: 9.1.0
--- a/java/ql/lib/ext/org.apache.http.client.model.yml
+++ b/java/ql/lib/ext/org.apache.http.client.model.yml
@@ -3,11 +3,6 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.0.5-dev
+version: 9.1.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.11.2
+
+No user-facing changes.
+
 ## 1.11.1

 No user-facing changes.
--- a/java/ql/src/change-notes/released/1.11.2.md
+++ b/java/ql/src/change-notes/released/1.11.2.md
@@ -0,0 +1,3 @@
+## 1.11.2
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.11.1
+lastReleaseVersion: 1.11.2
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.2-dev
+version: 1.11.3-dev
 groups:
  - java
  - queries
--- a/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
+++ b/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
@@ -1,195 +0,0 @@
-import java.io.IOException;
-import java.net.URI;
-
-import org.apache.http.Header;
-import org.apache.http.HeaderIterator;
-import org.apache.http.HttpHost;
-import org.apache.http.HttpRequest;
-import org.apache.http.HttpResponse;
-import org.apache.http.ProtocolVersion;
-import org.apache.http.RequestLine;
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.ResponseHandler;
-import org.apache.http.client.methods.HttpUriRequest;
-import org.apache.http.message.BasicHttpRequest;
-import org.apache.http.params.HttpParams;
-import org.apache.http.protocol.HttpContext;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class ApacheHttpClientExecuteSSRF extends HttpServlet {
-
-    protected void doGet(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        try {
-
-            String sink = request.getParameter("host"); // $ Source
-
-            HttpHost host = new HttpHost(sink);
-            HttpRequest req = new BasicHttpRequest("GET", "/");
-            HttpUriRequest uriReq = new HttpUriRequest() {
-                @Override
-                public String getMethod() {
-                    return "GET";
-                }
-
-                @Override
-                public URI getURI() {
-                    return URI.create("https://" + sink);
-                }
-
-                @Override
-                public void abort() throws UnsupportedOperationException {
-                }
-
-                @Override
-                public boolean isAborted() {
-                    return false;
-                }
-
-                @Override
-                public RequestLine getRequestLine() {
-                    return null;
-                }
-
-                @Override
-                public ProtocolVersion getProtocolVersion() {
-                    return null;
-                }
-
-                @Override
-                public boolean containsHeader(String name) {
-                    return false;
-                }
-
-                @Override
-                public Header[] getHeaders(String name) {
-                    return null;
-                }
-
-                @Override
-                public Header getFirstHeader(String name) {
-                    return null;
-                }
-
-                @Override
-                public Header getLastHeader(String name) {
-                    return null;
-                }
-
-                @Override
-                public Header[] getAllHeaders() {
-                    return null;
-                }
-
-                @Override
-                public void addHeader(Header header) {
-                }
-
-                @Override
-                public void addHeader(String name, String value) {
-                }
-
-                @Override
-                public void setHeader(Header header) {
-                }
-
-                @Override
-                public void setHeader(String name, String value) {
-                }
-
-                @Override
-                public void setHeaders(Header[] headers) {
-                }
-
-                @Override
-                public void removeHeader(Header header) {
-                }
-
-                @Override
-                public void removeHeaders(String name) {
-                }
-
-                @Override
-                public HeaderIterator headerIterator() {
-                    return null;
-                }
-
-                @Override
-                public HeaderIterator headerIterator(String name) {
-                    return null;
-                }
-
-                @Override
-                public HttpParams getParams() {
-                    return null;
-                }
-
-                @Override
-                public void setParams(HttpParams params) {
-                }
-            };
-            HttpContext context = null;
-            HttpClient client = new HttpClient() {
-                @Override
-                public HttpResponse execute(HttpHost target, HttpRequest request) throws IOException {
-                    return null;
-                }
-
-                @Override
-                public HttpResponse execute(HttpHost target, HttpRequest request, HttpContext context) throws IOException {
-                    return null;
-                }
-
-                @Override
-                public <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler)
-                        throws IOException {
-                    return null;
-                }
-
-                @Override
-                public <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler,
-                        HttpContext context) throws IOException {
-                    return null;
-                }
-
-                @Override
-                public HttpResponse execute(HttpUriRequest request) throws IOException {
-                    return null;
-                }
-
-                @Override
-                public HttpResponse execute(HttpUriRequest request, HttpContext context) throws IOException {
-                    return null;
-                }
-
-                @Override
-                public <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler)
-                        throws IOException {
-                    return null;
-                }
-
-                @Override
-                public <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler,
-                        HttpContext context) throws IOException {
-                    return null;
-                }
-            };
-            ResponseHandler<Object> handler = null;
-
-            client.execute(host, req); // $ Alert
-            client.execute(host, req, context); // $ Alert
-            client.execute(host, req, handler); // $ Alert
-            client.execute(host, req, handler, context); // $ Alert
-            client.execute(uriReq); // $ Alert
-            client.execute(uriReq, context); // $ Alert
-            client.execute(uriReq, handler); // $ Alert
-            client.execute(uriReq, handler, context); // $ Alert
-
-        } catch (Exception e) {
-            // TODO: handle exception
-        }
-    }
-}
--- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
+++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
--- a/java/ql/test/query-tests/security/CWE-918/options
+++ b/java/ql/test/query-tests/security/CWE-918/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/apache-http-client-4.4.13:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf
--- a/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java
+++ b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java
@@ -1,23 +0,0 @@
-// Generated automatically from org.apache.http.client.HttpClient for testing purposes
-
-package org.apache.http.client;
-
-import java.io.IOException;
-import org.apache.http.HttpHost;
-import org.apache.http.HttpRequest;
-import org.apache.http.HttpResponse;
-import org.apache.http.client.methods.HttpUriRequest;
-import org.apache.http.protocol.HttpContext;
-
-public interface HttpClient {
-    HttpResponse execute(HttpHost target, HttpRequest request) throws IOException;
-    HttpResponse execute(HttpHost target, HttpRequest request, HttpContext context) throws IOException;
-    <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler) throws IOException;
-    <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler, HttpContext context)
-            throws IOException;
-    HttpResponse execute(HttpUriRequest request) throws IOException;
-    HttpResponse execute(HttpUriRequest request, HttpContext context) throws IOException;
-    <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler) throws IOException;
-    <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler, HttpContext context)
-            throws IOException;
-}
--- a/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java
+++ b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java
@@ -1,9 +0,0 @@
-// Generated automatically from org.apache.http.client.ResponseHandler for testing purposes
-
-package org.apache.http.client;
-
-import org.apache.http.HttpResponse;
-
-public interface ResponseHandler<T> {
-    T handleResponse(HttpResponse response);
-}
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 2.7.0
+
+### New Features
+
+* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
+
 ## 2.6.28

 No user-facing changes.
--- a/javascript/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
+++ b/javascript/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
--- a/javascript/ql/lib/change-notes/2026-04-12-vercel-node.md
+++ b/javascript/ql/lib/change-notes/2026-04-12-vercel-node.md
@@ -1,4 +1,6 @@
---
-category: feature
---
+## 2.7.0
+
+### New Features
+
 * Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.28
+lastReleaseVersion: 2.7.0
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.29-dev
+version: 2.7.1-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.3.9
+
+No user-facing changes.
+
 ## 2.3.8

 ### Minor Analysis Improvements
--- a/javascript/ql/src/change-notes/released/2.3.9.md
+++ b/javascript/ql/src/change-notes/released/2.3.9.md
@@ -0,0 +1,3 @@
+## 2.3.9
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.8
+lastReleaseVersion: 2.3.9
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.9-dev
+version: 2.3.10-dev
 groups:
  - javascript
  - queries
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel
@@ -529,6 +529,18 @@ alias(
    tags = ["manual"],
 )

+alias(
+    name = "serde_yaml-0.9.34+deprecated",
+    actual = "@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml",
+    tags = ["manual"],
+)
+
+alias(
+    name = "serde_yaml",
+    actual = "@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml",
+    tags = ["manual"],
+)
+
 alias(
    name = "syn-2.0.106",
    actual = "@vendor_ts__syn-2.0.106//:syn",
@@ -590,14 +602,14 @@ alias(
 )

 alias(
-    name = "tree-sitter-0.25.9",
-    actual = "@vendor_ts__tree-sitter-0.25.9//:tree_sitter",
+    name = "tree-sitter-0.26.8",
+    actual = "@vendor_ts__tree-sitter-0.26.8//:tree_sitter",
    tags = ["manual"],
 )

 alias(
    name = "tree-sitter",
-    actual = "@vendor_ts__tree-sitter-0.25.9//:tree_sitter",
+    actual = "@vendor_ts__tree-sitter-0.26.8//:tree_sitter",
    tags = ["manual"],
 )

@@ -625,6 +637,18 @@ alias(
    tags = ["manual"],
 )

+alias(
+    name = "tree-sitter-python-0.23.6",
+    actual = "@vendor_ts__tree-sitter-python-0.23.6//:tree_sitter_python",
+    tags = ["manual"],
+)
+
+alias(
+    name = "tree-sitter-python",
+    actual = "@vendor_ts__tree-sitter-python-0.23.6//:tree_sitter_python",
+    tags = ["manual"],
+)
+
 alias(
    name = "tree-sitter-ql-0.23.1",
    actual = "@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql",
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.61.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.61.bazel
@@ -96,9 +96,9 @@ rust_library(
        "@rules_rust//rust/platform:x86_64-unknown-uefi": [],
        "//conditions:default": ["@platforms//:incompatible"],
    }),
-    version = "1.2.37",
+    version = "1.2.61",
    deps = [
-        "@vendor_ts__find-msvc-tools-0.1.1//:find_msvc_tools",
+        "@vendor_ts__find-msvc-tools-0.1.9//:find_msvc_tools",
        "@vendor_ts__jobserver-0.1.34//:jobserver",
        "@vendor_ts__shlex-1.3.0//:shlex",
    ] + select({
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.find-msvc-tools-0.1.9.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.find-msvc-tools-0.1.9.bazel
@@ -93,5 +93,5 @@ rust_library(
        "@rules_rust//rust/platform:x86_64-unknown-uefi": [],
        "//conditions:default": ["@platforms//:incompatible"],
    }),
-    version = "0.1.1",
+    version = "0.1.9",
 )
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel
@@ -154,7 +154,7 @@ cargo_build_script(
    version = "0.1.2",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
    ],
 )

--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.26.8.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.26.8.bazel
@@ -101,12 +101,12 @@ rust_library(
        "@rules_rust//rust/platform:x86_64-unknown-uefi": [],
        "//conditions:default": ["@platforms//:incompatible"],
    }),
-    version = "0.25.9",
+    version = "0.26.8",
    deps = [
        "@vendor_ts__regex-1.11.3//:regex",
        "@vendor_ts__regex-syntax-0.8.6//:regex_syntax",
        "@vendor_ts__streaming-iterator-0.1.9//:streaming_iterator",
-        "@vendor_ts__tree-sitter-0.25.9//:build_script_build",
+        "@vendor_ts__tree-sitter-0.26.8//:build_script_build",
        "@vendor_ts__tree-sitter-language-0.1.5//:tree_sitter_language",
    ],
 )
@@ -164,10 +164,10 @@ cargo_build_script(
        "noclippy",
        "norustfmt",
    ],
-    version = "0.25.9",
+    version = "0.26.8",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
        "@vendor_ts__serde_json-1.0.145//:serde_json",
    ],
 )
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.25.0.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.25.0.bazel
@@ -155,7 +155,7 @@ cargo_build_script(
    version = "0.25.0",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
    ],
 )

--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel
@@ -155,7 +155,7 @@ cargo_build_script(
    version = "0.24.8",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
    ],
 )

--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-python-0.23.6.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-python-0.23.6.bazel
@@ -0,0 +1,166 @@
+###############################################################################
+# @generated
+# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To
+# regenerate this file, run the following:
+#
+#     bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors
+###############################################################################
+
+load(
+    "@rules_rust//cargo:defs.bzl",
+    "cargo_build_script",
+    "cargo_toml_env_vars",
+)
+load("@rules_rust//rust:defs.bzl", "rust_library")
+
+package(default_visibility = ["//visibility:public"])
+
+cargo_toml_env_vars(
+    name = "cargo_toml_env_vars",
+    src = "Cargo.toml",
+)
+
+rust_library(
+    name = "tree_sitter_python",
+    srcs = glob(
+        include = ["**/*.rs"],
+        allow_empty = True,
+    ),
+    compile_data = glob(
+        include = ["**"],
+        allow_empty = True,
+        exclude = [
+            "**/* *",
+            ".tmp_git_root/**/*",
+            "BUILD",
+            "BUILD.bazel",
+            "WORKSPACE",
+            "WORKSPACE.bazel",
+        ],
+    ),
+    crate_root = "bindings/rust/lib.rs",
+    edition = "2021",
+    rustc_env_files = [
+        ":cargo_toml_env_vars",
+    ],
+    rustc_flags = [
+        "--cap-lints=allow",
+    ],
+    tags = [
+        "cargo-bazel",
+        "crate-name=tree-sitter-python",
+        "manual",
+        "noclippy",
+        "norustfmt",
+    ],
+    target_compatible_with = select({
+        "@rules_rust//rust/platform:aarch64-apple-darwin": [],
+        "@rules_rust//rust/platform:aarch64-apple-ios": [],
+        "@rules_rust//rust/platform:aarch64-apple-ios-sim": [],
+        "@rules_rust//rust/platform:aarch64-linux-android": [],
+        "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [],
+        "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [],
+        "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [],
+        "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [],
+        "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [],
+        "@rules_rust//rust/platform:aarch64-unknown-uefi": [],
+        "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [],
+        "@rules_rust//rust/platform:arm-unknown-linux-musleabi": [],
+        "@rules_rust//rust/platform:armv7-linux-androideabi": [],
+        "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [],
+        "@rules_rust//rust/platform:i686-apple-darwin": [],
+        "@rules_rust//rust/platform:i686-linux-android": [],
+        "@rules_rust//rust/platform:i686-pc-windows-msvc": [],
+        "@rules_rust//rust/platform:i686-unknown-freebsd": [],
+        "@rules_rust//rust/platform:i686-unknown-linux-gnu": [],
+        "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [],
+        "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [],
+        "@rules_rust//rust/platform:riscv64gc-unknown-linux-gnu": [],
+        "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [],
+        "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [],
+        "@rules_rust//rust/platform:thumbv7em-none-eabi": [],
+        "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [],
+        "@rules_rust//rust/platform:wasm32-unknown-emscripten": [],
+        "@rules_rust//rust/platform:wasm32-unknown-unknown": [],
+        "@rules_rust//rust/platform:wasm32-wasip1": [],
+        "@rules_rust//rust/platform:wasm32-wasip1-threads": [],
+        "@rules_rust//rust/platform:wasm32-wasip2": [],
+        "@rules_rust//rust/platform:x86_64-apple-darwin": [],
+        "@rules_rust//rust/platform:x86_64-apple-ios": [],
+        "@rules_rust//rust/platform:x86_64-linux-android": [],
+        "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [],
+        "@rules_rust//rust/platform:x86_64-unknown-freebsd": [],
+        "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [],
+        "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [],
+        "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [],
+        "@rules_rust//rust/platform:x86_64-unknown-none": [],
+        "@rules_rust//rust/platform:x86_64-unknown-uefi": [],
+        "//conditions:default": ["@platforms//:incompatible"],
+    }),
+    version = "0.23.6",
+    deps = [
+        "@vendor_ts__tree-sitter-language-0.1.5//:tree_sitter_language",
+        "@vendor_ts__tree-sitter-python-0.23.6//:build_script_build",
+    ],
+)
+
+cargo_build_script(
+    name = "_bs",
+    srcs = glob(
+        include = ["**/*.rs"],
+        allow_empty = True,
+    ),
+    compile_data = glob(
+        include = ["**"],
+        allow_empty = True,
+        exclude = [
+            "**/* *",
+            "**/*.rs",
+            ".tmp_git_root/**/*",
+            "BUILD",
+            "BUILD.bazel",
+            "WORKSPACE",
+            "WORKSPACE.bazel",
+        ],
+    ),
+    crate_name = "build_script_build",
+    crate_root = "bindings/rust/build.rs",
+    data = glob(
+        include = ["**"],
+        allow_empty = True,
+        exclude = [
+            "**/* *",
+            ".tmp_git_root/**/*",
+            "BUILD",
+            "BUILD.bazel",
+            "WORKSPACE",
+            "WORKSPACE.bazel",
+        ],
+    ),
+    edition = "2021",
+    pkg_name = "tree-sitter-python",
+    rustc_env_files = [
+        ":cargo_toml_env_vars",
+    ],
+    rustc_flags = [
+        "--cap-lints=allow",
+    ],
+    tags = [
+        "cargo-bazel",
+        "crate-name=tree-sitter-python",
+        "manual",
+        "noclippy",
+        "norustfmt",
+    ],
+    version = "0.23.6",
+    visibility = ["//visibility:private"],
+    deps = [
+        "@vendor_ts__cc-1.2.61//:cc",
+    ],
+)
+
+alias(
+    name = "build_script_build",
+    actual = ":_bs",
+    tags = ["manual"],
+)
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel
@@ -155,7 +155,7 @@ cargo_build_script(
    version = "0.23.1",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
    ],
 )

--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel
@@ -155,7 +155,7 @@ cargo_build_script(
    version = "0.23.1",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
    ],
 )

--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zstd-sys-2.0.16+zstd.1.5.7.bazel
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zstd-sys-2.0.16+zstd.1.5.7.bazel
@@ -165,7 +165,7 @@ cargo_build_script(
    version = "2.0.16+zstd.1.5.7",
    visibility = ["//visibility:private"],
    deps = [
-        "@vendor_ts__cc-1.2.37//:cc",
+        "@vendor_ts__cc-1.2.61//:cc",
        "@vendor_ts__pkg-config-0.3.32//:pkg_config",
    ],
 )
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl
@@ -303,7 +303,7 @@ _NORMAL_DEPENDENCIES = {
            "serde_json": Label("@vendor_ts__serde_json-1.0.145//:serde_json"),
            "tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"),
            "tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.20//:tracing_subscriber"),
-            "tree-sitter": Label("@vendor_ts__tree-sitter-0.25.9//:tree_sitter"),
+            "tree-sitter": Label("@vendor_ts__tree-sitter-0.26.8//:tree_sitter"),
            "tree-sitter-embedded-template": Label("@vendor_ts__tree-sitter-embedded-template-0.25.0//:tree_sitter_embedded_template"),
            "tree-sitter-ruby": Label("@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby"),
        },
@@ -381,10 +381,28 @@ _NORMAL_DEPENDENCIES = {
            "serde_json": Label("@vendor_ts__serde_json-1.0.145//:serde_json"),
            "tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"),
            "tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.20//:tracing_subscriber"),
-            "tree-sitter": Label("@vendor_ts__tree-sitter-0.25.9//:tree_sitter"),
+            "tree-sitter": Label("@vendor_ts__tree-sitter-0.26.8//:tree_sitter"),
            "zstd": Label("@vendor_ts__zstd-0.13.3//:zstd"),
        },
    },
+    "shared/yeast": {
+        _COMMON_CONDITION: {
+            "clap": Label("@vendor_ts__clap-4.5.48//:clap"),
+            "serde": Label("@vendor_ts__serde-1.0.228//:serde"),
+            "serde_json": Label("@vendor_ts__serde_json-1.0.145//:serde_json"),
+            "serde_yaml": Label("@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml"),
+            "tree-sitter": Label("@vendor_ts__tree-sitter-0.26.8//:tree_sitter"),
+            "tree-sitter-python": Label("@vendor_ts__tree-sitter-python-0.23.6//:tree_sitter_python"),
+            "tree-sitter-ruby": Label("@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby"),
+        },
+    },
+    "shared/yeast-macros": {
+        _COMMON_CONDITION: {
+            "proc-macro2": Label("@vendor_ts__proc-macro2-1.0.101//:proc_macro2"),
+            "quote": Label("@vendor_ts__quote-1.0.41//:quote"),
+            "syn": Label("@vendor_ts__syn-2.0.106//:syn"),
+        },
+    },
 }

 _NORMAL_ALIASES = {
@@ -411,6 +429,14 @@ _NORMAL_ALIASES = {
        _COMMON_CONDITION: {
        },
    },
+    "shared/yeast": {
+        _COMMON_CONDITION: {
+        },
+    },
+    "shared/yeast-macros": {
+        _COMMON_CONDITION: {
+        },
+    },
 }

 _NORMAL_DEV_DEPENDENCIES = {
@@ -431,6 +457,10 @@ _NORMAL_DEV_DEPENDENCIES = {
            "tree-sitter-ql": Label("@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql"),
        },
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _NORMAL_DEV_ALIASES = {
@@ -448,6 +478,10 @@ _NORMAL_DEV_ALIASES = {
        _COMMON_CONDITION: {
        },
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _PROC_MACRO_DEPENDENCIES = {
@@ -463,6 +497,10 @@ _PROC_MACRO_DEPENDENCIES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _PROC_MACRO_ALIASES = {
@@ -478,6 +516,10 @@ _PROC_MACRO_ALIASES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _PROC_MACRO_DEV_DEPENDENCIES = {
@@ -493,6 +535,10 @@ _PROC_MACRO_DEV_DEPENDENCIES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _PROC_MACRO_DEV_ALIASES = {
@@ -510,6 +556,10 @@ _PROC_MACRO_DEV_ALIASES = {
        _COMMON_CONDITION: {
        },
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _BUILD_DEPENDENCIES = {
@@ -525,6 +575,10 @@ _BUILD_DEPENDENCIES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _BUILD_ALIASES = {
@@ -540,6 +594,10 @@ _BUILD_ALIASES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _BUILD_PROC_MACRO_DEPENDENCIES = {
@@ -555,6 +613,10 @@ _BUILD_PROC_MACRO_DEPENDENCIES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _BUILD_PROC_MACRO_ALIASES = {
@@ -570,6 +632,10 @@ _BUILD_PROC_MACRO_ALIASES = {
    },
    "shared/tree-sitter-extractor": {
    },
+    "shared/yeast": {
+    },
+    "shared/yeast-macros": {
+    },
 }

 _CONDITIONS = {
@@ -923,12 +989,12 @@ def crate_repositories():

    maybe(
        http_archive,
-        name = "vendor_ts__cc-1.2.37",
-        sha256 = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44",
+        name = "vendor_ts__cc-1.2.61",
+        sha256 = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d",
        type = "tar.gz",
-        urls = ["https://static.crates.io/crates/cc/1.2.37/download"],
-        strip_prefix = "cc-1.2.37",
-        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cc-1.2.37.bazel"),
+        urls = ["https://static.crates.io/crates/cc/1.2.61/download"],
+        strip_prefix = "cc-1.2.61",
+        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cc-1.2.61.bazel"),
    )

    maybe(
@@ -1373,12 +1439,12 @@ def crate_repositories():

    maybe(
        http_archive,
-        name = "vendor_ts__find-msvc-tools-0.1.1",
-        sha256 = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d",
+        name = "vendor_ts__find-msvc-tools-0.1.9",
+        sha256 = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582",
        type = "tar.gz",
-        urls = ["https://static.crates.io/crates/find-msvc-tools/0.1.1/download"],
-        strip_prefix = "find-msvc-tools-0.1.1",
-        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.find-msvc-tools-0.1.1.bazel"),
+        urls = ["https://static.crates.io/crates/find-msvc-tools/0.1.9/download"],
+        strip_prefix = "find-msvc-tools-0.1.9",
+        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.find-msvc-tools-0.1.9.bazel"),
    )

    maybe(
@@ -3363,12 +3429,12 @@ def crate_repositories():

    maybe(
        http_archive,
-        name = "vendor_ts__tree-sitter-0.25.9",
-        sha256 = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa",
+        name = "vendor_ts__tree-sitter-0.26.8",
+        sha256 = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538",
        type = "tar.gz",
-        urls = ["https://static.crates.io/crates/tree-sitter/0.25.9/download"],
-        strip_prefix = "tree-sitter-0.25.9",
-        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-0.25.9.bazel"),
+        urls = ["https://static.crates.io/crates/tree-sitter/0.26.8/download"],
+        strip_prefix = "tree-sitter-0.26.8",
+        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-0.26.8.bazel"),
    )

    maybe(
@@ -3401,6 +3467,16 @@ def crate_repositories():
        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-language-0.1.5.bazel"),
    )

+    maybe(
+        http_archive,
+        name = "vendor_ts__tree-sitter-python-0.23.6",
+        sha256 = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04",
+        type = "tar.gz",
+        urls = ["https://static.crates.io/crates/tree-sitter-python/0.23.6/download"],
+        strip_prefix = "tree-sitter-python-0.23.6",
+        build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-python-0.23.6.bazel"),
+    )
+
    maybe(
        http_archive,
        name = "vendor_ts__tree-sitter-ql-0.23.1",
@@ -4152,13 +4228,15 @@ def crate_repositories():
        struct(repo = "vendor_ts__serde-1.0.228", is_dev_dep = False),
        struct(repo = "vendor_ts__serde_json-1.0.145", is_dev_dep = False),
        struct(repo = "vendor_ts__serde_with-3.14.1", is_dev_dep = False),
+        struct(repo = "vendor_ts__serde_yaml-0.9.34-deprecated", is_dev_dep = False),
        struct(repo = "vendor_ts__syn-2.0.106", is_dev_dep = False),
        struct(repo = "vendor_ts__toml-0.9.7", is_dev_dep = False),
        struct(repo = "vendor_ts__tracing-0.1.41", is_dev_dep = False),
        struct(repo = "vendor_ts__tracing-flame-0.2.0", is_dev_dep = False),
        struct(repo = "vendor_ts__tracing-subscriber-0.3.20", is_dev_dep = False),
-        struct(repo = "vendor_ts__tree-sitter-0.25.9", is_dev_dep = False),
+        struct(repo = "vendor_ts__tree-sitter-0.26.8", is_dev_dep = False),
        struct(repo = "vendor_ts__tree-sitter-embedded-template-0.25.0", is_dev_dep = False),
+        struct(repo = "vendor_ts__tree-sitter-python-0.23.6", is_dev_dep = False),
        struct(repo = "vendor_ts__tree-sitter-ruby-0.23.1", is_dev_dep = False),
        struct(repo = "vendor_ts__triomphe-0.1.14", is_dev_dep = False),
        struct(repo = "vendor_ts__ungrammar-1.16.1", is_dev_dep = False),
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.49
+
+No user-facing changes.
+
 ## 1.0.48

 No user-facing changes.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Taus	b027ac3658	Merge pull request #21809 from github/tausbn/yeast-add-support-for-desugaring-phases Yeast: Two small improvements	2026-05-07 19:00:44 +02:00
Paolo Tranquilli	f9e42ac443	Merge pull request #21794 from github/post-release-prep/codeql-cli-2.25.4 Post-release preparation for codeql-cli-2.25.4	2026-05-07 14:43:24 +02:00
copilot-swe-agent[bot]	e0d663f79b	yeast: address review wording in phase docs Agent-Logs-Url: https://github.com/github/codeql/sessions/6d23db05-a6e9-4de4-8951-b465980fd0ef Co-authored-by: tausbn <1104778+tausbn@users.noreply.github.com>	2026-05-07 12:35:46 +00:00
Taus	33fc767782	Merge pull request #21797 from github/tausbn/yeast-desugaring-tool Shared: Add YEAST desugaring library	2026-05-07 13:48:12 +02:00
Taus	957c89b478	yeast: Support multi-phase desugaring via DesugaringConfig::add_phase Extend the desugaring config from a single flat list of rules to an ordered sequence of named Phases. Each phase runs to completion (a full traversal applying its rules) before the next phase starts. Rules in different phases never compete for matches. The config is built via the new chainable API: DesugaringConfig::new() .add_phase("cleanup", cleanup_rules) .add_phase("desugar", desugar_rules) .with_output_node_types_yaml(yaml); Single-phase configs are just .add_phase(...) called once. A single FreshScope is shared across phases so generated identifier names (e.g. $tmp-N) are unique throughout the run. Phase names appear in error messages, e.g. "Phase `desugar`: exceeded maximum rewrite depth". Add two regression tests: one verifying basic two-phase chained desugaring, and one verifying that errors include the failing phase name.	2026-05-06 21:17:31 +00:00
Taus	9a94836974	yeast: Add per-rule .repeated() flag to opt into iterative matching Previously, after a rule fired the engine would always re-try that same rule on the result root. A rule whose output matched its own query (intentionally or by accident) would loop until the global MAX_REWRITE_DEPTH safety net kicked in. Make the default behavior fire-once-per-node: after a rule fires on node N, the engine no longer tries that same rule on the result root. Other rules and child traversal are unaffected. Rules that intentionally rewrite iteratively can opt into the old behavior via the new Rule::repeated() builder method. Add two regression tests using a self-swapping assignment rule: - with .repeated(), the swap loops and trips the depth limit - without it (default), the swap fires once and terminates	2026-05-06 12:33:18 +00:00
Taus	a0a0e9e9a7	yeast: Add test for chained rules with output-only kinds Adds a regression test verifying that desugaring rules can chain across output-only node kinds: a first rule rewrites an input kind to an output-only kind, and a second rule then rewrites that output-only kind into another output-only kind. This exercises the schema lookup for query patterns whose root kind is not present in the input tree-sitter grammar.	2026-05-06 11:45:53 +00:00
Taus	60dcf88b50	yeast: Add Bazel build rules for yeast crates Add BUILD.bazel files for the yeast and yeast-macros crates, register them as dependencies of the shared tree-sitter extractor, and refresh the vendored crate dependencies via update_tree_sitter_extractors_deps.sh.	2026-05-06 11:34:09 +00:00
Taus	82bbdee832	yeast: Support separate output node types in extractor generator Language and LanguageSpec gain optional output_node_types field. When set, the generator produces dbscheme/QL from the output types and the extractor validates TRAP against them. All existing extractors pass None (no behavior change). Ruby extract() calls gain vec![] for the new rules parameter. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
Taus	9ad431dea1	yeast: Integrate yeast with shared tree-sitter extractor extract() gains a rules parameter. When empty, uses tree-sitter native traversal (no behavior change). When non-empty, runs yeast desugaring and extracts via traverse_yeast. Adds AstNode trait abstracting over tree_sitter::Node and yeast::Node, with minimal changes to existing Visitor methods (Node -> &N in 6 signatures). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
Taus	cc28ff9a48	yeast: Add yeast documentation Covers architecture, query language, template language (tree!/trees!/rule!), capture semantics, fresh identifiers, and extractor integration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
Taus	6e580446fd	yeast: Add yeast test suite 12 tests covering parsing, queries, tree building, desugaring rules, cursor navigation, and the shorthand rule! syntax. Tests use a custom output node-types.yml with named fields for all children (parameter, stmt, index), loaded via schema_from_yaml_with_language. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
Taus	4c5548363c	yeast: Add AST dumper for human-readable tree output Produces indented text showing node kinds, named fields, and leaf content. Unnamed tokens are hidden unless inside a named field. Used by tests for readable assertions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
Taus	8a9e53cc58	yeast: Add YAML node-types format and converter Human-friendly YAML alternative to tree-sitter node-types.json with three sections: supertypes, named, unnamed. Supports bidirectional conversion and building Schema objects from YAML. Includes CLI binary (node_types_yaml) and documentation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
Taus	04f587190e	yeast: AST desugaring framework with proc-macro DSL YEAST (YEAST Elaborates Abstract Syntax Trees) is a framework for transforming tree-sitter parse trees before CodeQL extraction. Core components: - shared/yeast/ — Ast, Node, Schema, query matching engine, captures, FreshScope, BuildCtx - shared/yeast-macros/ — proc macros: query!, tree!, trees!, rule! The query language is inspired by tree-sitter queries: (assignment left: (_) @lhs right: (_) @rhs) Templates support embedded Rust ({expr}), splicing ({..expr}), computed literals (#{expr}), and fresh identifiers ($name). The rule! macro combines query and transform: rule!((for pattern: (_) @pat ...) => (call receiver: {val} ...)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-06 11:34:09 +00:00
github-actions[bot]	7610277199	Post-release preparation for codeql-cli-2.25.4	2026-05-05 10:10:06 +00:00
Paolo Tranquilli	6a95251206	Merge pull request #21793 from github/release-prep/2.25.4 Release preparation for version 2.25.4	2026-05-05 11:39:13 +02:00
github-actions[bot]	88e1d86c27	Release preparation for version 2.25.4	2026-05-05 09:34:30 +00:00