Initial plan

2026-05-26 17:11:24 +02:00 · 2026-01-14 01:31:18 +00:00
532 changed files with 21460 additions and 114467 deletions
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -17,41 +17,9 @@ permissions:
  contents: read

 jobs:
-  detect-changes:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest
-    outputs:
-      languages: ${{ steps.detect.outputs.languages }}
-    steps:
-      - uses: actions/checkout@v5
-      - name: Detect changed languages
-        id: detect
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # For PRs, detect which languages have changes
-            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
-            languages=()
-            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
-              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
-                languages+=("$lang")
-              fi
-            done
-            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
-          else
-            # For pushes to main/rc branches, run all languages
-            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
-          fi
-        env:
-          GH_TOKEN: ${{ github.token }}
-
  compile-queries:
-    needs: detect-changes
-    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
+    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}

    steps:
      - uses: actions/checkout@v5
@@ -63,16 +31,16 @@ jobs:
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with: 
-          key: ${{ matrix.language }}-queries
+          key: all-queries
      - name: check formatting
-        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
      - name: compile queries - check-only
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
      - name: compile queries - full
        # do full compile if running on main - this populates the cache
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/actions/ql/examples/codeql-pack.lock.yml
+++ b/actions/ql/examples/codeql-pack.lock.yml
@@ -1,4 +0,0 @@
---
-lockVersion: 1.0.0
-dependencies: {}
-compiled: false
--- a/actions/ql/examples/qlpack.yml
+++ b/actions/ql/examples/qlpack.yml
@@ -1,7 +0,0 @@
-name: codeql/actions-examples
-groups:
-  - actions
-  - examples
-dependencies:
-  codeql/actions-all: ${workspace}
-warnOnImplicitThis: true
--- a/actions/ql/examples/snippets/uses_pinned_sha.ql
+++ b/actions/ql/examples/snippets/uses_pinned_sha.ql
@@ -1,12 +0,0 @@
-/**
- * @name Uses step with pinned SHA
- * @description Finds 'uses' steps where the version is a pinned SHA.
- * @id actions/examples/uses-pinned-sha
- * @tags example
- */
-
-import actions
-
-from UsesStep uses
-where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
-select uses, "This 'uses' step has a pinned SHA version."
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.4.26
-
-### Major Analysis Improvements
-
-* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
-
 ## 0.4.25

 No user-facing changes.
--- a/actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md
+++ b/actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md
@@ -1,5 +1,4 @@
-## 0.4.26
-
-### Major Analysis Improvements
-
+---
+category: majorAnalysis
+---
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.26
+lastReleaseVersion: 0.4.25
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.27-dev
+version: 0.4.26-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.6.18
-
-No user-facing changes.
-
 ## 0.6.17

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.18.md
+++ b/actions/ql/src/change-notes/released/0.6.18.md
@@ -1,3 +0,0 @@
-## 0.6.18
-
-No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.18
+lastReleaseVersion: 0.6.17
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.19-dev
+version: 0.6.18-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql
@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 394 <= kind and kind <= 396)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
@@ -1,4 +0,0 @@
-description: Add new builtin operations and this parameter access table
-compatibility: partial
-exprs.rel: run exprs.qlo
-param_ref_to_this.rel: delete
--- a/cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/old.dbscheme
+++ b/cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/old.dbscheme
--- a/cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/semmlecode.dbscheme
+++ b/cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/semmlecode.dbscheme
--- a/cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties
+++ b/cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties
@@ -1,2 +0,0 @@
-description: Sections for databaseMetadata and overlayChangedFiles
-compatibility: full
--- a/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/old.dbscheme
+++ b/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/old.dbscheme
--- a/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/preprocdirects.ql
+++ b/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/preprocdirects.ql
@@ -1,13 +0,0 @@
-class PreprocessorDirective extends @preprocdirect {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-from PreprocessorDirective ppd, int kind, int kind_new, Location l
-where
-  preprocdirects(ppd, kind, l) and
-  if kind = 17 then kind_new = /* ppd_warning */ 18 else kind_new = kind
-select ppd, kind_new, l
--- a/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/upgrade.properties
+++ b/cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/upgrade.properties
@@ -1,4 +0,0 @@
-description: Support embed preprocessor directive
-compatibility: partial
-embeds.rel: delete
-preprocdirects.rel: run preprocdirects.qlo
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
@@ -1,2 +0,0 @@
-description: Remove _Decimal{32,64,128} types
-compatibility: full
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,27 +1,3 @@
-## 7.0.0
-
-### Breaking Changes
-
-* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
-
-### Deprecated APIs
-
-* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
-
-### New Features
-
-* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
-* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
-* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
-
-### Minor Analysis Improvements
-
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
-
-### Bug Fixes
-
-* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
-
 ## 6.1.4

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2026-01-02-constant-folding.md
+++ b/cpp/ql/lib/change-notes/2026-01-02-constant-folding.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
--- a/cpp/ql/lib/change-notes/2026-01-19-embed.md
+++ b/cpp/ql/lib/change-notes/2026-01-19-embed.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added a subclass `Embed` of `PreprocessorDirective` for C23 and C++26 `#embed` preprocessor directives.
--- a/cpp/ql/lib/change-notes/released/7.0.0.md
+++ b/cpp/ql/lib/change-notes/released/7.0.0.md
@@ -1,23 +0,0 @@
-## 7.0.0
-
-### Breaking Changes
-
-* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
-
-### Deprecated APIs
-
-* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
-
-### New Features
-
-* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
-* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
-* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
-
-### Minor Analysis Improvements
-
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
-
-### Bug Fixes
-
-* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.0
+lastReleaseVersion: 6.1.4
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 7.0.1-dev
+version: 6.1.5-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Preprocessor.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Preprocessor.qll
@@ -328,27 +328,3 @@ class PreprocessorPragma extends PreprocessorDirective, @ppd_pragma {
 class PreprocessorLine extends PreprocessorDirective, @ppd_line {
  override string toString() { result = "#line " + this.getHead() }
 }
-
-/**
- * A C23 or C++26 `#embed` preprocessor directive. For example, the following code
- * contains one `Embed` directive:
- * ```cpp
- * char arr[] = {
- * #embed "bin"
- * };
- * ```
- */
-class Embed extends PreprocessorDirective, @ppd_embed {
-  override string toString() { result = "#embed " + this.getIncludeText() }
-
-  /**
-   * Gets the token which occurs after `#embed`, for example `"filename"`
-   * or `<filename>`.
-   */
-  string getIncludeText() { result = this.getHead() }
-
-  /**
-   * Gets the file directly embedded by this `#embed`.
-   */
-  File getEmbeddedFile() { embeds(underlyingElement(this), unresolveElement(result)) }
-}
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -1050,10 +1050,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    expr.(Call).getQualifier() = ele and
    pred = "getQualifier()"
    or
-    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/1 also consider arguments, and are already handled below.
+    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/0 also consider arguments, and are already handled below.
    exists(int n, Expr arg | expr.(Call).getArgument(n) = arg |
      not expr.(OverloadedArrayExpr).getArrayBase() = arg and
-      not expr.(OverloadedArrayExpr).getAnArrayOffset() = arg and
+      not expr.(OverloadedArrayExpr).getArrayOffset() = arg and
      arg = ele and
      pred = "getArgument(" + n.toString() + ")"
    )
@@ -1062,10 +1062,7 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    or
    expr.(OverloadedArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
    or
-    exists(int n |
-      expr.(OverloadedArrayExpr).getArrayOffset(n) = ele and
-      pred = "getArrayOffset(" + n.toString() + ")"
-    )
+    expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
    or
    // OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, and is already handled above for all Call classes.
    not expr.(OverloadedPointerDereferenceExpr).getQualifier() =
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -802,6 +802,15 @@ private predicate floatingPointTypeMapping(
  // _Complex __float128
  kind = 39 and base = 2 and domain = TComplexDomain() and realKind = 38 and extended = false
  or
+  // _Decimal32
+  kind = 40 and base = 10 and domain = TRealDomain() and realKind = 40 and extended = false
+  or
+  // _Decimal64
+  kind = 41 and base = 10 and domain = TRealDomain() and realKind = 41 and extended = false
+  or
+  // _Decimal128
+  kind = 42 and base = 10 and domain = TRealDomain() and realKind = 42 and extended = false
+  or
  // _Float32
  kind = 45 and base = 2 and domain = TRealDomain() and realKind = 45 and extended = false
  or
@@ -862,8 +871,9 @@ private predicate floatingPointTypeMapping(

 /**
 * The C/C++ floating point types. See 4.5.  This includes `float`, `double` and `long double`, the
- * fixed-size floating-point types like `_Float32`, and the extended-precision floating-point types
- * like `_Float64x`. It also includes the complex and imaginary versions of all of these types.
+ * fixed-size floating-point types like `_Float32`, the extended-precision floating-point types like
+ * `_Float64x`, and the decimal floating-point types like `_Decimal32`. It also includes the complex
+ * and imaginary versions of all of these types.
 */
 class FloatingPointType extends ArithmeticType {
  final int base;
@@ -981,6 +991,42 @@ class Float128Type extends RealNumberType, BinaryFloatingPointType {
  override string getAPrimaryQlClass() { result = "Float128Type" }
 }

+/**
+ * The GNU C `_Decimal32` primitive type.  This is not standard C/C++.
+ * ```
+ * _Decimal32 d32;
+ * ```
+ */
+class Decimal32Type extends RealNumberType, DecimalFloatingPointType {
+  Decimal32Type() { builtintypes(underlyingElement(this), _, 40, _, _, _) }
+
+  override string getAPrimaryQlClass() { result = "Decimal32Type" }
+}
+
+/**
+ * The GNU C `_Decimal64` primitive type.  This is not standard C/C++.
+ * ```
+ * _Decimal64 d64;
+ * ```
+ */
+class Decimal64Type extends RealNumberType, DecimalFloatingPointType {
+  Decimal64Type() { builtintypes(underlyingElement(this), _, 41, _, _, _) }
+
+  override string getAPrimaryQlClass() { result = "Decimal64Type" }
+}
+
+/**
+ * The GNU C `_Decimal128` primitive type.  This is not standard C/C++.
+ * ```
+ * _Decimal128 d128;
+ * ```
+ */
+class Decimal128Type extends RealNumberType, DecimalFloatingPointType {
+  Decimal128Type() { builtintypes(underlyingElement(this), _, 42, _, _, _) }
+
+  override string getAPrimaryQlClass() { result = "Decimal128Type" }
+}
+
 /**
 * The C/C++ `void` type. See 4.7.
 * ```
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
@@ -394,11 +394,6 @@ class FunctionAccess extends Access, @routineexpr {
 */
 class ParamAccessForType extends Expr, @param_ref {
  override string toString() { result = "param access" }
-
-  /**
-   * Holds if the accessed parameter is implicit object parameter of the function.
-   */
-  predicate isThisAccess() { param_ref_to_this(underlyingElement(this)) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
@@ -1941,61 +1941,3 @@ class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istrivia

  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
 }
-
-/**
- * A C++ `__is_bitwise_cloneable` built-in operation.
- *
- * Returns `true` if an object of type `_Tp` is bitwise cloneable.
- *
- * ```
- * template<typename _Tp>
- *   struct is_bitwise_cloneable
- *   : public integral_constant<bool, __is_bitwise_cloneable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsBitwiseCloneable extends BuiltInOperation, @isbitwisecloneable {
-  override string toString() { result = "__is_bitwise_cloneable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBitwiseCloneable" }
-}
-
-/**
- * A C++ `__is_invocable` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a function of type `_FTpn` can be invoked with arguments of
- * type `_Tps`.
- *
- * ```
- * template<typename _FTpn, typename... _Tps>
- *   struct is_invocable
- *   : public integral_constant<bool, __is_invocable(_FTpn, _Tps...)>
- *   {};
- * ```
- */
-class BuiltInOperationIsInvocable extends BuiltInOperation, @isinvocable {
-  override string toString() { result = "__is_invocable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsInvocable" }
-}
-
-/**
- * A C++ `__is_nothrow_invocable` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a function of non-throwing type `_FTpn` can be invoked
- * with arguments of type `_Tps`.
- *
- * ```
- * template<typename _FTpn, typename... _Tps>
- *   struct is_nothrow_invocable
- *   : public integral_constant<bool, __is_nothrow_invocable(_FTpn, _Tps...)>
- *   {};
- * ```
- */
-class BuiltInOperationIsNothrowInvocable extends BuiltInOperation, @isnothrowinvocable {
-  override string toString() { result = "__is_nothrow_invocable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowInvocable" }
-}
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
@@ -387,23 +387,10 @@ class OverloadedArrayExpr extends FunctionCall {

  /**
   * Gets the expression giving the index.
-   *
-   * DEPRECATED: Use getArrayOffset/1 instead.
   */
-  deprecated Expr getArrayOffset() { result = this.getArrayOffset(0) }
-
-  /**
-   * Gets the expression giving the nth index.
-   */
-  Expr getArrayOffset(int n) {
-    n >= 0 and
-    if exists(this.getQualifier()) then result = this.getChild(n) else result = this.getChild(n + 1)
+  Expr getArrayOffset() {
+    if exists(this.getQualifier()) then result = this.getChild(0) else result = this.getChild(1)
  }
-
-  /**
-   * Gets an expression giving an index.
-   */
-  Expr getAnArrayOffset() { result = this.getArrayOffset(_) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll
@@ -21,7 +21,7 @@ private string getLocationFilePath(@location_default loc) {
 * Gets the file path for an element with a single location.
 */
 overlay[local]
-string getSingleLocationFilePath(@element e) {
+private string getSingleLocationFilePath(@element e) {
  exists(@location_default loc |
    var_decls(e, _, _, _, loc)
    or
@@ -34,38 +34,6 @@ string getSingleLocationFilePath(@element e) {
    macroinvocations(e, _, loc, _)
    or
    preprocdirects(e, _, loc)
-    or
-    diagnostics(e, _, _, _, _, loc)
-    or
-    usings(e, _, loc, _)
-    or
-    static_asserts(e, _, _, loc, _)
-    or
-    derivations(e, _, _, _, loc)
-    or
-    frienddecls(e, _, _, loc)
-    or
-    comments(e, _, loc)
-    or
-    exprs(e, _, loc)
-    or
-    stmts(e, _, loc)
-    or
-    initialisers(e, _, _, loc)
-    or
-    attributes(e, _, _, _, loc)
-    or
-    attribute_args(e, _, _, _, loc)
-    or
-    namequalifiers(e, _, _, loc)
-    or
-    enumconstants(e, _, _, _, _, loc)
-    or
-    type_mentions(e, _, loc, _)
-    or
-    lambda_capture(e, _, _, _, _, _, loc)
-    or
-    concept_templates(e, _, loc)
  |
    result = getLocationFilePath(loc)
  )
@@ -75,7 +43,7 @@ string getSingleLocationFilePath(@element e) {
 * Gets the file path for an element with potentially multiple locations.
 */
 overlay[local]
-string getMultiLocationFilePath(@element e) {
+private string getMultiLocationFilePath(@element e) {
  exists(@location_default loc |
    exists(@var_decl vd | var_decls(vd, e, _, _, loc))
    or
--- a/cpp/ql/lib/semmle/code/cpp/internal/OverlayDiscardConsistencyQuery.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/OverlayDiscardConsistencyQuery.qll
@@ -1,64 +0,0 @@
-/**
- * Provides consistency queries for checking that every database entity
- * that can be discarded (i.e. everything but `@compilation` and some external
- * entities) in an overlay database is indeed discarded.
- *
- * This validates that Overlay.qll's `getSingleLocationFilePath` and
- * `getMultiLocationFilePath` predicates cover all entity types.
- */
-
-import cpp
-private import Overlay
-
-/**
- * Holds if `element` is not covered by the discard predicates in Overlay.qll.
- *
- * This query is intended to flag cases where new entity types are added
- * to the dbscheme but the corresponding discard predicate is not updated.
- *
- * An element is considered covered if it has a path via either
- * `getSingleLocationFilePath` or `getMultiLocationFilePath`.
- */
-query predicate consistencyTest(Element element, string message) {
-  (
-    // Check that every @element has a path via the discard predicates
-    not exists(getSingleLocationFilePath(element)) and
-    not exists(getMultiLocationFilePath(element)) and
-    // Exclude global/synthetic entities that don't need to be discarded
-    not element instanceof @specifier and
-    not element instanceof @builtintype and
-    not element instanceof @derivedtype and
-    not element instanceof @routinetype and
-    not element instanceof @ptrtomember and
-    not element instanceof @decltype and
-    not element instanceof @type_operator and
-    not element instanceof @specialnamequalifyingelement and
-    // Exclude files/folders (handled separately by overlay infrastructure)
-    not element instanceof @file and
-    not element instanceof @folder and
-    // Exclude XML entities (not C++ code)
-    not element instanceof @xmllocatable and
-    // Exclude compiler diagnostics (metadata, not source entities)
-    not element instanceof @diagnostic and
-    // Exclude usertypes without declarations (compiler built-ins like 'auto', '__va_list')
-    not (element instanceof @usertype and not exists(@type_decl td | type_decls(td, element, _))) and
-    // Exclude namespaces without declarations (global namespace)
-    not (
-      element instanceof @namespace and
-      not exists(@namespace_decl nd | namespace_decls(nd, element, _, _))
-    ) and
-    // Exclude functions without declarations (compiler-generated like implicit operator=)
-    not (
-      element instanceof @function and not exists(@fun_decl fd | fun_decls(fd, element, _, _, _))
-    ) and
-    // Exclude variables without declarations (parameters of compiler-generated functions)
-    not (
-      element instanceof @variable and not exists(@var_decl vd | var_decls(vd, element, _, _, _))
-    ) and
-    exists(Location loc | loc = element.getLocation() |
-      message =
-        element.getPrimaryQlClasses() + " at " + loc.getFile().getRelativePath() + ":" +
-          loc.getStartLine().toString() + " not covered by discard predicates"
-    )
-  )
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -156,7 +156,7 @@ class Node extends TIRDataFlowNode {
   * If `isGLValue()` holds, then the type of this node
   * should be thought of as "pointer to `getType()`".
   */
-  Type getType() { none() } // overridden in subclasses
+  DataFlowType getType() { none() } // overridden in subclasses

  /** Gets the instruction corresponding to this node, if any. */
  Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -541,7 +541,7 @@ class Node extends TIRDataFlowNode {
  /**
   * Gets an upper bound on the type of this node.
   */
-  Type getTypeBound() { result = this.getType() }
+  DataFlowType getTypeBound() { result = this.getType() }

  /** Gets the location of this element. */
  cached
@@ -585,7 +585,7 @@ private class Node0 extends Node, TNode0 {

  override string toStringImpl() { result = node.toString() }

-  override Type getType() { result = node.getType() }
+  override DataFlowType getType() { result = node.getType() }

  override predicate isGLValue() { node.isGLValue() }
 }
@@ -704,7 +704,7 @@ class SsaSynthNode extends Node, TSsaSynthNode {

  override Declaration getFunction() { result = node.getBasicBlock().getEnclosingFunction() }

-  override Type getType() { result = node.getSourceVariable().getType() }
+  override DataFlowType getType() { result = node.getSourceVariable().getType() }

  override predicate isGLValue() { node.getSourceVariable().isGLValue() }

@@ -732,7 +732,7 @@ class SsaIteratorNode extends Node, TSsaIteratorNode {

  override Declaration getFunction() { result = node.getFunction() }

-  override Type getType() { result = node.getType() }
+  override DataFlowType getType() { result = node.getType() }

  final override Location getLocationImpl() { result = node.getLocation() }

@@ -792,7 +792,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {

  override Declaration getFunction() { result = globalUse.getIRFunction().getFunction() }

-  override Type getType() {
+  override DataFlowType getType() {
    exists(int indirectionIndex |
      indirectionIndex = globalUse.getIndirectionIndex() and
      result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex)
@@ -826,7 +826,7 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {

  final override predicate isGLValue() { globalDef.getIndirectionIndex() = 0 }

-  override Type getType() { result = globalDef.getUnderlyingType() }
+  override DataFlowType getType() { result = globalDef.getUnderlyingType() }

  final override Location getLocationImpl() { result = globalDef.getLocation() }

@@ -853,7 +853,7 @@ class BodyLessParameterNodeImpl extends Node, TBodyLessParameterNodeImpl {
  /** Gets the indirection index of this node. */
  int getIndirectionIndex() { result = indirectionIndex }

-  override Type getType() {
+  override DataFlowType getType() {
    result = getTypeImpl(p.getUnderlyingType(), this.getIndirectionIndex())
  }

@@ -1117,8 +1117,8 @@ private module RawIndirectNodes {

    override predicate isGLValue() { this.getOperand().isGLValue() }

-    override Type getType() {
-      exists(int sub, Type type, boolean isGLValue |
+    override DataFlowType getType() {
+      exists(int sub, DataFlowType type, boolean isGLValue |
        type = getOperandType(this.getOperand(), isGLValue) and
        if isGLValue = true then sub = 1 else sub = 0
      |
@@ -1163,8 +1163,8 @@ private module RawIndirectNodes {

    override predicate isGLValue() { this.getInstruction().isGLValue() }

-    override Type getType() {
-      exists(int sub, Type type, boolean isGLValue |
+    override DataFlowType getType() {
+      exists(int sub, DataFlowType type, boolean isGLValue |
        type = getInstructionType(this.getInstruction(), isGLValue) and
        if isGLValue = true then sub = 1 else sub = 0
      |
@@ -1263,7 +1263,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
    result.asSourceCallable() = this.getFunction()
  }

-  override Type getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
+  override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }

  final override Location getLocationImpl() {
    // Parameters can have multiple locations. When there's a unique location we use
@@ -1539,7 +1539,7 @@ abstract class PostUpdateNode extends Node {
   */
  abstract Node getPreUpdateNode();

-  final override Type getType() { result = this.getPreUpdateNode().getType() }
+  final override DataFlowType getType() { result = this.getPreUpdateNode().getType() }
 }

 /**
@@ -1632,7 +1632,9 @@ class VariableNode extends Node, TGlobalLikeVariableNode {
    result.asSourceCallable() = v
  }

-  override Type getType() { result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1) }
+  override DataFlowType getType() {
+    result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1)
+  }

  final override Location getLocationImpl() {
    // Certain variables (such as parameters) can have multiple locations.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
@@ -53,7 +53,7 @@ private module SourceVariables {
     * the type of this source variable should be thought of as "pointer
     * to `getType()`".
     */
-    Type getType() {
+    DataFlowType getType() {
      if this.isGLValue()
      then result = base.getType()
      else result = getTypeImpl(base.getType(), ind - 1)
@@ -1064,15 +1064,8 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, IRGuards::GuardValue val,
    int indirectionIndex
  ) {
-    exists(Instruction e |
-      IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecks(g,
-        e, val, indirectionIndex)
-    |
-      indirectionIndex = 0 and
-      def.(Definition).getAUse().getDef() = e
-      or
-      def.(Definition).getAnIndirectUse(indirectionIndex).getDef() = e
-    )
+    IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecksDef(g,
+      def, val, indirectionIndex)
  }

  Node getABarrierNode(int indirectionIndex) {
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -617,9 +617,9 @@ case @builtintype.kind of
 | 37 = @signed_int128         // signed __int128
 | 38 = @float128              // __float128
 | 39 = @complex_float128      // _Complex __float128
-// ... 40 _Decimal32
-// ... 41 _Decimal64
-// ... 42 _Decimal128
+| 40 = @decimal32             // _Decimal32
+| 41 = @decimal64             // _Decimal64
+| 42 = @decimal128            // _Decimal128
 | 43 = @char16_t
 | 44 = @char32_t
 | 45 = @std_float32           // _Float32
@@ -1902,9 +1902,6 @@ case @expr.kind of
 | 391 = @nested_requirement
 | 392 = @compound_requirement
 | 393 = @concept_id
-| 394 = @isinvocable
-| 395 = @isnothrowinvocable
-| 396 = @isbitwisecloneable
 ;

@var_args_expr = @vastartexpr
@@ -2021,9 +2018,6 @@ case @expr.kind of
            | @istriviallyequalitycomparable
            | @isscopedenum
            | @istriviallyrelocatable
-            | @isinvocable
-            | @isnothrowinvocable
-            | @isbitwisecloneable
            ;

 compound_requirement_is_noexcept(
@@ -2040,10 +2034,6 @@ new_array_allocated_type(
    int type_id: @type ref
 );

-param_ref_to_this(
-    int expr: @param_ref ref
-)
-
 /**
 * The field being initialized by an initializer expression within an aggregate
 * initializer for a class/struct/union. Position is used to sort repeated initializers.
@@ -2353,7 +2343,6 @@ case @preprocdirect.kind of
 | 14 = @ppd_ms_import
 | 15 = @ppd_elifdef
 | 16 = @ppd_elifndef
-| 17 = @ppd_embed
 | 18 = @ppd_warning
 ;

@@ -2380,11 +2369,6 @@ includes(
    int included: @file ref
 );

-embeds(
-    unique int id: @ppd_embed ref,
-    int included: @file ref
-);
-
 link_targets(
    int id: @link_target,
    int binary: @file ref
@@ -2395,8 +2379,6 @@ link_parent(
    int link_target : @link_target ref
 );

-/*- Database metadata -*/
-
 /**
 * The CLI will automatically emit applicable tuples for this table,
 * such as `databaseMetadata("isOverlay", "true")` when building an
@@ -2407,8 +2389,6 @@ databaseMetadata(
  string value: string ref
 );

-/*- Overlay support -*/
-
 /**
 * The CLI will automatically emit tuples for each new/modified/deleted file
 * when building an overlay database.
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
+++ b/cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
--- a/cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
+++ b/cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
@@ -1,2 +0,0 @@
-description: Sections for databaseMetadata and overlayChangedFiles
-compatibility: full
--- a/cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/old.dbscheme
+++ b/cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/old.dbscheme
--- a/cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties
+++ b/cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties
@@ -1,2 +0,0 @@
-description: Support embed preprocessor directive
-compatibility: partial
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql
@@ -1,11 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-predicate isDecimalBuiltinType(BuiltinType type) { builtintypes(type, _, [40, 41, 42], _, _, _) }
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if isDecimalBuiltinType(type) then kind_new = 1 else kind_new = kind
-select type, name, kind_new, size, sign, alignment
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/old.dbscheme
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/old.dbscheme
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties
@@ -1,3 +0,0 @@
-description: Remove _Decimal{32,64,128} types
-compatibility: partial
-builtintypes.rel: run builtintypes.qlo
--- a/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
+++ b/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
--- a/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
+++ b/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
@@ -1,2 +0,0 @@
-description: Add new builtin operations and this parameter access table
-compatibility: backwards
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 1.5.9
-
-### Minor Analysis Improvements
-
-* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
-
 ## 1.5.8

 No user-facing changes.
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -122,8 +122,7 @@ module Config implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) {
    // Block flow if the node is guarded by any <, <= or = operations.
-    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode() or
-    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getAnIndirectBarrierNode()
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
  }

  predicate observeDiffInformedIncrementalMode() { any() }
--- a/cpp/ql/src/change-notes/2026-01-02-constant-comparison.md
+++ b/cpp/ql/src/change-notes/2026-01-02-constant-comparison.md
@@ -1,5 +1,4 @@
-## 1.5.9
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.9
+lastReleaseVersion: 1.5.8
--- a/cpp/ql/src/jsf/lib/section_4_21_Operators/AV_Rule_166.qll
+++ b/cpp/ql/src/jsf/lib/section_4_21_Operators/AV_Rule_166.qll
@@ -13,7 +13,7 @@ class SizeofImpureExprOperator extends SizeofExprOperator {
      not e.(OverloadedPointerDereferenceExpr).getExpr().isPure() and
      not exists(OverloadedArrayExpr op | op = e |
        op.getArrayBase().isPure() and
-        forall(Expr offset | offset = op.getAnArrayOffset() | offset.isPure())
+        op.getArrayOffset().isPure()
      )
    )
  }
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.10-dev
+version: 1.5.9-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -78,7 +78,7 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
 {
  private module DataFlow = Df::DataFlow;

-  class Type = Cpp::Type;
+  class Type = DataFlowPrivate::DataFlowType;

  // Note: This also includes `this`
  class Parameter = DataFlow::ParameterNode;
--- a/cpp/ql/test/library-tests/builtins/type_traits/clang.cpp
+++ b/cpp/ql/test/library-tests/builtins/type_traits/clang.cpp
@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --clang_version 210000
+// semmle-extractor-options: --clang --clang_version 190000

 struct S {
    void f() {}
@@ -121,11 +121,3 @@ bool b_is_scoped_enum2 = __is_scoped_enum(int);

 bool b_is_trivially_relocatable1 = __is_trivially_relocatable(int);
 bool b_is_trivially_relocatable2 = __is_trivially_relocatable(void);
-
-struct S3{
-    S3(S3 &);
-    S3& operator=(S3&);
-};
-
-bool bok_is_bitwise_cloneable1 = __is_bitwise_cloneable(int);
-bool bok_is_bitwise_cloneable2 = __is_bitwise_cloneable(S3);
--- a/cpp/ql/test/library-tests/builtins/type_traits/expr.expected
+++ b/cpp/ql/test/library-tests/builtins/type_traits/expr.expected
@@ -165,10 +165,6 @@
 | clang.cpp:122:36:122:66 | int |  | <none> |
 | clang.cpp:123:36:123:67 | __is_trivially_relocatable | void | 0 |
 | clang.cpp:123:36:123:67 | void |  | <none> |
-| clang.cpp:130:34:130:60 | __is_bitwise_cloneable | int | 1 |
-| clang.cpp:130:34:130:60 | int |  | <none> |
-| clang.cpp:131:34:131:59 | S3 |  | <none> |
-| clang.cpp:131:34:131:59 | __is_bitwise_cloneable | S3 | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 1 |  | 1 |
@@ -215,16 +211,6 @@
 | gcc.cpp:29:45:29:93 | __reference_converts_from_temporary | int &&,int && | 0 |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
-| gcc.cpp:33:24:33:45 | __is_invocable | f_type | 1 |
-| gcc.cpp:33:24:33:45 | f_type |  | <none> |
-| gcc.cpp:34:24:34:51 | __is_invocable | f_type,bool | 0 |
-| gcc.cpp:34:24:34:51 | bool |  | <none> |
-| gcc.cpp:34:24:34:51 | f_type |  | <none> |
-| gcc.cpp:36:32:36:61 | __is_nothrow_invocable | f_type | 1 |
-| gcc.cpp:36:32:36:61 | f_type |  | <none> |
-| gcc.cpp:37:32:37:67 | __is_nothrow_invocable | f_type,bool | 0 |
-| gcc.cpp:37:32:37:67 | bool |  | <none> |
-| gcc.cpp:37:32:37:67 | f_type |  | <none> |
 | ms.cpp:38:41:38:45 | 0 |  | 0 |
 | ms.cpp:88:27:88:45 | __has_assign | empty | 0 |
 | ms.cpp:88:27:88:45 | empty |  | <none> |
--- a/cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp
+++ b/cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp
@@ -1,4 +1,4 @@
-// semmle-extractor-options: --gnu_version 150000
+// semmle-extractor-options: --gnu_version 130000

 __attribute__ ((aligned(8))) int v;
 bool b_has_attribute1 = __builtin_has_attribute(v, aligned);
@@ -27,11 +27,3 @@ bool b_reference_constructs_from_temporary2 = __reference_constructs_from_tempor

 bool b_reference_converts_from_temporary1 = __reference_converts_from_temporary(int&&, int);
 bool b_reference_converts_from_temporary2 = __reference_converts_from_temporary(int&&, int&&);
-
-using f_type = void(*)() noexcept;
-
-bool b_is_invocable1 = __is_invocable(f_type);
-bool b_is_invocable2 = __is_invocable(f_type, bool);
-
-bool b_is_nothrow_invocable1 = __is_nothrow_invocable(f_type);
-bool b_is_nothrow_invocable2 = __is_nothrow_invocable(f_type, bool);
--- a/cpp/ql/test/library-tests/builtins/types/types.c
+++ b/cpp/ql/test/library-tests/builtins/types/types.c
@@ -0,0 +1,5 @@
+
+_Decimal32 d32;
+_Decimal64 d64;
+_Decimal128 d128;
+
--- a/cpp/ql/test/library-tests/builtins/types/types.expected
+++ b/cpp/ql/test/library-tests/builtins/types/types.expected
@@ -0,0 +1,7 @@
+| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int |
+| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int |
+| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * |
+| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * |
+| types.c:2:12:2:14 | d32 | file://:0:0:0:0 | _Decimal32 |
+| types.c:3:12:3:14 | d64 | file://:0:0:0:0 | _Decimal64 |
+| types.c:4:13:4:16 | d128 | file://:0:0:0:0 | _Decimal128 |
--- a/cpp/ql/test/library-tests/builtins/types/types.ql
+++ b/cpp/ql/test/library-tests/builtins/types/types.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable v, Type t
+where t = v.getType()
+select v, t
--- a/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.cpp
@@ -4,12 +4,6 @@ void sink(int);

 void testCheckArgument(int* p) {
  if (checkArgument(p)) {
-    sink(*p); // $ indirect_barrier=int barrier=int*
-  }
-}
-
-void testCheckArgument(int p) {
-  if (checkArgument(&p)) {
-    sink(p); // $ barrier=glval<int> indirect_barrier=int
+    sink(*p); // $ barrier barrier=1
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql
@@ -13,33 +13,26 @@ predicate instructionGuardChecks(IRGuardCondition gc, Instruction checked, boole

 module BarrierGuard = DataFlow::InstructionBarrierGuard<instructionGuardChecks/3>;

-predicate indirectBarrierGuard(DataFlow::Node node, string s) {
-  node = BarrierGuard::getAnIndirectBarrierNode(_) and
-  if node.isGLValue()
-  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
-  else s = node.getType().toString().replaceAll(" ", "")
+predicate indirectBarrierGuard(DataFlow::Node node, int indirectionIndex) {
+  node = BarrierGuard::getAnIndirectBarrierNode(indirectionIndex)
 }

-predicate barrierGuard(DataFlow::Node node, string s) {
-  node = BarrierGuard::getABarrierNode() and
-  if node.isGLValue()
-  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
-  else s = node.getType().toString().replaceAll(" ", "")
-}
+predicate barrierGuard(DataFlow::Node node) { node = BarrierGuard::getABarrierNode() }

 module Test implements TestSig {
-  string getARelevantTag() { result = ["barrier", "indirect_barrier"] }
+  string getARelevantTag() { result = "barrier" }

  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node node, string s |
-      indirectBarrierGuard(node, s) and
-      value = s and
-      tag = "indirect_barrier"
+    exists(DataFlow::Node node |
+      barrierGuard(node) and
+      value = ""
      or
-      barrierGuard(node, s) and
-      value = s and
-      tag = "barrier"
+      exists(int indirectionIndex |
+        indirectBarrierGuard(node, indirectionIndex) and
+        value = indirectionIndex.toString()
+      )
    |
+      tag = "barrier" and
      element = node.toString() and
      location = node.getLocation()
    )
--- a/cpp/ql/test/library-tests/friends/loop/friends.expected
+++ b/cpp/ql/test/library-tests/friends/loop/friends.expected
@@ -1,14 +1,9 @@
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -24309,7 +24309,7 @@ ir.cpp:
 # 2727|         getArrayBase(): [VariableAccess] x
 # 2727|             Type = [SpecifiedType] const WithBracketOperator
 # 2727|             ValueCategory = lvalue
-# 2727|         getArrayOffset(0): [VariableAccess] i
+# 2727|         getArrayOffset(): [VariableAccess] i
 # 2727|             Type = [IntType] int
 # 2727|             ValueCategory = prvalue(load)
 # 2727|       getExpr().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
--- a/cpp/ql/test/library-tests/literals/literals/literals.c
+++ b/cpp/ql/test/library-tests/literals/literals/literals.c
@@ -1,4 +1,6 @@

+double dd = 1.0d;
+double dD = 1.0D;
 double df = 1.0f;
 double dF = 1.0F;
 double di = 1.0i;
--- a/cpp/ql/test/library-tests/literals/literals/literals.expected
+++ b/cpp/ql/test/library-tests/literals/literals/literals.expected
@@ -1,12 +1,14 @@
 | literals.c:2:13:2:16 | 1.0 |
 | literals.c:3:13:3:16 | 1.0 |
-| literals.c:4:13:4:16 | (0.0,1.0i) |
-| literals.c:5:13:5:16 | (0.0,1.0i) |
+| literals.c:4:13:4:16 | 1.0 |
+| literals.c:5:13:5:16 | 1.0 |
 | literals.c:6:13:6:16 | (0.0,1.0i) |
 | literals.c:7:13:7:16 | (0.0,1.0i) |
-| literals.c:8:13:8:16 | 1.0 |
-| literals.c:9:13:9:16 | 1.0 |
+| literals.c:8:13:8:16 | (0.0,1.0i) |
+| literals.c:9:13:9:16 | (0.0,1.0i) |
 | literals.c:10:13:10:16 | 1.0 |
 | literals.c:11:13:11:16 | 1.0 |
 | literals.c:12:13:12:16 | 1.0 |
 | literals.c:13:13:13:16 | 1.0 |
+| literals.c:14:13:14:16 | 1.0 |
+| literals.c:15:13:15:16 | 1.0 |
--- a/cpp/ql/test/library-tests/subscript_operator/PrintAST.expected
+++ b/cpp/ql/test/library-tests/subscript_operator/PrintAST.expected
@@ -1,69 +0,0 @@
-#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
-#-----|   <params>: 
-#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
-#-----|         Type = [LValueReferenceType] const __va_list_tag &
-#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
-#-----|   <params>: 
-#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
-#-----|         Type = [RValueReferenceType] __va_list_tag &&
-test.cpp:
-#    3| [CopyAssignmentOperator] S& S::operator=(S const&)
-#    3|   <params>: 
-#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
-#-----|         Type = [LValueReferenceType] const S &
-#    3| [MoveAssignmentOperator] S& S::operator=(S&&)
-#    3|   <params>: 
-#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
-#-----|         Type = [RValueReferenceType] S &&
-#    5| [MemberFunction] int S::operator[](int, int)
-#    5|   <params>: 
-#    5|     getParameter(0): [Parameter] i
-#    5|         Type = [IntType] int
-#    5|     getParameter(1): [Parameter] j
-#    5|         Type = [IntType] int
-#    5|   getEntryPoint(): [BlockStmt] { ... }
-#    6|     getStmt(0): [ReturnStmt] return ...
-#    6|       getExpr(): [ArrayExpr] access to array
-#    6|           Type = [IntType] int
-#    6|           ValueCategory = prvalue(load)
-#    6|         getArrayBase(): [ArrayExpr] access to array
-#    6|             Type = [ArrayType] int[2]
-#    6|             ValueCategory = lvalue
-#    6|           getArrayBase(): [ImplicitThisFieldAccess,PointerFieldAccess] xs
-#    6|               Type = [ArrayType] int[2][2]
-#    6|               ValueCategory = lvalue
-#    6|             getQualifier(): [ThisExpr] this
-#    6|                 Type = [PointerType] S *
-#    6|                 ValueCategory = prvalue(load)
-#    6|           getArrayOffset(): [VariableAccess] i
-#    6|               Type = [IntType] int
-#    6|               ValueCategory = prvalue(load)
-#-----|           getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
-#-----|               Type = [PointerType] int(*)[2]
-#-----|               ValueCategory = prvalue
-#    6|         getArrayOffset(): [VariableAccess] j
-#    6|             Type = [IntType] int
-#    6|             ValueCategory = prvalue(load)
-#    6|         getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
-#    6|             Type = [IntPointerType] int *
-#    6|             ValueCategory = prvalue
-#   10| [TopLevelFunction] int foo(S)
-#   10|   <params>: 
-#   10|     getParameter(0): [Parameter] s
-#   10|         Type = [Struct] S
-#   10|   getEntryPoint(): [BlockStmt] { ... }
-#   11|     getStmt(0): [ReturnStmt] return ...
-#   11|       getExpr(): [OverloadedArrayExpr] call to operator[]
-#   11|           Type = [IntType] int
-#   11|           ValueCategory = prvalue
-#   11|         getArrayBase(): [VariableAccess] s
-#   11|             Type = [Struct] S
-#   11|             ValueCategory = lvalue
-#   11|         getArrayOffset(0): [Literal] 1
-#   11|             Type = [IntType] int
-#   11|             Value = [Literal] 1
-#   11|             ValueCategory = prvalue
-#   11|         getArrayOffset(1): [Literal] 2
-#   11|             Type = [IntType] int
-#   11|             Value = [Literal] 2
-#   11|             ValueCategory = prvalue
--- a/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
+++ b/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
@@ -1 +0,0 @@
-semmle/code/cpp/PrintAST.ql
--- a/cpp/ql/test/library-tests/subscript_operator/test.cpp
+++ b/cpp/ql/test/library-tests/subscript_operator/test.cpp
@@ -1,12 +0,0 @@
-// semmle-extractor-options: -std=c++23
-
-struct S {
-    int xs[2][2];
-    int operator[](int i, int j) {
-        return xs[i][j];
-    }
-};
-
-int foo(S s) {
-    return s[1, 2];
-}
--- a/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
+++ b/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
@@ -12,6 +12,9 @@
 | file://:0:0:0:0 | _Complex float |
 | file://:0:0:0:0 | _Complex long double |
 | file://:0:0:0:0 | _Complex std::float16_t |
+| file://:0:0:0:0 | _Decimal32 |
+| file://:0:0:0:0 | _Decimal64 |
+| file://:0:0:0:0 | _Decimal128 |
 | file://:0:0:0:0 | _Float16 |
 | file://:0:0:0:0 | _Float32 |
 | file://:0:0:0:0 | _Float32x |
--- a/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
+++ b/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
@@ -32,6 +32,9 @@
 | file://:0:0:0:0 | _Complex float | 8 |
 | file://:0:0:0:0 | _Complex long double | 32 |
 | file://:0:0:0:0 | _Complex std::float16_t | 4 |
+| file://:0:0:0:0 | _Decimal32 | 4 |
+| file://:0:0:0:0 | _Decimal64 | 8 |
+| file://:0:0:0:0 | _Decimal128 | 16 |
 | file://:0:0:0:0 | _Float16 | 2 |
 | file://:0:0:0:0 | _Float32 | 4 |
 | file://:0:0:0:0 | _Float32x | 8 |
--- a/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
+++ b/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
@@ -14,6 +14,9 @@
 | file://:0:0:0:0 | _Complex float | _Complex float |
 | file://:0:0:0:0 | _Complex long double | _Complex long double |
 | file://:0:0:0:0 | _Complex std::float16_t | _Complex std::float16_t |
+| file://:0:0:0:0 | _Decimal32 | _Decimal32 |
+| file://:0:0:0:0 | _Decimal64 | _Decimal64 |
+| file://:0:0:0:0 | _Decimal128 | _Decimal128 |
 | file://:0:0:0:0 | _Float16 | _Float16 |
 | file://:0:0:0:0 | _Float32 | _Float32 |
 | file://:0:0:0:0 | _Float32x | _Float32x |
--- a/cpp/ql/test/library-tests/variables/variables/types.expected
+++ b/cpp/ql/test/library-tests/variables/variables/types.expected
@@ -13,6 +13,9 @@
 | _Complex float | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
 | _Complex long double | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
 | _Complex std::float16_t | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
+| _Decimal32 | Decimal32Type, GuardConditionImpl |  |  |  |  |
+| _Decimal64 | Decimal64Type, GuardConditionImpl |  |  |  |  |
+| _Decimal128 | Decimal128Type, GuardConditionImpl |  |  |  |  |
 | _Float16 | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
 | _Float32 | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
 | _Float32x | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.57
-
-No user-facing changes.
-
 ## 1.7.56

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.57.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.57.md
@@ -1,3 +0,0 @@
-## 1.7.57
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.57
+lastReleaseVersion: 1.7.56
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.58-dev
+version: 1.7.57-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.57
-
-No user-facing changes.
-
 ## 1.7.56

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.57.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.57.md
@@ -1,3 +0,0 @@
-## 1.7.57
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.57
+lastReleaseVersion: 1.7.56
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.58-dev
+version: 1.7.57-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,22 +1,3 @@
-## 5.4.5
-
-### Minor Analysis Improvements
-
-* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
-* Updated the generated .NET “models as data” runtime models to cover .NET 10.
-* C# 14: Support for *implicit* span conversions in the QL library.
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
-* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
-* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
-
-### Bug Fixes
-
-* Fixed two issues affecting build mode `none`:
-  * Corrected version sorting logic when detecting the newest .NET framework to use.
-  * Improved stability for .NET 10 compatibility.
-* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
-
 ## 5.4.4

 No user-facing changes.
--- a/csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md
+++ b/csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
--- a/csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md
+++ b/csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
--- a/csharp/ql/lib/change-notes/2025-12-04-bmn-dotnet-fixes.md
+++ b/csharp/ql/lib/change-notes/2025-12-04-bmn-dotnet-fixes.md
@@ -0,0 +1,6 @@
+---
+category: fix
+---
+* Fixed two issues affecting build mode `none`:
+  * Corrected version sorting logic when detecting the newest .NET framework to use.
+  * Improved stability for .NET 10 compatibility.
--- a/csharp/ql/lib/change-notes/2025-12-09-bmn-default-dotnet.md
+++ b/csharp/ql/lib/change-notes/2025-12-09-bmn-default-dotnet.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
--- a/csharp/ql/lib/change-notes/2025-12-11-net10-basic-support.md
+++ b/csharp/ql/lib/change-notes/2025-12-11-net10-basic-support.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
--- a/csharp/ql/lib/change-notes/2025-12-11-slnx-support.md
+++ b/csharp/ql/lib/change-notes/2025-12-11-slnx-support.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
--- a/csharp/ql/lib/change-notes/2025-12-18-implicit-span-conversions.md
+++ b/csharp/ql/lib/change-notes/2025-12-18-implicit-span-conversions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Support for *implicit* span conversions in the QL library.
--- a/csharp/ql/lib/change-notes/2026-01-05-net-runtime-models.md
+++ b/csharp/ql/lib/change-notes/2026-01-05-net-runtime-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Updated the generated .NET “models as data” runtime models to cover .NET 10.
--- a/Show More
+++ b/Show More