v1.12.3

Show test results for tests with warnings

.github/dependabot.yml

@@ -8,8 +8,11 @@ updates:
     labels:
       - "Update dependencies"
     ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+      # @types/node is related to the version of VS Code we're supporting and should
+      # not be updated to a newer version of Node automatically. However, patch versions
+      # are unrelated to the Node version, so we allow those.
+      - dependency-name: "@types/node"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -17,6 +20,3 @@ updates:
       day: "thursday" # Thursday is arbitrary
     labels:
       - "Update dependencies"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

.github/workflows/cli-test.yml

@@ -11,6 +11,7 @@ on:
       - extensions/ql-vscode/src/language-support/**
       - extensions/ql-vscode/src/query-server/**
       - extensions/ql-vscode/supported_cli_versions.json
+      - extensions/ql-vscode/src/variant-analysis/run-remote-query.ts
 
 jobs:
   find-nightly:
@@ -109,3 +110,43 @@ jobs:
         if: matrix.os == 'windows-latest'
         run: |
           npm run test:cli-integration
+
+  report-failure:
+    name: Report failure on the default branch
+    runs-on: ubuntu-latest
+    needs: [cli-test]
+    if: failure() && github.ref == 'refs/heads/main'
+    permissions:
+      contents: read
+      issues: write
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Create GitHub issue
+        run: |
+          # Set -eu so that we fail if the gh command fails.
+          set -eu
+
+          # Try to find an existing open issue if there is one
+          ISSUE="$(gh issue list --repo "$GITHUB_REPOSITORY" --label "cli-test-failure" --state "open" --limit 1 --json number -q '.[0].number')"
+
+          if [[ -n "$ISSUE" ]]; then
+            echo "Found open issue number $ISSUE ($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/issues/$ISSUE)"
+          else
+            echo "Did not find an open tracking issue. Creating one."
+
+            ISSUE_BODY="issue-body.md"
+            printf "CLI tests have failed on the default branch.\n\n@github/code-scanning-secexp-reviewers" > "$ISSUE_BODY"
+
+            ISSUE="$(gh issue create --repo "$GITHUB_REPOSITORY" --label "cli-test-failure" --title "CLI test failure" --body-file "$ISSUE_BODY")"
+            # `gh issue create` returns the full issue URL, not just the number.
+            echo "Created issue with URL $ISSUE"
+          fi
+
+          COMMENT_FILE="comment.md"
+          RUN_URL=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
+          printf 'CLI test [%s](%s) failed on ref `%s`' "$GITHUB_RUN_ID" "$RUN_URL" "$GITHUB_REF" > "$COMMENT_FILE"
+
+          # `gh issue create` returns an issue URL, and `gh issue list | cut -f 1` returns an issue number.
+          # Both are accepted here.
+          gh issue comment "$ISSUE" --repo "$GITHUB_REPOSITORY" --body-file "$COMMENT_FILE"

.github/workflows/dependency-review.yml

@@ -13,4 +13,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@v4

.github/workflows/e2e-tests.yml

@@ -0,0 +1,46 @@
+name: Run E2E Playwright tests
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  e2e-test:
+    name: E2E Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: extensions/ql-vscode/.nvmrc
+          cache: 'npm'
+          cache-dependency-path: extensions/ql-vscode/package-lock.json
+
+      - name: Install dependencies
+        working-directory: extensions/ql-vscode
+        run: npm ci
+
+      - name: Start containers
+        working-directory: extensions/ql-vscode/test/e2e
+        run: docker-compose -f "docker-compose.yml" up -d --build
+
+      - name: Install Playwright Browsers
+        working-directory: extensions/ql-vscode
+        run: npx playwright install --with-deps
+      - name: Run Playwright tests
+        working-directory: extensions/ql-vscode/test/e2e
+        run: npx playwright test
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: playwright-report
+          path: extensions/ql-vscode/playwright-report/
+          retention-days: 30
+      - name: Stop containers
+        working-directory: extensions/ql-vscode/test/e2e
+        if: always()
+        run: docker-compose -f "docker-compose.yml" down -v

.github/workflows/main.yml

@@ -47,7 +47,7 @@ jobs:
           cp dist/*.vsix artifacts
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         if: matrix.os == 'ubuntu-latest'
         with:
           name: vscode-codeql-extension

.github/workflows/release.yml

@@ -54,13 +54,13 @@ jobs:
           echo "ref_name=$REF_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: vscode-codeql-extension
           path: artifacts
 
       - name: Upload source maps
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: vscode-codeql-sourcemaps
           path: dist/vscode-codeql/out/*.map
@@ -128,7 +128,7 @@ jobs:
       VSCE_TOKEN: ${{ secrets.VSCE_TOKEN }}
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: vscode-codeql-extension
 
@@ -145,7 +145,7 @@ jobs:
       OPEN_VSX_TOKEN: ${{ secrets.OPEN_VSX_TOKEN }}
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: vscode-codeql-extension
 

.github/workflows/update-node-version.yml

@@ -0,0 +1,58 @@
+name: Update Node version
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '15 12 * * *' # At 12:15 PM UTC every day
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  create-pr:
+    name: Create PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: extensions/ql-vscode/.nvmrc
+          cache: 'npm'
+          cache-dependency-path: extensions/ql-vscode/package-lock.json
+      - name: Install dependencies
+        working-directory: extensions/ql-vscode
+        run: |
+          npm ci
+        shell: bash
+      - name: Get current Node version
+        working-directory: extensions/ql-vscode
+        id: get-current-node-version
+        run: |
+          echo "version=$(cat .nvmrc)" >> $GITHUB_OUTPUT
+        shell: bash
+      - name: Update Node version
+        working-directory: extensions/ql-vscode
+        run: |
+          npx ts-node scripts/update-node-version.ts
+        shell: bash
+      - name: Get current Node version
+        working-directory: extensions/ql-vscode
+        id: get-new-node-version
+        run: |
+          echo "version=$(cat .nvmrc)" >> $GITHUB_OUTPUT
+        shell: bash
+      - name: Commit, Push and Open a PR
+        uses: ./.github/actions/create-pr
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          base-branch: main
+          head-branch: github-action/bump-node-version
+          commit-message: Bump Node version to ${{ steps.get-new-node-version.outputs.version }}
+          title: Bump Node version to ${{ steps.get-new-node-version.outputs.version }}
+          body: >
+            The Node version used in the latest version of VS Code has been updated. This PR updates the Node version
+            used for integration tests to match.
+
+            The previous Node version was ${{ steps.get-current-node-version.outputs.version }}. This PR updates the
+            Node version to ${{ steps.get-new-node-version.outputs.version }}.

.gitignore

@@ -19,3 +19,7 @@ artifacts/
 # CodeQL metadata
 .cache/
 .codeql/
+
+# E2E Reports
+**/playwright-report/**
+**/test-results/**

.markdownlint.json

@@ -1,4 +1,7 @@
 {
+  "ul-style": {
+    "style": "dash"
+  },
   "MD013": false,
   "MD041": false
 }

CODE_OF_CONDUCT.md

@@ -14,21 +14,21 @@ appearance, race, religion, or sexual identity and orientation.
 Examples of behavior that contributes to creating a positive environment
 include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
+- The use of sexualized language or imagery and unwelcome sexual attention or
   advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
   address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
+- Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
 ## Our Responsibilities
@@ -55,7 +55,7 @@ a project may be further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at opensource@github.com. All
+reported by contacting the project team at <opensource@github.com>. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -22,12 +22,12 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 Here are a few things you can do that will increase the likelihood of your pull request being accepted:
 
-* Follow the [style guide][style].
-* Write tests:
-  * [Tests that don't require the VS Code API are located here](extensions/ql-vscode/test).
-  * [Integration tests that do require the VS Code API are located here](extensions/ql-vscode/src/vscode-tests).
-* Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
-* Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
+- Follow the [style guide][style].
+- Write tests:
+  - [Tests that don't require the VS Code API are located here](extensions/ql-vscode/test).
+  - [Integration tests that do require the VS Code API are located here](extensions/ql-vscode/src/vscode-tests).
+- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
+- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
 
 ## Setting up a local build
 
@@ -99,6 +99,6 @@ More information about Storybook can be found inside the **Overview** page once
 
 ## Resources
 
-* [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
-* [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
-* [GitHub Help](https://help.github.com)
+- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
+- [GitHub Help](https://help.github.com)

README.md

@@ -6,28 +6,21 @@ The extension is released. You can download it from the [Visual Studio Marketpla
 
 To see what has changed in the last few versions of the extension, see the [Changelog](https://github.com/github/vscode-codeql/blob/main/extensions/ql-vscode/CHANGELOG.md).
 
-[![CI status badge](https://github.com/github/vscode-codeql/workflows/Build%20Extension/badge.svg)](https://github.com/github/vscode-codeql/actions?query=workflow%3A%22Build+Extension%22+branch%3Amaster)
+[![CI status badge](https://github.com/github/vscode-codeql/workflows/Build%20Extension/badge.svg)](https://github.com/github/vscode-codeql/actions?query=workflow%3A%22Build+Extension%22+branch%3Amain)
 [![VS Marketplace badge](https://vsmarketplacebadges.dev/version/github.vscode-codeql.svg)](https://marketplace.visualstudio.com/items?itemName=github.vscode-codeql)
 
 ## Features
 
-* Enables you to use CodeQL to query databases and discover problems in codebases.
-* Shows the flow of data through the results of path queries, which is essential for triaging security results.
-* Provides an easy way to run queries from the large, open source repository of [CodeQL security queries](https://github.com/github/codeql).
-* Adds IntelliSense to support you writing and editing your own CodeQL query and library files.
-* Supports you running CodeQL queries against thousands of repositories on GitHub using multi-repository variant analysis.
+- Enables you to use CodeQL to query databases and discover problems in codebases.
+- Shows the flow of data through the results of path queries, which is essential for triaging security results.
+- Provides an easy way to run queries from the large, open source repository of [CodeQL security queries](https://github.com/github/codeql).
+- Adds IntelliSense to support you writing and editing your own CodeQL query and library files.
+- Supports you running CodeQL queries against thousands of repositories on GitHub using multi-repository variant analysis.
 
 ## Project goals and scope
 
 This project will track new feature development in CodeQL and, whenever appropriate, bring that functionality to the Visual Studio Code experience.
 
-## Dependencies
-
-This extension depends on the following two extensions for required functionality. They will be installed automatically when you install VS Code CodeQL.
-
-* [Test Adapter Converter](https://marketplace.visualstudio.com/items?itemName=ms-vscode.test-adapter-converter)
-* [Test Explorer UI](https://marketplace.visualstudio.com/items?itemName=hbenl.vscode-test-explorer)
-
 ## Contributing
 
 This project welcomes contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to build, install, and contribute.

docs/node-version.md

@@ -7,24 +7,20 @@ We should make sure the CodeQL for VS Code extension works with the Node.js vers
 
 ## Checking the version of Node.js supplied by VS Code
 
-You can find this info by seleting "About Visual Studio Code" from the top menu.
+You can find this info by selecting "About Visual Studio Code" from the top menu.
 
 ![about-vscode](images/about-vscode.png)
 
 ## Updating the Node.js version
 
-The following files will need to be updated:
+To update the Node.js version, run:
 
-- `extensions/ql-vscode/.nvmrc` - this will enable nvm to automatically switch to the correct Node
-   version when you're in the project folder. It will also change the Node version the GitHub Actions
-   workflows use.
-- `extensions/ql-vscode/package.json` - the "engines.node: '[VERSION]'" setting
-- `extensions/ql-vscode/package.json` - the "@types/node: '[VERSION]'" dependency
-
-Then run `npm install` to update the `extensions/ql-vscode/package-lock.json` file.
+```bash
+npx ts-node scripts/update-node-version.ts
+```
 
 ## Node.js version used in tests
 
 Unit tests will use whatever version of Node.js is installed locally. In CI this will be the version specified in the workflow.
 
-Integration tests download a copy of VS Code and then will use whatever version of Node.js is provided by VS Code. Our integration tests are currently pinned to an older version of VS Code. See [VS Code version used in tests](./vscode-version.md#vs-code-version-used-in-tests) for more information.
+Integration tests download a copy of VS Code and then will use whatever version of Node.js is provided by VS Code. See [VS Code version used in tests](./vscode-version.md#vs-code-version-used-in-tests) for more information.

docs/releasing.md

@@ -1,33 +1,33 @@
 # Releasing (write access required)
 
 1. Determine the new version number. We default to increasing the patch version number, but make our own judgement about whether a change is big enough to warrant a minor version bump. Common reasons for a minor bump could include:
-    * Making substantial new features available to all users. This can include lifting a feature flag.
-    * Breakage in compatibility with recent versions of the CLI.
-    * Minimum required version of VS Code is increased.
-    * New telemetry events are added.
-    * Deprecation or removal of commands.
-    * Accumulation of many changes, none of which are individually big enough to warrant a minor bump, but which together are. This does not include changes which are purely internal to the extension, such as refactoring, or which are only available behind a feature flag.
+    - Making substantial new features available to all users. This can include lifting a feature flag.
+    - Breakage in compatibility with recent versions of the CLI.
+    - Minimum required version of VS Code is increased.
+    - New telemetry events are added.
+    - Deprecation or removal of commands.
+    - Accumulation of many changes, none of which are individually big enough to warrant a minor bump, but which together are. This does not include changes which are purely internal to the extension, such as refactoring, or which are only available behind a feature flag.
 1. Create a release branch named after the new version (e.g. `v1.3.6`):
-    * For a regular scheduled release this branch will be based on latest `main`.
-        * Make sure your local copy of `main` is up to date so you are including all changes.
-    * To do a minimal bug-fix release, base the release branch on the tag from the most recent release and then add only the changes you want to release.
-        * Choose this option if you want to release a specific set of changes (e.g. a bug fix) and don't want to incur extra risk by including other changes that have been merged to the `main` branch.
+    - For a regular scheduled release this branch will be based on latest `main`.
+        - Make sure your local copy of `main` is up to date so you are including all changes.
+    - To do a minimal bug-fix release, base the release branch on the tag from the most recent release and then add only the changes you want to release.
+        - Choose this option if you want to release a specific set of changes (e.g. a bug fix) and don't want to incur extra risk by including other changes that have been merged to the `main` branch.
 
         ```bash
         git checkout -b <new_release_branch> <previous_release_tag>
         ```
 
 1. Run the ["Run CLI tests" workflow](https://github.com/github/vscode-codeql/actions/workflows/cli-test.yml) and make sure the tests are green.
-    * You can skip this step if you are releasing from `main` and there were no merges since the most recent daily scheduled run of this workflow.
+    - You can skip this step if you are releasing from `main` and there were no merges since the most recent daily scheduled run of this workflow.
 1. Double-check the `CHANGELOG.md` contains all desired change comments and has the version to be released with date at the top.
-    * Go through PRs that have been merged since the previous release and make sure they are properly accounted for.
-    * Make sure all changelog entries have links back to their PR(s) if appropriate.
+    - Go through PRs that have been merged since the previous release and make sure they are properly accounted for.
+    - Make sure all changelog entries have links back to their PR(s) if appropriate.
 1. Double-check that the extension `package.json` and `package-lock.json` have the version you intend to release. If you are doing a patch release (as opposed to minor or major version) this should already be correct.
 1. Commit any changes made during steps 4 and 5 with a commit message the same as the branch name (e.g. `v1.3.6`).
 1. Open a PR for this release.
-    * The PR diff should contain:
-        * Any missing bits from steps 4 and 5. Most of the time, this will just be updating `CHANGELOG.md` with today's date.
-        * If releasing from a branch other than `main`, this PR will also contain the extension changes being released.
+    - The PR diff should contain:
+        - Any missing bits from steps 4 and 5. Most of the time, this will just be updating `CHANGELOG.md` with today's date.
+        - If releasing from a branch other than `main`, this PR will also contain the extension changes being released.
 1. Build the extension using `npm run build` and install it on your VS Code using "Install from VSIX".
 1. Go through [our test plan](./test-plan.md) to ensure that the extension is working as expected.
 1. Create a new tag on the release branch with your new version (named after the release), e.g.
@@ -37,8 +37,8 @@
     ```
 
 1. Merge the release PR into `main`.
-    * If there are conflicts in the changelog, make sure to place any new changelog entries at the top, above the section for the current release, as these new entries are not part of the current release and should be placed in the "unreleased" section.
-    * The release PR must be merged before pushing the tag to ensure that we always release a commit that is present on the `main` branch. It's not required that the commit is the head of the `main` branch, but there should be no chance of a future release accidentally not including changes from this release.
+    - If there are conflicts in the changelog, make sure to place any new changelog entries at the top, above the section for the current release, as these new entries are not part of the current release and should be placed in the "unreleased" section.
+    - The release PR must be merged before pushing the tag to ensure that we always release a commit that is present on the `main` branch. It's not required that the commit is the head of the `main` branch, but there should be no chance of a future release accidentally not including changes from this release.
 1. Push the new tag up:
 
     ```bash
@@ -46,13 +46,13 @@
     ```
 
 1. Find the [Release](https://github.com/github/vscode-codeql/actions?query=workflow%3ARelease) workflow run that was just triggered by pushing the tag, and monitor the status of the release build.
-    * DO NOT approve the "publish" stages of the workflow yet.
+    - DO NOT approve the "publish" stages of the workflow yet.
 1. Download the VSIX from the draft GitHub release at the top of [the releases page](https://github.com/github/vscode-codeql/releases) that is created when the release build finishes.
 1. Unzip the `.vsix` and inspect its `package.json` to make sure the version is what you expect,
    or look at the source if there's any doubt the right code is being shipped.
 1. Install the `.vsix` file into your vscode IDE and ensure the extension can load properly. Run a single command (like run query, or add database).
 1. Approve the deployments of the [Release](https://github.com/github/vscode-codeql/actions?query=workflow%3ARelease) workflow run. This will automatically publish to Open VSX and VS Code Marketplace.
-    * If there is an authentication failure when publishing, be sure to check that the authentication keys haven't expired. See below.
+    - If there is an authentication failure when publishing, be sure to check that the authentication keys haven't expired. See below.
 1. Go to the draft GitHub release in [the releases page](https://github.com/github/vscode-codeql/releases), click 'Edit', add some summary description, and publish it.
 1. Confirm the new release is marked as the latest release.
 1. If documentation changes need to be published, notify documentation team that release has been made.

docs/test-plan.md

@@ -57,14 +57,16 @@ choose to go through some of the Optional Test Cases.
 2. Select the `google/brotli` database (or download it if you don't have one already)
 3. Run a local query.
 4. Once the query completes:
+   - Chose the `#select` result set from the drop-down
    - Check that the results table is rendered
    - Check that result locations can be clicked on
 
 #### Test case 4: Can use AST viewer
 
 1. Click on any code location from a previous query to open a source file from a database
-2. Open the AST viewing panel and click "View AST"
-3. Once the AST is computed:
+2. Select the highlighted code in the source file
+3. Open the AST viewing panel and click "View AST"
+4. Once the AST is computed:
    - Check that it can be navigated
 
 ### MRVA
@@ -143,6 +145,48 @@ Run one of the above MRVAs, but cancel it from within VS Code:
 - Check that the workflow run is also canceled.
 - Check that any available results are visible in VS Code.
 
+#### Test Case 6: Using model packs in MRVA
+
+1. Create a model pack with mock data
+   1. Create a new directory `test-model-pack`
+   2. Create a `qlpack.yml` file in that directory with the following contents:
+
+      ```yaml
+      name: github/test-model-pack
+      version: 0.0.0
+      library: true
+      extensionTargets:
+        codeql/python-all: '*'
+      dataExtensions:
+        - extension.yml
+      ```
+
+   3. Create an `extension.yml` in the same directory with the following contents:
+
+      ```yaml
+      extensions:
+      - addsTo:
+          pack: codeql/python-all
+          extensible: sinkModel
+        data:
+         - ["vscode-codeql","Member[initialize].Argument[0]","code-injection"]
+      ```
+
+2. In a Python query pack, create the following query (e.g. `sinks.ql`):
+
+   ```ql
+   import python
+   import semmle.python.frameworks.data.internal.ApiGraphModelsExtensions
+
+   from string path, string kind
+   where sinkModel("vscode-codeql", path, kind)
+   select path, kind
+   ```
+
+3. Run a MRVA against a Python repository (e.g. `psf/requests`) with this query.
+4. Check that the results view contains 1 result with the values corresponding to the `extension.yml` file:
+   ![Model packs results table for `psf/requests`](images/model-pack-results-table.png)
+
 ### CodeQL Model Editor
 
 #### Test Case 1: Opening the model editor
@@ -151,7 +195,7 @@ Run one of the above MRVAs, but cancel it from within VS Code:
 2. Open the Model Editor with the "CodeQL: Open CodeQL Model Editor" command from the command palette.
    - Check that the editor loads and shows methods to model.
    - Check that methods are grouped per library (e.g. `rocksdbjni@7.7.3` or `asm@6.0`)
-   - Check that the "Open source" link works.
+   - Check that the "Open source" link works (if you have the database source).
    - Check that the 'View' button works and the Method Usage panel highlight the correct method and usage
    - Check that the Method Modeling panel shows the correct method and modeling state
 
@@ -170,6 +214,8 @@ Run one of the above MRVAs, but cancel it from within VS Code:
 
 Note that this test requires the feature flag: `codeQL.model.llmGeneration`
 
+A package that the AI normally gives models for is `javax.servlet-api` from the `jhy/jsoup` repository.
+
 1. Click "Model with AI".
    - Check that rows change to "Thinking".
    - Check that results come back and rows get filled out.
@@ -183,6 +229,24 @@ Note that this test requires the feature flag: `codeQL.model.flowGeneration`
 2. Click "Generate".
    - Check that rows are filled out.
 
+### GitHub database download
+
+#### Test case 1: Download a database
+
+Open a clone of the [`github/codeql`](https://github.com/github/codeql) repository as a folder.
+
+1. Wait a few seconds until the CodeQL extension is fully initialized.
+   - Check that the following prompt appears:
+
+     ![database-download-prompt](images/github-database-download-prompt.png)
+
+   - If the prompt does not appear, ensure that the `codeQL.githubDatabase.download` setting is not set in workspace or user settings.
+
+2. Click "Download".
+3. Select the "C#" and "JavaScript" databases.
+   - Check that there are separate notifications for both downloads.
+   - Check that both databases are added when the downloads are complete.
+
 ### General
 
 #### Test case 1: Change to a different colour theme

docs/testing.md

@@ -2,14 +2,14 @@
 
 We have several types of tests:
 
-* Unit tests: these live in the `tests/unit-tests/` directory
-* View tests: these live in `src/view/variant-analysis/__tests__/`
-* VSCode integration tests:
-  * `test/vscode-tests/activated-extension` tests: These are intended to cover functionality that require the full extension to be activated but don't require the CLI. This suite is not run against multiple versions of the CLI in CI.
-  * `test/vscode-tests/no-workspace` tests: These are intended to cover functionality around not having a workspace. The extension is not activated in these tests.
-  * `test/vscode-tests/minimal-workspace` tests: These are intended to cover functionality that need a workspace but don't require the full extension to be activated.
-* CLI integration tests: these live in `test/vscode-tests/cli-integration`
-  * These tests are intended to cover functionality that is related to the integration between the CodeQL CLI and the extension. These tests are run against each supported versions of the CLI in CI.
+- Unit tests: these live in the `tests/unit-tests/` directory
+- View tests: these live in `src/view/variant-analysis/__tests__/`
+- VSCode integration tests:
+  - `test/vscode-tests/activated-extension` tests: These are intended to cover functionality that require the full extension to be activated but don't require the CLI. This suite is not run against multiple versions of the CLI in CI.
+  - `test/vscode-tests/no-workspace` tests: These are intended to cover functionality around not having a workspace. The extension is not activated in these tests.
+  - `test/vscode-tests/minimal-workspace` tests: These are intended to cover functionality that need a workspace but don't require the full extension to be activated.
+- CLI integration tests: these live in `test/vscode-tests/cli-integration`
+  - These tests are intended to cover functionality that is related to the integration between the CodeQL CLI and the extension. These tests are run against each supported versions of the CLI in CI.
 
 The CLI integration tests require an instance of the CodeQL CLI to run so they will require some extra setup steps. When adding new tests to our test suite, please be mindful of whether they need to be in the cli-integration folder. If the tests don't depend on the CLI, they are better suited to being a VSCode integration test.
 
@@ -26,9 +26,9 @@ Pre-requisites:
 
 Then, from the `extensions/ql-vscode` directory, use the appropriate command to run the tests:
 
-* Unit tests: `npm run test:unit`
-* View Tests: `npm run test:view`
-* VSCode integration tests: `npm run test:vscode-integration`
+- Unit tests: `npm run test:unit`
+- View Tests: `npm run test:view`
+- VSCode integration tests: `npm run test:vscode-integration`
 
 #### Running CLI integration tests from the terminal
 
@@ -48,9 +48,9 @@ Alternatively, you can run the tests inside of VSCode. There are several VSCode
 
 You will need to run tests using a task from inside of VS Code, under the "Run and Debug" view:
 
-* Unit tests: run the _Launch Unit Tests_ task
-* View Tests: run the _Launch Unit Tests - React_ task
-* VSCode integration tests: run the _Launch Unit Tests - No Workspace_ and _Launch Unit Tests - Minimal Workspace_ tasks
+- Unit tests: run the _Launch Unit Tests_ task
+- View Tests: run the _Launch Unit Tests - React_ task
+- VSCode integration tests: run the _Launch Unit Tests - No Workspace_ and _Launch Unit Tests - Minimal Workspace_ tasks
 
 #### Running CLI integration tests from VSCode
 

docs/vscode-version.md

@@ -24,10 +24,18 @@ Also consider what percentage of our users are using each VS Code version. This
 
 ## How to update the VS Code version
 
-To provide a good experience to users, it is recommented to update the `MIN_VERSION` in `extension.ts` first and release, and then update the `vscode` version in `package.json` and release again. By stagging this update across two releases it gives users on older VS Code versions a chance to upgrade before it silently refuses to upgrade them.
+To provide a good experience to users, it is recommented to update the `MIN_VERSION` in `extension.ts` first and release, and then update the `vscode` version in `package.json` and release again.
+By staggering this update across two releases it gives users on older VS Code versions a chance to upgrade before it silently refuses to upgrade them.
+
+After updating the minimum version in `package.json`, make sure to also run the following command to update any generated
+files dependent on this version:
+
+```bash
+npm run generate
+```
 
 ## VS Code version used in tests
 
-Our integration tests are currently pinned to use an older version of VS Code due to <https://github.com/github/vscode-codeql/issues/2402>.
-This version is specified in [`jest-runner-vscode.config.base.js`](https://github.com/github/vscode-codeql/blob/d93f2b67c84e79737b0ce4bb74e31558b5f5166e/extensions/ql-vscode/test/vscode-tests/jest-runner-vscode.config.base.js#L17).
-Until this is resolved this will limit us updating our minimum supported version of VS Code.
+The integration tests use the latest stable version of VS Code. This is specified in
+the [`test/vscode-tests/jest-runner-vscode.config.base.js`](https://github.com/github/vscode-codeql/blob/main/extensions/ql-vscode/test/vscode-tests/jest-runner-vscode.config.base.js#L15)
+file. This shouldn't need to be updated unless there is a breaking change in VS Code that prevents the tests from running.

extensions/ql-vscode/.eslintrc.js

@@ -21,16 +21,17 @@ const baseConfig = {
   },
   extends: [
     "eslint:recommended",
-    "plugin:github/react",
     "plugin:github/recommended",
     "plugin:github/typescript",
     "plugin:jest-dom/recommended",
     "plugin:prettier/recommended",
     "plugin:@typescript-eslint/recommended",
+    "plugin:import/recommended",
+    "plugin:import/typescript",
+    "plugin:deprecation/recommended",
   ],
   rules: {
     "@typescript-eslint/await-thenable": "error",
-    "@typescript-eslint/no-use-before-define": 0,
     "@typescript-eslint/no-unused-vars": [
       "warn",
       {
@@ -39,39 +40,37 @@ const baseConfig = {
         ignoreRestSiblings: false,
       },
     ],
-    "@typescript-eslint/explicit-function-return-type": "off",
-    "@typescript-eslint/explicit-module-boundary-types": "off",
-    "@typescript-eslint/no-non-null-assertion": "off",
-    "@typescript-eslint/no-explicit-any": "off",
+    "@typescript-eslint/no-explicit-any": "error",
     "@typescript-eslint/no-floating-promises": ["error", { ignoreVoid: true }],
     "@typescript-eslint/no-invalid-this": "off",
     "@typescript-eslint/no-shadow": "off",
     "prefer-const": ["warn", { destructuring: "all" }],
     "@typescript-eslint/no-throw-literal": "error",
-    "no-useless-escape": 0,
-    camelcase: "off",
+    "@typescript-eslint/consistent-type-imports": "error",
+    "import/consistent-type-specifier-style": ["error", "prefer-top-level"],
+    curly: ["error", "all"],
     "escompat/no-regexp-lookbehind": "off",
     "etc/no-implicit-any-catch": "error",
     "filenames/match-regex": "off",
-    "filenames/match-regexp": "off",
-    "func-style": "off",
     "i18n-text/no-en": "off",
-    "import/named": "off",
-    "import/no-dynamic-require": "off",
-    "import/no-dynamic-required": "off",
-    "import/no-anonymous-default-export": "off",
-    "import/no-commonjs": "off",
-    "import/no-mutable-exports": "off",
-    "import/no-namespace": "off",
-    "import/no-unresolved": "off",
-    "import/no-webpack-loader-syntax": "off",
     "no-invalid-this": "off",
-    "no-fallthrough": "off",
     "no-console": "off",
     "no-shadow": "off",
     "github/array-foreach": "off",
     "github/no-then": "off",
     "react/jsx-key": ["error", { checkFragmentShorthand: true }],
+    "import/no-cycle": "error",
+    // Never allow extensions in import paths, except for JSON files where they are required.
+    "import/extensions": ["error", "never", { json: "always" }],
+  },
+  settings: {
+    "import/resolver": {
+      typescript: true,
+      node: true,
+    },
+    "import/extensions": [".js", ".jsx", ".ts", ".tsx", ".json"],
+    // vscode and sarif don't exist on-disk, but only provide types.
+    "import/core-modules": ["vscode", "sarif"],
   },
 };
 
@@ -87,8 +86,10 @@ module.exports = {
       extends: [
         ...baseConfig.extends,
         "plugin:react/recommended",
+        "plugin:react/jsx-runtime",
         "plugin:react-hooks/recommended",
         "plugin:storybook/recommended",
+        "plugin:github/react",
       ],
       rules: {
         ...baseConfig.rules,
@@ -107,7 +108,9 @@ module.exports = {
       extends: [
         ...baseConfig.extends,
         "plugin:react/recommended",
+        "plugin:react/jsx-runtime",
         "plugin:react-hooks/recommended",
+        "plugin:github/react",
       ],
       rules: {
         ...baseConfig.rules,
@@ -118,15 +121,6 @@ module.exports = {
         },
       },
     },
-    {
-      files: ["test/**/*"],
-      parserOptions: {
-        project: resolve(__dirname, "test/tsconfig.json"),
-      },
-      env: {
-        jest: true,
-      },
-    },
     {
       files: ["test/vscode-tests/**/*"],
       parserOptions: {
@@ -137,6 +131,8 @@ module.exports = {
       },
       rules: {
         ...baseConfig.rules,
+        // We want to allow mocking of functions in modules, so we need to allow namespace imports.
+        "import/no-namespace": "off",
         "@typescript-eslint/ban-types": [
           "error",
           {
@@ -151,6 +147,18 @@ module.exports = {
         ],
       },
     },
+    {
+      files: ["test/**/*"],
+      parserOptions: {
+        project: resolve(__dirname, "test/tsconfig.json"),
+      },
+      env: {
+        jest: true,
+      },
+      rules: {
+        "@typescript-eslint/no-explicit-any": "off",
+      },
+    },
     {
       files: [
         ".eslintrc.js",
@@ -171,5 +179,17 @@ module.exports = {
         "@typescript-eslint/no-var-requires": "off",
       },
     },
+    {
+      files: [".storybook/**/*.tsx"],
+      parserOptions: {
+        project: resolve(__dirname, ".storybook/tsconfig.json"),
+      },
+      rules: {
+        ...baseConfig.rules,
+        // Storybook doesn't use the automatic JSX runtime in the addon yet, so we need to allow
+        // `React` to be imported.
+        "import/no-namespace": ["error", { ignore: ["react"] }],
+      },
+    },
   ],
 };

extensions/ql-vscode/.nvmrc

@@ -1 +1 @@
-v18.15.0
+v18.17.1

extensions/ql-vscode/.storybook/preview.ts

@@ -1,4 +1,4 @@
-import { Preview } from "@storybook/react";
+import type { Preview } from "@storybook/react";
 import { themes } from "@storybook/theming";
 import { action } from "@storybook/addon-actions";
 

extensions/ql-vscode/.storybook/vscode-theme-addon/ThemeSelector.tsx

@@ -1,5 +1,6 @@
 import * as React from "react";
-import { FunctionComponent, useCallback } from "react";
+import type { FunctionComponent } from "react";
+import { useCallback } from "react";
 
 import { useGlobals } from "@storybook/manager-api";
 import {

extensions/ql-vscode/.storybook/vscode-theme-addon/manager.tsx

@@ -1,5 +1,6 @@
 import * as React from "react";
-import { addons, types } from "@storybook/manager-api";
+import { addons } from "@storybook/manager-api";
+import { Addon_TypesEnum } from "@storybook/types";
 import { ThemeSelector } from "./ThemeSelector";
 
 const ADDON_ID = "vscode-theme-addon";
@@ -7,7 +8,7 @@ const ADDON_ID = "vscode-theme-addon";
 addons.register(ADDON_ID, () => {
   addons.add(ADDON_ID, {
     title: "VSCode Themes",
-    type: types.TOOL,
+    type: Addon_TypesEnum.TOOL,
     match: ({ viewMode }) => !!(viewMode && viewMode.match(/^(story|docs)$/)),
     render: () => <ThemeSelector />,
   });

extensions/ql-vscode/.storybook/vscode-theme-addon/withTheme.ts

@@ -8,27 +8,27 @@ import { VSCodeTheme } from "./theme";
 
 const themeFiles: { [key in VSCodeTheme]: string } = {
   [VSCodeTheme.Dark]:
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    // eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs,import/no-webpack-loader-syntax
     require("!file-loader?modules!../../src/stories/vscode-theme-dark.css")
       .default,
   [VSCodeTheme.Light]:
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    // eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs,import/no-webpack-loader-syntax
     require("!file-loader?modules!../../src/stories/vscode-theme-light.css")
       .default,
   [VSCodeTheme.LightHighContrast]:
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    // eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs,import/no-webpack-loader-syntax
     require("!file-loader?modules!../../src/stories/vscode-theme-light-high-contrast.css")
       .default,
   [VSCodeTheme.DarkHighContrast]:
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    // eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs,import/no-webpack-loader-syntax
     require("!file-loader?modules!../../src/stories/vscode-theme-dark-high-contrast.css")
       .default,
   [VSCodeTheme.GitHubLightDefault]:
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    // eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs,import/no-webpack-loader-syntax
     require("!file-loader?modules!../../src/stories/vscode-theme-github-light-default.css")
       .default,
   [VSCodeTheme.GitHubDarkDefault]:
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    // eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs,import/no-webpack-loader-syntax
     require("!file-loader?modules!../../src/stories/vscode-theme-github-dark-default.css")
       .default,
 };

extensions/ql-vscode/CHANGELOG.md

@@ -1,11 +1,52 @@
 # CodeQL for Visual Studio Code: Changelog
 
+## 1.12.3 - 29 February 2024
+
+- Update variant analysis view to show when cancelation is in progress. [#3405](https://github.com/github/vscode-codeql/pull/3405)
+- Remove support for CodeQL CLI versions older than 2.13.5. [#3371](https://github.com/github/vscode-codeql/pull/3371)
+- Add a timeout to downloading databases and the CodeQL CLI. These can be changed using the `codeQL.addingDatabases.downloadTimeout` and `codeQL.cli.downloadTimeout` settings respectively. [#3373](https://github.com/github/vscode-codeql/pull/3373)
+
+## 1.12.2 - 14 February 2024
+
+- Stop allowing running variant analyses with a query outside of the workspace. [#3302](https://github.com/github/vscode-codeql/pull/3302)
+
+## 1.12.1 - 31 January 2024
+
+- Enable collection of telemetry for the `codeQL.addingDatabases.addDatabaseSourceToWorkspace` setting. [#3238](https://github.com/github/vscode-codeql/pull/3238)
+- In the CodeQL model editor, you can now select individual method rows and save changes to only the selected rows, instead of having to save the entire library model. [#3156](https://github.com/github/vscode-codeql/pull/3156)
+- If you run a query without having selected a database, we show a more intuitive prompt to help you select a database. [#3214](https://github.com/github/vscode-codeql/pull/3214)
+- Error messages returned from the CodeQL CLI are now less verbose and more user-friendly. [#3259](https://github.com/github/vscode-codeql/pull/3259)
+- The UI for browsing and running CodeQL tests has moved to use VS Code's built-in test UI. This makes the CodeQL test UI more consistent with the test UIs for other languages.
+  This change means that this extension no longer depends on the "Test Explorer UI" and "Test Adapter Converter" extensions. You can uninstall those two extensions if they are
+  not being used by any other extensions you may have installed. [#3232](https://github.com/github/vscode-codeql/pull/3232)
+
+## 1.12.0 - 11 January 2024
+
+- Add a prompt for downloading a GitHub database when opening a GitHub repository. [#3138](https://github.com/github/vscode-codeql/pull/3138)
+- Avoid showing a popup when hovering over source elements in database source files. [#3125](https://github.com/github/vscode-codeql/pull/3125)
+- Add comparison of alerts when comparing query results. This allows viewing path explanations for differences in alerts. [#3113](https://github.com/github/vscode-codeql/pull/3113)
+- Fix a bug where the CodeQL CLI and variant analysis results were corrupted after extraction in VS Code Insiders. [#3151](https://github.com/github/vscode-codeql/pull/3151) & [#3152](https://github.com/github/vscode-codeql/pull/3152)
+- Show progress when extracting the CodeQL CLI distribution during installation. [#3157](https://github.com/github/vscode-codeql/pull/3157)
+- Add option to cancel opening the model editor. [#3189](https://github.com/github/vscode-codeql/pull/3189)
+
+## 1.11.0 - 13 December 2023
+
+- Add a new method modeling panel to classify methods as sources/sinks/summaries while in the context of the source code. [#3128](https://github.com/github/vscode-codeql/pull/3128)
+- Adds the ability to add multiple classifications per method in the CodeQL Model Editor. [#3128](https://github.com/github/vscode-codeql/pull/3128)
+- Switch add and delete button positions in the CodeQL Model Editor. [#3123](https://github.com/github/vscode-codeql/pull/3123)
+- Add a prompt to the "Quick query" command to encourage users in single-folder workspaces to use "Create query" instead. [#3082](https://github.com/github/vscode-codeql/pull/3082)
+- Remove support for CodeQL CLI versions older than 2.11.6. [#3087](https://github.com/github/vscode-codeql/pull/3087)
+- Preserve focus on results viewer when showing a location in a file. [#3088](https://github.com/github/vscode-codeql/pull/3088)
+- The `dataflowtracking` and `tainttracking` snippets expand to the new module-based interface. [#3091](https://github.com/github/vscode-codeql/pull/3091)
+- The compare view will now show a loading message while the results are loading. [#3107](https://github.com/github/vscode-codeql/pull/3107)
+- Make top-banner of the model editor sticky [#3120](https://github.com/github/vscode-codeql/pull/3120)
+
 ## 1.10.0 - 16 November 2023
 
 - Add new CodeQL views for managing databases and queries:
   1. A queries panel that shows all queries in your workspace. It allows you to view, create, and run queries in one place.
   2. A language selector, which allows you to quickly filter databases and queries by language.
-  
+
   For more information, see the [documentation](https://codeql.github.com/docs/codeql-for-visual-studio-code/analyzing-your-projects/#filtering-databases-and-queries-by-language).
 - When adding a CodeQL database, we no longer add the database source folder to the workspace by default (since this caused bugs in single-folder workspaces). [#3047](https://github.com/github/vscode-codeql/pull/3047)
   - You can manually add individual database source folders to the workspace with the "Add Database Source to Workspace" right-click command in the databases view.
@@ -47,7 +88,7 @@ No user facing changes.
 
 ## 1.9.0 - 19 September 2023
 
-- Release the [CodeQL model editor](https://codeql.github.com/docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor) to create CodeQL model packs for Java frameworks. Open the editor using the "CodeQL: Open CodeQL Model Editor (Beta)" command. [#2823](https://github.com/github/vscode-codeql/pull/2823)
+- Release the [CodeQL model editor](https://codeql.github.com/docs/codeql-for-visual-studio-code/using-the-codeql-model-editor/) to create CodeQL model packs for Java frameworks. Open the editor using the "CodeQL: Open CodeQL Model Editor (Beta)" command. [#2823](https://github.com/github/vscode-codeql/pull/2823)
 
 ## 1.8.12 - 11 September 2023
 

extensions/ql-vscode/README.md

@@ -17,8 +17,6 @@ For information about other configurations, see the separate [CodeQL help](https
 ### Quick start: Installing and configuring the extension
 
 1. [Install the extension](#installing-the-extension).  
-   *Note: vscode-codeql installs the following dependencies for required functionality: [Test Adapter Converter](https://marketplace.visualstudio.com/items?itemName=ms-vscode.test-adapter-converter), [Test Explorer UI](https://marketplace.visualstudio.com/items?itemName=hbenl.vscode-test-explorer).*
-
 1. [Check access to the CodeQL CLI](#checking-access-to-the-codeql-cli).
 1. [Clone the CodeQL starter workspace](#cloning-the-codeql-starter-workspace).
 

extensions/ql-vscode/gulpfile.ts/appInsights.ts

@@ -1,5 +1,5 @@
 import { src, dest } from "gulp";
-// eslint-disable-next-line @typescript-eslint/no-var-requires
+// eslint-disable-next-line @typescript-eslint/no-var-requires,import/no-commonjs
 const replace = require("gulp-replace");
 
 /** Inject the application insights key into the telemetry file */

extensions/ql-vscode/gulpfile.ts/chromium-version.json

@@ -0,0 +1,4 @@
+{
+  "chromiumVersion": "114",
+  "electronVersion": "25.8.0"
+}

extensions/ql-vscode/gulpfile.ts/deploy.ts

@@ -9,7 +9,7 @@ import {
 } from "fs-extra";
 import { resolve, join } from "path";
 import { isDevBuild } from "./dev";
-import type * as packageJsonType from "../package.json";
+import type packageJsonType from "../package.json";
 
 export interface DeployedPackage {
   distPath: string;

extensions/ql-vscode/gulpfile.ts/index.ts

@@ -8,9 +8,14 @@ import {
   copyWasmFiles,
 } from "./typescript";
 import { compileTextMateGrammar } from "./textmate";
-import { compileView, watchView } from "./webpack";
 import { packageExtension } from "./package";
 import { injectAppInsightsKey } from "./appInsights";
+import {
+  checkViewTypeScript,
+  compileViewEsbuild,
+  watchViewCheckTypeScript,
+  watchViewEsbuild,
+} from "./view";
 
 export const buildWithoutPackage = series(
   cleanOutput,
@@ -19,23 +24,33 @@ export const buildWithoutPackage = series(
     copyWasmFiles,
     checkTypeScript,
     compileTextMateGrammar,
-    compileView,
+    compileViewEsbuild,
+    checkViewTypeScript,
   ),
 );
 
-export const watch = parallel(watchEsbuild, watchCheckTypeScript, watchView);
+export const watch = parallel(
+  // Always build first, so that we don't have to run build manually
+  compileEsbuild,
+  compileViewEsbuild,
+  watchEsbuild,
+  watchCheckTypeScript,
+  watchViewEsbuild,
+  watchViewCheckTypeScript,
+);
 
 export {
   cleanOutput,
   compileTextMateGrammar,
   watchEsbuild,
   watchCheckTypeScript,
-  watchView,
+  watchViewEsbuild,
   compileEsbuild,
   copyWasmFiles,
   checkTypeScript,
   injectAppInsightsKey,
-  compileView,
+  compileViewEsbuild,
+  checkViewTypeScript,
 };
 export default series(
   buildWithoutPackage,

extensions/ql-vscode/gulpfile.ts/textmate-grammar.ts

@@ -0,0 +1,91 @@
+/**
+ * A subset of the standard TextMate grammar that is used by our transformation
+ * step. For a full JSON schema, see:
+ * https://github.com/martinring/tmlanguage/blob/478ad124a21933cd4b0b65f1ee7ee18ee1f87473/tmlanguage.json
+ */
+export interface TextmateGrammar {
+  patterns: Pattern[];
+  repository?: Record<string, Pattern>;
+}
+
+/**
+ * The extended TextMate grammar as used by our transformation step. This is a superset of the
+ * standard TextMate grammar, and includes additional fields that are used by our transformation
+ * step.
+ *
+ * Any comment of the form `(?#ref-id)` in a `match`, `begin`, or `end` property will be replaced
+ * with the match text of the rule named "ref-id". If the rule named "ref-id" consists of just a
+ * `patterns` property with a list of `include` directives, the replacement pattern is the
+ * disjunction of the match patterns of all of the included rules.
+ */
+export interface ExtendedTextmateGrammar<MatchType = string> {
+  /**
+   * This represents the set of regular expression options to apply to all regular
+   * expressions throughout the file.
+   */
+  regexOptions?: string;
+  /**
+   * This element defines a map of macro names to replacement text. When a `match`, `begin`, or
+   * `end` property has a value that is a single-key map, the value is replaced with the value of the
+   * macro named by the key, with any use of `(?#)` in the macro text replaced with the text of the
+   * value of the key, surrounded by a non-capturing group (`(?:)`). For example:
+   *
+   * The `beginPattern` and `endPattern` Properties
+   * A rule can have a `beginPattern` or `endPattern` property whose value is a reference to another
+   * rule (e.g. `#other-rule`). The `beginPattern` property is replaced as follows:
+   *
+   * my-rule:
+   *   beginPattern: '#other-rule'
+   *
+   * would be transformed to
+   *
+   * my-rule:
+   *   begin: '(?#other-rule)'
+   *   beginCaptures:
+   *     '0':
+   *       patterns:
+   *       - include: '#other-rule'
+   *
+   * An `endPattern` property is transformed similary.
+   *
+   * macros:
+   *   repeat: '(?#)*'
+   * repository:
+   *   multi-letter:
+   *     match:
+   *       repeat: '[A-Za-z]'
+   *     name: scope.multi-letter
+   *
+   * would be transformed to
+   *
+   * repository:
+   *   multi-letter:
+   *     match: '(?:[A-Za-z])*'
+   *     name: scope.multi-letter
+   */
+  macros?: Record<string, string>;
+
+  patterns: Array<Pattern<MatchType>>;
+  repository?: Record<string, Pattern<MatchType>>;
+}
+
+export interface Pattern<MatchType = string> {
+  include?: string;
+  match?: MatchType;
+  begin?: MatchType;
+  end?: MatchType;
+  while?: MatchType;
+  captures?: Record<string, PatternCapture>;
+  beginCaptures?: Record<string, PatternCapture>;
+  endCaptures?: Record<string, PatternCapture>;
+  patterns?: Array<Pattern<MatchType>>;
+  beginPattern?: string;
+  endPattern?: string;
+}
+
+export interface PatternCapture {
+  name?: string;
+  patterns?: Pattern[];
+}
+
+export type ExtendedMatchType = string | Record<string, string>;

extensions/ql-vscode/gulpfile.ts/textmate.ts

@@ -2,7 +2,13 @@ import { dest, src } from "gulp";
 import { load } from "js-yaml";
 import { obj } from "through2";
 import PluginError from "plugin-error";
-import * as Vinyl from "vinyl";
+import type Vinyl from "vinyl";
+import type {
+  ExtendedMatchType,
+  ExtendedTextmateGrammar,
+  Pattern,
+  TextmateGrammar,
+} from "./textmate-grammar";
 
 /**
  * Replaces all rule references with the match pattern of the referenced rule.
@@ -34,7 +40,9 @@ function replaceReferencesWithStrings(
  * @param yaml The root of the YAML document.
  * @returns A map from macro name to replacement text.
  */
-function gatherMacros(yaml: any): Map<string, string> {
+function gatherMacros<T>(
+  yaml: ExtendedTextmateGrammar<T>,
+): Map<string, string> {
   const macros = new Map<string, string>();
   for (const key in yaml.macros) {
     macros.set(key, yaml.macros[key]);
@@ -51,7 +59,7 @@ function gatherMacros(yaml: any): Map<string, string> {
  * @returns The match text for the rule. This is either the value of the rule's `match` property,
  *  or the disjunction of the match text of all of the other rules `include`d by this rule.
  */
-function getNodeMatchText(rule: any): string {
+function getNodeMatchText(rule: Pattern): string {
   if (rule.match !== undefined) {
     // For a match string, just use that string as the replacement.
     return rule.match;
@@ -78,7 +86,7 @@ function getNodeMatchText(rule: any): string {
  * @returns A map whose keys are the names of rules, and whose values are the corresponding match
  *  text of each rule.
  */
-function gatherMatchTextForRules(yaml: any): Map<string, string> {
+function gatherMatchTextForRules(yaml: TextmateGrammar): Map<string, string> {
   const replacements = new Map<string, string>();
   for (const key in yaml.repository) {
     const node = yaml.repository[key];
@@ -94,9 +102,14 @@ function gatherMatchTextForRules(yaml: any): Map<string, string> {
  * @param yaml The root of the YAML document.
  * @param action Callback to invoke on each rule.
  */
-function visitAllRulesInFile(yaml: any, action: (rule: any) => void) {
+function visitAllRulesInFile<T>(
+  yaml: ExtendedTextmateGrammar<T>,
+  action: (rule: Pattern<T>) => void,
+) {
   visitAllRulesInRuleMap(yaml.patterns, action);
-  visitAllRulesInRuleMap(yaml.repository, action);
+  if (yaml.repository) {
+    visitAllRulesInRuleMap(Object.values(yaml.repository), action);
+  }
 }
 
 /**
@@ -107,9 +120,11 @@ function visitAllRulesInFile(yaml: any, action: (rule: any) => void) {
  * @param ruleMap The map or array of rules to visit.
  * @param action Callback to invoke on each rule.
  */
-function visitAllRulesInRuleMap(ruleMap: any, action: (rule: any) => void) {
-  for (const key in ruleMap) {
-    const rule = ruleMap[key];
+function visitAllRulesInRuleMap<T>(
+  ruleMap: Array<Pattern<T>>,
+  action: (rule: Pattern<T>) => void,
+) {
+  for (const rule of ruleMap) {
     if (typeof rule === "object") {
       action(rule);
       if (rule.patterns !== undefined) {
@@ -125,16 +140,22 @@ function visitAllRulesInRuleMap(ruleMap: any, action: (rule: any) => void) {
  * @param rule The rule whose matches are to be transformed.
  * @param action The transformation to make on each match pattern.
  */
-function visitAllMatchesInRule(rule: any, action: (match: any) => any) {
+function visitAllMatchesInRule<T>(rule: Pattern<T>, action: (match: T) => T) {
   for (const key in rule) {
     switch (key) {
       case "begin":
       case "end":
       case "match":
-      case "while":
-        rule[key] = action(rule[key]);
-        break;
+      case "while": {
+        const ruleElement = rule[key];
 
+        if (!ruleElement) {
+          continue;
+        }
+
+        rule[key] = action(ruleElement);
+        break;
+      }
       default:
         break;
     }
@@ -148,14 +169,17 @@ function visitAllMatchesInRule(rule: any, action: (match: any) => any) {
  * @param rule Rule to be transformed.
  * @param key Base key of the property to be transformed.
  */
-function expandPatternMatchProperties(rule: any, key: "begin" | "end") {
-  const patternKey = `${key}Pattern`;
-  const capturesKey = `${key}Captures`;
+function expandPatternMatchProperties<T>(
+  rule: Pattern<T>,
+  key: "begin" | "end",
+) {
+  const patternKey = `${key}Pattern` as const;
+  const capturesKey = `${key}Captures` as const;
   const pattern = rule[patternKey];
   if (pattern !== undefined) {
     const patterns: string[] = Array.isArray(pattern) ? pattern : [pattern];
-    rule[key] = patterns.map((p) => `((?${p}))`).join("|");
-    const captures: { [index: string]: any } = {};
+    rule[key] = patterns.map((p) => `((?${p}))`).join("|") as T;
+    const captures: Pattern["captures"] = {};
     for (const patternIndex in patterns) {
       captures[(Number(patternIndex) + 1).toString()] = {
         patterns: [
@@ -175,7 +199,7 @@ function expandPatternMatchProperties(rule: any, key: "begin" | "end") {
  *
  * @param yaml The root of the YAML document.
  */
-function transformFile(yaml: any) {
+function transformFile(yaml: ExtendedTextmateGrammar<ExtendedMatchType>) {
   const macros = gatherMacros(yaml);
   visitAllRulesInFile(yaml, (rule) => {
     expandPatternMatchProperties(rule, "begin");
@@ -198,24 +222,29 @@ function transformFile(yaml: any) {
 
   yaml.macros = undefined;
 
-  const replacements = gatherMatchTextForRules(yaml);
+  // We have removed all object match properties, so we don't have an extended match type anymore.
+  const macrolessYaml = yaml as ExtendedTextmateGrammar;
+
+  const replacements = gatherMatchTextForRules(macrolessYaml);
   // Expand references in matches.
-  visitAllRulesInFile(yaml, (rule) => {
+  visitAllRulesInFile(macrolessYaml, (rule) => {
     visitAllMatchesInRule(rule, (match) => {
       return replaceReferencesWithStrings(match, replacements);
     });
   });
 
-  if (yaml.regexOptions !== undefined) {
-    const regexOptions = `(?${yaml.regexOptions})`;
-    visitAllRulesInFile(yaml, (rule) => {
+  if (macrolessYaml.regexOptions !== undefined) {
+    const regexOptions = `(?${macrolessYaml.regexOptions})`;
+    visitAllRulesInFile(macrolessYaml, (rule) => {
       visitAllMatchesInRule(rule, (match) => {
         return regexOptions + match;
       });
     });
 
-    yaml.regexOptions = undefined;
+    macrolessYaml.regexOptions = undefined;
   }
+
+  return macrolessYaml;
 }
 
 export function transpileTextMateGrammar() {
@@ -230,8 +259,8 @@ export function transpileTextMateGrammar() {
       } else if (file.isBuffer()) {
         const buf: Buffer = file.contents;
         const yamlText: string = buf.toString("utf8");
-        const jsonData: any = load(yamlText);
-        transformFile(jsonData);
+        const yamlData = load(yamlText) as TextmateGrammar;
+        const jsonData = transformFile(yamlData);
 
         file.contents = Buffer.from(JSON.stringify(jsonData, null, 2), "utf8");
         file.extname = ".json";

extensions/ql-vscode/gulpfile.ts/typescript.ts

@@ -1,10 +1,11 @@
 import { gray, red } from "ansi-colors";
 import { dest, src, watch } from "gulp";
 import esbuild from "gulp-esbuild";
-import ts from "gulp-typescript";
+import type { reporter } from "gulp-typescript";
+import { createProject } from "gulp-typescript";
 import del from "del";
 
-function goodReporter(): ts.reporter.Reporter {
+export function goodReporter(): reporter.Reporter {
   return {
     error: (error, typescript) => {
       if (error.tsFile) {
@@ -27,7 +28,7 @@ function goodReporter(): ts.reporter.Reporter {
   };
 }
 
-const tsProject = ts.createProject("tsconfig.json");
+const tsProject = createProject("tsconfig.json");
 
 export function cleanOutput() {
   return tsProject.projectDirectory
@@ -56,7 +57,7 @@ export function compileEsbuild() {
 }
 
 export function watchEsbuild() {
-  watch("src/**/*.ts", compileEsbuild);
+  watch(["src/**/*.ts", "!src/view/**/*.ts"], compileEsbuild);
 }
 
 export function checkTypeScript() {
@@ -66,7 +67,7 @@ export function checkTypeScript() {
 }
 
 export function watchCheckTypeScript() {
-  watch("src/**/*.ts", checkTypeScript);
+  watch(["src/**/*.ts", "!src/view/**/*.ts"], checkTypeScript);
 }
 
 export function copyWasmFiles() {

extensions/ql-vscode/gulpfile.ts/view.ts

@@ -0,0 +1,42 @@
+import { dest, src, watch } from "gulp";
+import esbuild from "gulp-esbuild";
+import { createProject } from "gulp-typescript";
+import { goodReporter } from "./typescript";
+
+import chromiumVersion from "./chromium-version.json";
+
+const tsProject = createProject("src/view/tsconfig.json");
+
+export function compileViewEsbuild() {
+  return src("./src/view/webview.tsx")
+    .pipe(
+      esbuild({
+        outfile: "webview.js",
+        bundle: true,
+        format: "iife",
+        platform: "browser",
+        target: `chrome${chromiumVersion.chromiumVersion}`,
+        jsx: "automatic",
+        sourcemap: "linked",
+        sourceRoot: "..",
+        loader: {
+          ".ttf": "file",
+        },
+      }),
+    )
+    .pipe(dest("out"));
+}
+
+export function watchViewEsbuild() {
+  watch(["src/**/*.{ts,tsx}"], compileViewEsbuild);
+}
+
+export function checkViewTypeScript() {
+  // This doesn't actually output the TypeScript files, it just
+  // runs the TypeScript compiler and reports any errors.
+  return tsProject.src().pipe(tsProject(goodReporter()));
+}
+
+export function watchViewCheckTypeScript() {
+  watch(["src/**/*.{ts,tsx}"], checkViewTypeScript);
+}

extensions/ql-vscode/gulpfile.ts/webpack.config.ts

@@ -1,73 +0,0 @@
-import { resolve } from "path";
-import * as webpack from "webpack";
-import MiniCssExtractPlugin from "mini-css-extract-plugin";
-import { isDevBuild } from "./dev";
-
-export const config: webpack.Configuration = {
-  mode: isDevBuild ? "development" : "production",
-  entry: {
-    webview: "./src/view/webview.tsx",
-  },
-  output: {
-    path: resolve(__dirname, "..", "out"),
-    filename: "[name].js",
-  },
-  devtool: isDevBuild ? "inline-source-map" : "source-map",
-  resolve: {
-    extensions: [".js", ".ts", ".tsx", ".json"],
-  },
-  module: {
-    rules: [
-      {
-        test: /\.(ts|tsx)$/,
-        loader: "ts-loader",
-        options: {
-          configFile: "src/view/tsconfig.json",
-        },
-      },
-      {
-        test: /\.less$/,
-        use: [
-          MiniCssExtractPlugin.loader,
-          {
-            loader: "css-loader",
-            options: {
-              importLoaders: 1,
-              sourceMap: true,
-            },
-          },
-          {
-            loader: "less-loader",
-            options: {
-              javascriptEnabled: true,
-              sourceMap: true,
-            },
-          },
-        ],
-      },
-      {
-        test: /\.css$/,
-        use: [
-          MiniCssExtractPlugin.loader,
-          {
-            loader: "css-loader",
-            options: {
-              sourceMap: true,
-            },
-          },
-        ],
-      },
-      {
-        test: /\.(woff(2)?|ttf|eot)$/,
-        type: "asset/resource",
-        generator: {
-          filename: "fonts/[hash][ext][query]",
-        },
-      },
-    ],
-  },
-  performance: {
-    hints: false,
-  },
-  plugins: [new MiniCssExtractPlugin()],
-};

extensions/ql-vscode/gulpfile.ts/webpack.ts

@@ -1,57 +0,0 @@
-import webpack from "webpack";
-import { config } from "./webpack.config";
-
-export function compileView(cb: (err?: Error) => void) {
-  doWebpack(config, true, cb);
-}
-
-export function watchView(cb: (err?: Error) => void) {
-  const watchConfig = {
-    ...config,
-    watch: true,
-    watchOptions: {
-      aggregateTimeout: 200,
-      poll: 1000,
-    },
-  };
-  doWebpack(watchConfig, false, cb);
-}
-
-function doWebpack(
-  internalConfig: webpack.Configuration,
-  failOnError: boolean,
-  cb: (err?: Error) => void,
-) {
-  const resultCb = (error: Error | undefined, stats?: webpack.Stats) => {
-    if (error) {
-      cb(error);
-    }
-    if (stats) {
-      console.log(
-        stats.toString({
-          errorDetails: true,
-          colors: true,
-          assets: false,
-          builtAt: false,
-          version: false,
-          hash: false,
-          entrypoints: false,
-          timings: false,
-          modules: false,
-          errors: true,
-        }),
-      );
-      if (stats.hasErrors()) {
-        if (failOnError) {
-          cb(new Error("Compilation errors detected."));
-          return;
-        } else {
-          console.error("Compilation errors detected.");
-        }
-      }
-      cb();
-    }
-  };
-
-  webpack(internalConfig, resultCb);
-}

extensions/ql-vscode/jest.config.js

@@ -4,6 +4,7 @@
  */
 
 /** @type {import('@jest/types').Config.InitialOptions} */
+// eslint-disable-next-line import/no-commonjs
 module.exports = {
   projects: [
     "<rootDir>/src/view",

extensions/ql-vscode/package.json

@@ -4,7 +4,7 @@
   "description": "CodeQL for Visual Studio Code",
   "author": "GitHub",
   "private": true,
-  "version": "1.10.0",
+  "version": "1.12.3",
   "publisher": "GitHub",
   "license": "MIT",
   "icon": "media/VS-marketplace-CodeQL-icon.png",
@@ -14,14 +14,14 @@
   },
   "engines": {
     "vscode": "^1.82.0",
-    "node": "^18.15.0",
+    "node": "^18.17.1",
     "npm": ">=7.20.6"
   },
   "categories": [
     "Programming Languages"
   ],
   "extensionDependencies": [
-    "hbenl.vscode-test-explorer"
+    "vscode.git"
   ],
   "capabilities": {
     "untrustedWorkspaces": {
@@ -38,7 +38,8 @@
     "onWebviewPanel:resultsView",
     "onWebviewPanel:codeQL.variantAnalysis",
     "onWebviewPanel:codeQL.dataFlowPaths",
-    "onFileSystem:codeql-zip-archive"
+    "onFileSystem:codeql-zip-archive",
+    "workspaceContains:.git"
   ],
   "main": "./out/extension",
   "files": [
@@ -177,6 +178,11 @@
             "type": "string",
             "default": "",
             "markdownDescription": "Path to the CodeQL executable that should be used by the CodeQL extension. The executable is named `codeql` on Linux/Mac and `codeql.exe` on Windows. If empty, the extension will look for a CodeQL executable on your shell PATH, or if CodeQL is not on your PATH, download and manage its own CodeQL executable (note: if you later introduce CodeQL on your PATH, the extension will prefer a CodeQL executable it has downloaded itself)."
+          },
+          "codeQL.cli.downloadTimeout": {
+            "type": "integer",
+            "default": 10,
+            "description": "Download timeout in seconds for downloading the CLI distribution."
           }
         }
       },
@@ -375,6 +381,11 @@
         "title": "Adding databases",
         "order": 6,
         "properties": {
+          "codeQL.addingDatabases.downloadTimeout": {
+            "type": "integer",
+            "default": 10,
+            "description": "Download timeout in seconds for adding a CodeQL database."
+          },
           "codeQL.addingDatabases.allowHttp": {
             "type": "boolean",
             "default": false,
@@ -419,8 +430,41 @@
       },
       {
         "type": "object",
-        "title": "Log insights",
+        "title": "GitHub Databases",
         "order": 8,
+        "properties": {
+          "codeQL.githubDatabase.download": {
+            "type": "string",
+            "default": "ask",
+            "enum": [
+              "ask",
+              "never"
+            ],
+            "enumDescriptions": [
+              "Ask to download a GitHub database when a workspace is opened.",
+              "Never download a GitHub databases when a workspace is opened."
+            ],
+            "description": "Ask to download a GitHub database when a workspace is opened."
+          },
+          "codeQL.githubDatabase.update": {
+            "type": "string",
+            "default": "ask",
+            "enum": [
+              "ask",
+              "never"
+            ],
+            "enumDescriptions": [
+              "Ask to download an updated GitHub database when a new version is available.",
+              "Never download an updated GitHub database when a new version is available."
+            ],
+            "description": "Ask to download an updated GitHub database when a new version is available."
+          }
+        }
+      },
+      {
+        "type": "object",
+        "title": "Log insights",
+        "order": 9,
         "properties": {
           "codeQL.logInsights.joinOrderWarningThreshold": {
             "type": "number",
@@ -434,7 +478,7 @@
       {
         "type": "object",
         "title": "Telemetry",
-        "order": 9,
+        "order": 10,
         "properties": {
           "codeQL.telemetry.enableTelemetry": {
             "type": "boolean",
@@ -511,6 +555,14 @@
         "command": "codeQL.runVariantAnalysisContextEditor",
         "title": "CodeQL: Run Variant Analysis"
       },
+      {
+        "command": "codeQL.runVariantAnalysisContextExplorer",
+        "title": "CodeQL: Run Variant Analysis"
+      },
+      {
+        "command": "codeQL.runVariantAnalysisPublishedPack",
+        "title": "CodeQL: Run Variant Analysis against published pack"
+      },
       {
         "command": "codeQL.exportSelectedVariantAnalysisResults",
         "title": "CodeQL: Export Variant Analysis Results"
@@ -1287,6 +1339,11 @@
           "group": "9_qlCommands",
           "when": "resourceScheme != codeql-zip-archive"
         },
+        {
+          "command": "codeQL.runVariantAnalysisContextExplorer",
+          "group": "9_qlCommands",
+          "when": "resourceExtname == .ql && config.codeQL.canary && config.codeQL.variantAnalysis.multiQuery"
+        },
         {
           "command": "codeQL.openReferencedFileContextExplorer",
           "group": "9_qlCommands",
@@ -1363,6 +1420,14 @@
           "command": "codeQL.runVariantAnalysis",
           "when": "editorLangId == ql && resourceExtname == .ql"
         },
+        {
+          "command": "codeQL.runVariantAnalysisContextExplorer",
+          "when": "false"
+        },
+        {
+          "command": "codeQL.runVariantAnalysisPublishedPack",
+          "when": "config.codeQL.canary && config.codeQL.variantAnalysis.multiQuery"
+        },
         {
           "command": "codeQL.runVariantAnalysisContextEditor",
           "when": "false"
@@ -1377,7 +1442,7 @@
         },
         {
           "command": "codeQL.quickEvalCount",
-          "when": "editorLangId == ql && codeql.supportsQuickEvalCount"
+          "when": "editorLangId == ql"
         },
         {
           "command": "codeQL.quickEvalContextEditor",
@@ -1800,15 +1865,14 @@
         {
           "id": "codeQLMethodModeling",
           "type": "webview",
-          "name": "CodeQL Method Modeling",
-          "when": "config.codeQL.canary"
+          "name": "CodeQL Method Modeling"
         }
       ],
       "codeql-methods-usage": [
         {
           "id": "codeQLMethodsUsage",
           "name": "CodeQL Methods Usage",
-          "when": "config.codeQL.canary && codeql.modelEditorOpen"
+          "when": "codeql.modelEditorOpen"
         }
       ]
     },
@@ -1868,74 +1932,72 @@
     "lint:scenarios": "ts-node scripts/lint-scenarios.ts",
     "generate": "npm-run-all -p generate:*",
     "generate:schemas": "ts-node scripts/generate-schemas.ts",
+    "generate:chromium-version": "ts-node scripts/generate-chromium-version.ts",
     "check-types": "find . -type f -name \"tsconfig.json\" -not -path \"./node_modules/*\" | sed -r 's|/[^/]+$||' | sort | uniq | xargs -I {} sh -c \"echo Checking types in {} && cd {} && npx tsc --noEmit\"",
     "postinstall": "patch-package",
     "prepare": "cd ../.. && husky install"
   },
   "dependencies": {
+    "@floating-ui/react": "^0.26.9",
     "@octokit/plugin-retry": "^6.0.1",
     "@octokit/rest": "^20.0.2",
-    "@vscode/codicons": "^0.0.31",
+    "@vscode/codicons": "^0.0.35",
     "@vscode/debugadapter": "^1.59.0",
     "@vscode/debugprotocol": "^1.59.0",
     "@vscode/webview-ui-toolkit": "^1.0.1",
     "ajv": "^8.11.0",
     "child-process-promise": "^2.2.1",
-    "chokidar": "^3.5.3",
-    "classnames": "^2.2.6",
+    "chokidar": "^3.6.0",
     "d3": "^7.6.1",
     "d3-graphviz": "^5.0.2",
     "fs-extra": "^11.1.1",
-    "immutable": "^4.0.0",
     "js-yaml": "^4.1.0",
-    "msw": "^2.0.0",
+    "msw": "^2.0.13",
     "nanoid": "^5.0.1",
     "node-fetch": "^2.6.7",
-    "p-queue": "^7.4.1",
+    "p-queue": "^8.0.1",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
-    "semver": "^7.5.2",
+    "semver": "^7.6.0",
     "source-map": "^0.7.4",
     "source-map-support": "^0.5.21",
     "stream-json": "^1.7.3",
-    "styled-components": "^6.0.2",
-    "tmp": "^0.1.0",
+    "styled-components": "^6.1.8",
+    "tmp": "^0.2.1",
     "tmp-promise": "^3.0.2",
     "tree-kill": "^1.2.2",
-    "unzipper": "^0.10.5",
     "vscode-extension-telemetry": "^0.1.6",
     "vscode-jsonrpc": "^8.0.2",
     "vscode-languageclient": "^8.0.2",
-    "vscode-test-adapter-api": "^1.7.0",
-    "vscode-test-adapter-util": "^0.7.0",
-    "zip-a-folder": "^3.1.3"
+    "yauzl": "^2.10.0",
+    "zip-a-folder": "^3.1.6"
   },
   "devDependencies": {
     "@babel/core": "^7.18.13",
     "@babel/plugin-transform-modules-commonjs": "^7.18.6",
-    "@babel/preset-env": "^7.21.4",
+    "@babel/preset-env": "^7.23.9",
     "@babel/preset-react": "^7.18.6",
     "@babel/preset-typescript": "^7.21.4",
-    "@faker-js/faker": "^8.0.2",
-    "@github/markdownlint-github": "^0.3.0",
+    "@faker-js/faker": "^8.4.1",
+    "@github/markdownlint-github": "^0.6.0",
     "@octokit/plugin-throttling": "^8.0.0",
-    "@storybook/addon-a11y": "^7.4.6",
+    "@playwright/test": "^1.40.1",
+    "@storybook/addon-a11y": "^7.6.15",
     "@storybook/addon-actions": "^7.1.0",
     "@storybook/addon-essentials": "^7.1.0",
     "@storybook/addon-interactions": "^7.1.0",
     "@storybook/addon-links": "^7.1.0",
-    "@storybook/components": "^7.1.0",
+    "@storybook/components": "^7.6.17",
     "@storybook/csf": "^0.1.1",
-    "@storybook/manager-api": "^7.1.0",
+    "@storybook/manager-api": "^7.6.7",
     "@storybook/react": "^7.1.0",
-    "@storybook/react-webpack5": "^7.1.0",
-    "@storybook/theming": "^7.1.0",
-    "@testing-library/dom": "^9.3.0",
-    "@testing-library/jest-dom": "^6.0.0",
-    "@testing-library/react": "^14.0.0",
-    "@testing-library/user-event": "^14.4.3",
+    "@storybook/react-webpack5": "^7.6.12",
+    "@storybook/theming": "^7.6.12",
+    "@testing-library/dom": "^9.3.4",
+    "@testing-library/jest-dom": "^6.4.2",
+    "@testing-library/react": "^14.2.1",
+    "@testing-library/user-event": "^14.5.2",
     "@types/child-process-promise": "^2.2.1",
-    "@types/classnames": "^2.2.9",
     "@types/d3": "^7.4.0",
     "@types/d3-graphviz": "^2.6.6",
     "@types/del": "^4.0.0",
@@ -1945,45 +2007,46 @@
     "@types/jest": "^29.0.2",
     "@types/js-yaml": "^4.0.6",
     "@types/nanoid": "^3.0.0",
-    "@types/node": "18.15.0",
+    "@types/node": "18.17.*",
     "@types/node-fetch": "^2.5.2",
     "@types/react": "^18.0.28",
-    "@types/react-dom": "^18.0.11",
+    "@types/react-dom": "^18.2.18",
     "@types/sarif": "^2.1.2",
     "@types/semver": "^7.2.0",
     "@types/stream-json": "^1.7.1",
     "@types/styled-components": "^5.1.11",
-    "@types/tar-stream": "^2.2.2",
+    "@types/tar-stream": "^3.1.3",
     "@types/through2": "^2.0.36",
-    "@types/tmp": "^0.1.0",
+    "@types/tmp": "^0.2.6",
     "@types/unzipper": "^0.10.1",
     "@types/vscode": "^1.82.0",
-    "@types/webpack": "^5.28.0",
-    "@types/webpack-env": "^1.18.0",
-    "@typescript-eslint/eslint-plugin": "^6.2.1",
-    "@typescript-eslint/parser": "^6.2.1",
+    "@types/yauzl": "^2.10.3",
+    "@typescript-eslint/eslint-plugin": "^6.19.0",
+    "@typescript-eslint/parser": "^6.21.0",
     "@vscode/test-electron": "^2.2.0",
     "@vscode/vsce": "^2.19.0",
     "ansi-colors": "^4.1.1",
-    "applicationinsights": "^2.3.5",
-    "cosmiconfig": "^8.2.0",
+    "applicationinsights": "^2.9.2",
+    "cosmiconfig": "^9.0.0",
     "cross-env": "^7.0.3",
-    "css-loader": "^6.8.1",
+    "css-loader": "^6.10.0",
     "del": "^6.0.0",
-    "esbuild": "^0.15.15",
-    "eslint": "^8.23.1",
+    "eslint": "^8.56.0",
     "eslint-config-prettier": "^9.0.0",
+    "eslint-import-resolver-typescript": "^3.6.1",
+    "eslint-plugin-deprecation": "^2.0.0",
     "eslint-plugin-etc": "^2.0.2",
     "eslint-plugin-github": "^4.4.1",
+    "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-jest-dom": "^5.0.1",
-    "eslint-plugin-prettier": "^5.0.0",
+    "eslint-plugin-prettier": "^5.1.3",
     "eslint-plugin-react": "^7.31.8",
     "eslint-plugin-react-hooks": "^4.6.0",
     "eslint-plugin-storybook": "^0.6.4",
     "file-loader": "^6.2.0",
     "glob": "^10.0.0",
     "gulp": "^4.0.2",
-    "gulp-esbuild": "^0.10.5",
+    "gulp-esbuild": "^0.12.0",
     "gulp-replace": "^1.1.3",
     "gulp-typescript": "^5.0.1",
     "husky": "^8.0.0",
@@ -1991,13 +2054,13 @@
     "jest-environment-jsdom": "^29.0.3",
     "jest-runner-vscode": "^3.0.1",
     "lint-staged": "^15.0.2",
-    "markdownlint-cli2": "^0.6.0",
-    "markdownlint-cli2-formatter-pretty": "^0.0.4",
-    "mini-css-extract-plugin": "^2.6.1",
+    "markdownlint-cli2": "^0.12.1",
+    "markdownlint-cli2-formatter-pretty": "^0.0.5",
+    "mini-css-extract-plugin": "^2.8.0",
     "npm-run-all": "^4.1.5",
     "patch-package": "^8.0.0",
-    "prettier": "^3.0.0",
-    "storybook": "^7.1.0",
+    "prettier": "^3.2.5",
+    "storybook": "^7.6.15",
     "tar-stream": "^3.0.0",
     "through2": "^4.0.2",
     "ts-jest": "^29.0.1",
@@ -2005,9 +2068,7 @@
     "ts-loader": "^9.4.2",
     "ts-node": "^10.7.0",
     "ts-unused-exports": "^10.0.0",
-    "typescript": "^5.0.2",
-    "webpack": "^5.76.0",
-    "webpack-cli": "^5.0.1"
+    "typescript": "^5.0.2"
   },
   "lint-staged": {
     "./**/*.{json,css,scss}": [

extensions/ql-vscode/scripts/add-fields-to-scenarios.ts

@@ -14,15 +14,16 @@
 import { pathExists, readJson, writeJson } from "fs-extra";
 import { resolve, relative } from "path";
 
-import { Octokit } from "@octokit/core";
-import { type RestEndpointMethodTypes } from "@octokit/rest";
+import type { Octokit } from "@octokit/core";
+import type { EndpointDefaults } from "@octokit/types";
+import type { RestEndpointMethodTypes } from "@octokit/rest";
 import { throttling } from "@octokit/plugin-throttling";
 
 import { getFiles } from "./util/files";
 import type { GitHubApiRequest } from "../src/common/mock-gh-api/gh-api-request";
 import { isGetVariantAnalysisRequest } from "../src/common/mock-gh-api/gh-api-request";
-import { VariantAnalysis } from "../src/variant-analysis/gh-api/variant-analysis";
-import { RepositoryWithMetadata } from "../src/variant-analysis/gh-api/repository";
+import type { VariantAnalysis } from "../src/variant-analysis/gh-api/variant-analysis";
+import type { RepositoryWithMetadata } from "../src/variant-analysis/gh-api/repository";
 import { AppOctokit } from "../src/common/octokit";
 
 const extensionDirectory = resolve(__dirname, "..");
@@ -42,7 +43,7 @@ const octokit = new MyOctokit({
   throttle: {
     onRateLimit: (
       retryAfter: number,
-      options: any,
+      options: EndpointDefaults,
       octokit: Octokit,
     ): boolean => {
       octokit.log.warn(
@@ -53,7 +54,7 @@ const octokit = new MyOctokit({
     },
     onSecondaryRateLimit: (
       _retryAfter: number,
-      options: any,
+      options: EndpointDefaults,
       octokit: Octokit,
     ): void => {
       octokit.log.warn(

extensions/ql-vscode/scripts/find-deadcode.ts

@@ -9,12 +9,13 @@ function ignoreFile(file: string): boolean {
     containsPath(".storybook", file) ||
     containsPath(join("src", "stories"), file) ||
     pathsEqual(
-      join("test", "vscode-tests", "jest-runner-installed-extensions.ts"),
+      join("test", "vscode-tests", "jest-runner-vscode-codeql-cli.ts"),
       file,
     ) ||
     basename(file) === "jest.config.ts" ||
     basename(file) === "index.tsx" ||
-    basename(file) === "index.ts"
+    basename(file) === "index.ts" ||
+    basename(file) === "playwright.config.ts"
   );
 }
 

extensions/ql-vscode/scripts/generate-chromium-version.ts

@@ -0,0 +1,42 @@
+import { join, resolve } from "path";
+import { outputFile, readJSON } from "fs-extra";
+import { minVersion } from "semver";
+import { getVersionInformation } from "./util/vscode-versions";
+
+const extensionDirectory = resolve(__dirname, "..");
+
+async function generateChromiumVersion() {
+  const packageJson = await readJSON(
+    resolve(extensionDirectory, "package.json"),
+  );
+
+  const minimumVsCodeVersion = minVersion(packageJson.engines.vscode)?.version;
+  if (!minimumVsCodeVersion) {
+    throw new Error("Could not find minimum VS Code version");
+  }
+
+  const versionInformation = await getVersionInformation(minimumVsCodeVersion);
+
+  const chromiumMajorVersion = versionInformation.chromiumVersion.split(".")[0];
+
+  console.log(
+    `VS Code ${minimumVsCodeVersion} uses Chromium ${chromiumMajorVersion}`,
+  );
+
+  await outputFile(
+    join(extensionDirectory, "gulpfile.ts", "chromium-version.json"),
+    `${JSON.stringify(
+      {
+        chromiumVersion: chromiumMajorVersion,
+        electronVersion: versionInformation.electronVersion,
+      },
+      null,
+      2,
+    )}\n`,
+  );
+}
+
+generateChromiumVersion().catch((e: unknown) => {
+  console.error(e);
+  process.exit(2);
+});

extensions/ql-vscode/scripts/generate-schemas.ts

@@ -6,6 +6,16 @@ import { format, resolveConfig } from "prettier";
 const extensionDirectory = resolve(__dirname, "..");
 
 const schemas = [
+  {
+    path: join(extensionDirectory, "src", "packaging", "qlpack-file.ts"),
+    type: "QlPackFile",
+    schemaPath: join(
+      extensionDirectory,
+      "src",
+      "packaging",
+      "qlpack-file.schema.json",
+    ),
+  },
   {
     path: join(
       extensionDirectory,

extensions/ql-vscode/scripts/source-map.ts

@@ -19,8 +19,9 @@
 import { spawnSync } from "child_process";
 import { basename, resolve } from "path";
 import { pathExists, readJSON } from "fs-extra";
-import { RawSourceMap, SourceMapConsumer } from "source-map";
-import { Open } from "unzipper";
+import type { RawSourceMap } from "source-map";
+import { SourceMapConsumer } from "source-map";
+import { unzipToDirectorySequentially } from "../src/common/unzip";
 
 if (process.argv.length !== 4) {
   console.error(
@@ -78,10 +79,10 @@ async function extractSourceMap() {
         releaseAssetsDirectory,
       ]);
 
-      const file = await Open.file(
+      await unzipToDirectorySequentially(
         resolve(releaseAssetsDirectory, sourcemapAsset.name),
+        sourceMapsDirectory,
       );
-      await file.extract({ path: sourceMapsDirectory });
     } else {
       const workflowRuns = runGhJSON<WorkflowRunListItem[]>([
         "run",
@@ -242,7 +243,7 @@ type WorkflowRunListItem = {
 async function replaceAsync(
   str: string,
   regex: RegExp,
-  replacer: (substring: string, ...args: any[]) => Promise<string>,
+  replacer: (substring: string, ...args: string[]) => Promise<string>,
 ) {
   const promises: Array<Promise<string>> = [];
   str.replace(regex, (match, ...args) => {

extensions/ql-vscode/scripts/update-node-version.ts

@@ -0,0 +1,87 @@
+import { join, resolve } from "path";
+import { execSync } from "child_process";
+import { outputFile, readFile, readJSON } from "fs-extra";
+import { getVersionInformation } from "./util/vscode-versions";
+import { fetchJson } from "./util/fetch";
+
+const extensionDirectory = resolve(__dirname, "..");
+
+interface Release {
+  tag_name: string;
+}
+
+async function updateNodeVersion() {
+  const latestVsCodeRelease = await fetchJson<Release>(
+    "https://api.github.com/repos/microsoft/vscode/releases/latest",
+  );
+  const latestVsCodeVersion = latestVsCodeRelease.tag_name;
+
+  console.log(`Latest VS Code version is ${latestVsCodeVersion}`);
+
+  const versionInformation = await getVersionInformation(latestVsCodeVersion);
+  console.log(
+    `VS Code ${versionInformation.vscodeVersion} uses Electron ${versionInformation.electronVersion} and Node ${versionInformation.nodeVersion}`,
+  );
+
+  let currentNodeVersion = (
+    await readFile(join(extensionDirectory, ".nvmrc"), "utf8")
+  ).trim();
+  if (currentNodeVersion.startsWith("v")) {
+    currentNodeVersion = currentNodeVersion.slice(1);
+  }
+
+  if (currentNodeVersion === versionInformation.nodeVersion) {
+    console.log("Node version is already up to date");
+    return;
+  }
+
+  console.log("Node version needs to be updated, updating now");
+
+  await outputFile(
+    join(extensionDirectory, ".nvmrc"),
+    `v${versionInformation.nodeVersion}\n`,
+  );
+
+  console.log("Updated .nvmrc");
+
+  const packageJson = await readJSON(
+    join(extensionDirectory, "package.json"),
+    "utf8",
+  );
+
+  // The @types/node version needs to match the first two parts of the Node
+  // version, e.g. if the Node version is 18.17.3, the @types/node version
+  // should be 18.17.*. This corresponds with the documentation at
+  // https://github.com/definitelytyped/definitelytyped#how-do-definitely-typed-package-versions-relate-to-versions-of-the-corresponding-library
+  // "The patch version of the type declaration package is unrelated to the library patch version. This allows
+  // Definitely Typed to safely update type declarations for the same major/minor version of a library."
+  // 18.17.* is equivalent to >=18.17.0 <18.18.0
+  const typesNodeVersion = versionInformation.nodeVersion
+    .split(".")
+    .slice(0, 2)
+    .join(".");
+
+  packageJson.engines.node = `^${versionInformation.nodeVersion}`;
+  packageJson.devDependencies["@types/node"] = `${typesNodeVersion}.*`;
+
+  await outputFile(
+    join(extensionDirectory, "package.json"),
+    `${JSON.stringify(packageJson, null, 2)}\n`,
+  );
+
+  console.log("Updated package.json, now running npm install");
+
+  execSync("npm install", { cwd: extensionDirectory, stdio: "inherit" });
+  // Always use the latest patch version of @types/node
+  execSync("npm upgrade @types/node", {
+    cwd: extensionDirectory,
+    stdio: "inherit",
+  });
+
+  console.log("Node version updated successfully");
+}
+
+updateNodeVersion().catch((e: unknown) => {
+  console.error(e);
+  process.exit(2);
+});

extensions/ql-vscode/scripts/util/fetch.ts

@@ -0,0 +1,10 @@
+export async function fetchJson<T>(url: string): Promise<T> {
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(
+      `Could not fetch ${url}: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  return (await response.json()) as T;
+}

extensions/ql-vscode/scripts/util/vscode-versions.ts

@@ -0,0 +1,70 @@
+import { minVersion } from "semver";
+import { fetchJson } from "./fetch";
+
+type VsCodePackageJson = {
+  devDependencies: {
+    electron: string;
+  };
+};
+
+async function getVsCodePackageJson(
+  version: string,
+): Promise<VsCodePackageJson> {
+  return await fetchJson(
+    `https://raw.githubusercontent.com/microsoft/vscode/${version}/package.json`,
+  );
+}
+
+interface ElectronVersion {
+  version: string;
+  date: string;
+  node: string;
+  v8: string;
+  uv: string;
+  zlib: string;
+  openssl: string;
+  modules: string;
+  chrome: string;
+  files: string[];
+  body?: string;
+  apm?: string;
+}
+
+async function getElectronReleases(): Promise<ElectronVersion[]> {
+  return await fetchJson("https://releases.electronjs.org/releases.json");
+}
+
+type VersionInformation = {
+  vscodeVersion: string;
+  electronVersion: string;
+  nodeVersion: string;
+  chromiumVersion: string;
+};
+
+export async function getVersionInformation(
+  vscodeVersion: string,
+): Promise<VersionInformation> {
+  const vsCodePackageJson = await getVsCodePackageJson(vscodeVersion);
+  const electronVersion = minVersion(
+    vsCodePackageJson.devDependencies.electron,
+  )?.version;
+  if (!electronVersion) {
+    throw new Error("Could not find Electron version");
+  }
+
+  const electronReleases = await getElectronReleases();
+
+  const electronRelease = electronReleases.find(
+    (release) => release.version === electronVersion,
+  );
+  if (!electronRelease) {
+    throw new Error(`Could not find Electron release ${electronVersion}`);
+  }
+
+  return {
+    vscodeVersion,
+    electronVersion,
+    nodeVersion: electronRelease.node,
+    chromiumVersion: electronRelease.chrome,
+  };
+}

extensions/ql-vscode/snippets.json

@@ -30,34 +30,34 @@
   "Dataflow Tracking Class": {
     "prefix": "dataflowtracking",
     "body": [
-      "class $1 extends DataFlow::Configuration {",
-      "\t$1() { this = \"$1\" }",
-      "\t",
-      "\toverride predicate isSource(DataFlow::Node node) {",
+      "module $1 implements DataFlow::ConfigSig {",
+      "\tpredicate isSource(DataFlow::Node node) {",
       "\t\t${2:none()}",
       "\t}",
-      "\t",
-      "\toverride predicate isSink(DataFlow::Node node) {",
+      "",
+      "\tpredicate isSink(DataFlow::Node node) {",
       "\t\t${3:none()}",
       "\t}",
-      "}"
+      "}",
+      "",
+      "module ${4:Flow} = DataFlow::Global<$1>;"
     ],
     "description": "Boilerplate for a dataflow tracking class"
   },
   "Taint Tracking Class": {
     "prefix": "tainttracking",
     "body": [
-      "class $1 extends TaintTracking::Configuration {",
-      "\t$1() { this = \"$1\" }",
-      "\t",
-      "\toverride predicate isSource(DataFlow::Node node) {",
+      "module $1 implements DataFlow::ConfigSig {",
+      "\tpredicate isSource(DataFlow::Node node) {",
       "\t\t${2:none()}",
       "\t}",
-      "\t",
-      "\toverride predicate isSink(DataFlow::Node node) {",
+      "",
+      "\tpredicate isSink(DataFlow::Node node) {",
       "\t\t${3:none()}",
       "\t}",
-      "}"
+      "}",
+      "",
+      "module ${4:Flow} = TaintTracking::Global<$1>;"
     ],
     "description": "Boilerplate for a taint tracking class"
   },

extensions/ql-vscode/src/additional-typings.d.ts

@@ -1,15 +0,0 @@
-/**
- * The d3 library is designed to work in both the browser and
- * node. Consequently their typings files refer to both node
- * types like `Buffer` (which don't exist in the browser), and browser
- * types like `Blob` (which don't exist in node). Instead of sticking
- * all of `dom` in `compilerOptions.lib`, it suffices just to put in a
- * stub definition of the affected types so that compilation
- * succeeds.
- */
-
-declare type RequestInit = Record<string, unknown>;
-declare type ElementTagNameMap = any;
-declare type NodeListOf<T> = Record<string, T>;
-declare type Node = Record<string, unknown>;
-declare type XMLDocument = Record<string, unknown>;

extensions/ql-vscode/src/code-tour/code-tour.ts

@@ -1,4 +1,4 @@
-import { AppCommandManager } from "../common/commands";
+import type { AppCommandManager } from "../common/commands";
 import { Uri, workspace } from "vscode";
 import { join } from "path";
 import { pathExists } from "fs-extra";

extensions/ql-vscode/src/codeql-cli/cli-command.ts

@@ -0,0 +1,62 @@
+import { execFile } from "child_process";
+import { promisify } from "util";
+
+import type { BaseLogger } from "../common/logging";
+import type { ProgressReporter } from "../common/logging/vscode";
+import {
+  getChildProcessErrorMessage,
+  getErrorMessage,
+} from "../common/helpers-pure";
+
+/**
+ * Flags to pass to all cli commands.
+ */
+export const LOGGING_FLAGS = ["-v", "--log-to-stderr"];
+
+/**
+ * Runs a CodeQL CLI command without invoking the CLI server, deserializing the output as JSON.
+ * @param codeQlPath The path to the CLI.
+ * @param command The `codeql` command to be run, provided as an array of command/subcommand names.
+ * @param commandArgs The arguments to pass to the `codeql` command.
+ * @param description Description of the action being run, to be shown in log and error messages.
+ * @param logger Logger to write command log messages, e.g. to an output channel.
+ * @param progressReporter Used to output progress messages, e.g. to the status bar.
+ * @returns A JSON object parsed from the contents of the command's stdout, if the command succeeded.
+ */
+export async function runJsonCodeQlCliCommand<OutputType>(
+  codeQlPath: string,
+  command: string[],
+  commandArgs: string[],
+  description: string,
+  logger: BaseLogger,
+  progressReporter?: ProgressReporter,
+): Promise<OutputType> {
+  // Add logging arguments first, in case commandArgs contains positional parameters.
+  const args = command.concat(LOGGING_FLAGS).concat(commandArgs);
+  const argsString = args.join(" ");
+  let stdout: string;
+  try {
+    if (progressReporter !== undefined) {
+      progressReporter.report({ message: description });
+    }
+    void logger.log(
+      `${description} using CodeQL CLI: ${codeQlPath} ${argsString}...`,
+    );
+    const result = await promisify(execFile)(codeQlPath, args);
+    void logger.log(result.stderr);
+    void logger.log("CLI command succeeded.");
+    stdout = result.stdout;
+  } catch (err) {
+    throw new Error(
+      `${description} failed: ${getChildProcessErrorMessage(err)}`,
+    );
+  }
+
+  try {
+    return JSON.parse(stdout) as OutputType;
+  } catch (err) {
+    throw new Error(
+      `Parsing output of ${description} failed: ${getErrorMessage(err)}`,
+    );
+  }
+}

extensions/ql-vscode/src/codeql-cli/cli-errors.ts

@@ -0,0 +1,102 @@
+import { asError, getErrorMessage } from "../common/helpers-pure";
+
+// https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/exit-codes
+const EXIT_CODE_USER_ERROR = 2;
+const EXIT_CODE_CANCELLED = 98;
+
+export class ExitCodeError extends Error {
+  constructor(public readonly exitCode: number | null) {
+    super(`Process exited with code ${exitCode}`);
+  }
+}
+
+export class CliError extends Error {
+  constructor(
+    message: string,
+    public readonly stderr: string | undefined,
+    public readonly cause: Error,
+    public readonly commandDescription: string,
+    public readonly commandArgs: string[],
+  ) {
+    super(message);
+  }
+}
+
+export function getCliError(
+  e: unknown,
+  stderr: string | undefined,
+  commandDescription: string,
+  commandArgs: string[],
+): CliError {
+  const error = asError(e);
+
+  if (!(error instanceof ExitCodeError) || !stderr) {
+    return formatCliErrorFallback(
+      error,
+      stderr,
+      commandDescription,
+      commandArgs,
+    );
+  }
+
+  switch (error.exitCode) {
+    case EXIT_CODE_USER_ERROR: {
+      // This is an error that we should try to format nicely
+      const fatalErrorIndex = stderr.lastIndexOf("A fatal error occurred: ");
+      if (fatalErrorIndex !== -1) {
+        return new CliError(
+          stderr.slice(fatalErrorIndex),
+          stderr,
+          error,
+          commandDescription,
+          commandArgs,
+        );
+      }
+
+      break;
+    }
+    case EXIT_CODE_CANCELLED: {
+      const cancellationIndex = stderr.lastIndexOf(
+        "Computation was cancelled: ",
+      );
+      if (cancellationIndex !== -1) {
+        return new CliError(
+          stderr.slice(cancellationIndex),
+          stderr,
+          error,
+          commandDescription,
+          commandArgs,
+        );
+      }
+
+      break;
+    }
+  }
+
+  return formatCliErrorFallback(error, stderr, commandDescription, commandArgs);
+}
+
+function formatCliErrorFallback(
+  error: Error,
+  stderr: string | undefined,
+  commandDescription: string,
+  commandArgs: string[],
+): CliError {
+  if (stderr) {
+    return new CliError(
+      stderr,
+      undefined,
+      error,
+      commandDescription,
+      commandArgs,
+    );
+  }
+
+  return new CliError(
+    getErrorMessage(error),
+    undefined,
+    error,
+    commandDescription,
+    commandArgs,
+  );
+}

extensions/ql-vscode/src/codeql-cli/cli-version.ts

@@ -1,24 +1,49 @@
-import * as semver from "semver";
-import { runCodeQlCliCommand } from "./cli";
-import { Logger } from "../common/logging";
+import type { SemVer } from "semver";
+import { parse } from "semver";
+import { runJsonCodeQlCliCommand } from "./cli-command";
+import type { Logger } from "../common/logging";
 import { getErrorMessage } from "../common/helpers-pure";
 
+interface VersionResult {
+  version: string;
+  features: CliFeatures | undefined;
+}
+
+export interface CliFeatures {
+  featuresInVersionResult?: boolean;
+  mrvaPackCreate?: boolean;
+}
+
+export interface VersionAndFeatures {
+  version: SemVer;
+  features: CliFeatures;
+}
+
 /**
  * Get the version of a CodeQL CLI.
  */
 export async function getCodeQlCliVersion(
   codeQlPath: string,
   logger: Logger,
-): Promise<semver.SemVer | undefined> {
+): Promise<VersionAndFeatures | undefined> {
   try {
-    const output: string = await runCodeQlCliCommand(
+    const output: VersionResult = await runJsonCodeQlCliCommand<VersionResult>(
       codeQlPath,
       ["version"],
-      ["--format=terse"],
+      ["--format=json"],
       "Checking CodeQL version",
       logger,
     );
-    return semver.parse(output.trim()) || undefined;
+
+    const version = parse(output.version.trim()) || undefined;
+    if (version === undefined) {
+      return undefined;
+    }
+
+    return {
+      version,
+      features: output.features ?? {},
+    };
   } catch (e) {
     // Failed to run the version command. This might happen if the cli version is _really_ old, or it is corrupted.
     // Either way, we can't determine compatibility.

extensions/ql-vscode/src/codeql-cli/cli.ts

@@ -1,40 +1,41 @@
 import { EOL } from "os";
 import { spawn } from "child-process-promise";
-import * as child_process from "child_process";
+import type { ChildProcessWithoutNullStreams } from "child_process";
+import { spawn as spawnChildProcess } from "child_process";
 import { readFile } from "fs-extra";
-import { dirname, join, delimiter } from "path";
-import * as sarif from "sarif";
+import { delimiter, dirname, join } from "path";
+import type { Log } from "sarif";
 import { SemVer } from "semver";
-import { Readable } from "stream";
+import type { Readable } from "stream";
 import tk from "tree-kill";
-import { promisify } from "util";
-import { CancellationToken, Disposable, Uri } from "vscode";
+import type { CancellationToken, Disposable, Uri } from "vscode";
 
-import {
-  BQRSInfo,
+import type {
+  BqrsInfo,
   DecodedBqrs,
   DecodedBqrsChunk,
 } from "../common/bqrs-cli-types";
-import { allowCanaryQueryServer, CliConfig } from "../config";
-import {
-  DistributionProvider,
-  FindDistributionResultKind,
-} from "./distribution";
+import type { CliConfig } from "../config";
+import type { DistributionProvider } from "./distribution";
+import { FindDistributionResultKind } from "./distribution";
 import {
   assertNever,
-  getChildProcessErrorMessage,
   getErrorMessage,
   getErrorStack,
 } from "../common/helpers-pure";
 import { walkDirectory } from "../common/files";
-import { QueryMetadata, SortDirection } from "../common/interface-types";
-import { BaseLogger, Logger } from "../common/logging";
-import { ProgressReporter } from "../common/logging/vscode";
-import { CompilationMessage } from "../query-server/legacy-messages";
+import type { QueryMetadata } from "../common/interface-types";
+import { SortDirection } from "../common/interface-types";
+import type { BaseLogger, Logger } from "../common/logging";
+import type { ProgressReporter } from "../common/logging/vscode";
 import { sarifParser } from "../common/sarif-parser";
-import { App } from "../common/app";
+import type { App } from "../common/app";
 import { QueryLanguage } from "../common/query-language";
 import { LINE_ENDINGS, splitStreamAtSeparators } from "../common/split-stream";
+import type { Position } from "../query-server/messages";
+import { LOGGING_FLAGS } from "./cli-command";
+import type { CliFeatures, VersionAndFeatures } from "./cli-version";
+import { ExitCodeError, getCliError } from "./cli-errors";
 
 /**
  * The version of the SARIF format that we are using.
@@ -46,21 +47,6 @@ const SARIF_FORMAT = "sarifv2.1.0";
  */
 const CSV_FORMAT = "csv";
 
-/**
- * Flags to pass to all cli commands.
- */
-const LOGGING_FLAGS = ["-v", "--log-to-stderr"];
-
-/**
- * The expected output of `codeql resolve library-path`.
- */
-export interface QuerySetup {
-  libraryPath: string[];
-  dbscheme: string;
-  relativeName?: string;
-  compilationCache?: string;
-}
-
 /**
  * The expected output of `codeql resolve queries --format bylanguage`.
  */
@@ -88,7 +74,7 @@ export interface DbInfo {
 /**
  * The expected output of `codeql resolve upgrades`.
  */
-export interface UpgradesInfo {
+interface UpgradesInfo {
   scripts: string[];
   finalDbscheme: string;
   matchesTarget?: boolean;
@@ -102,33 +88,33 @@ export type QlpacksInfo = { [name: string]: string[] };
 /**
  * The expected output of `codeql resolve languages`.
  */
-export type LanguagesInfo = { [name: string]: string[] };
+type LanguagesInfo = { [name: string]: string[] };
 
 /** Information about an ML model, as resolved by `codeql resolve ml-models`. */
-export type MlModelInfo = {
+type MlModelInfo = {
   checksum: string;
   path: string;
 };
 
 /** The expected output of `codeql resolve ml-models`. */
-export type MlModelsInfo = { models: MlModelInfo[] };
+type MlModelsInfo = { models: MlModelInfo[] };
 
 /** Information about a data extension predicate, as resolved by `codeql resolve extensions`. */
-export type DataExtensionResult = {
+type DataExtensionResult = {
   predicate: string;
   file: string;
   index: number;
 };
 
 /** The expected output of `codeql resolve extensions`. */
-export type ResolveExtensionsResult = {
+type ResolveExtensionsResult = {
   models: MlModelInfo[];
   data: {
     [path: string]: DataExtensionResult[];
   };
 };
 
-export type GenerateExtensiblePredicateMetadataResult = {
+type GenerateExtensiblePredicateMetadataResult = {
   // There are other properties in this object, but they are
   // not relevant for its use in the extension, so we omit them.
   extensible_predicates: Array<{
@@ -137,10 +123,20 @@ export type GenerateExtensiblePredicateMetadataResult = {
   }>;
 };
 
+type PackDownloadResult = {
+  // There are other properties in this object, but they are
+  // not relevant for its use in the extension, so we omit them.
+  packs: Array<{
+    name: string;
+    version: string;
+  }>;
+  packDir: string;
+};
+
 /**
  * The expected output of `codeql resolve qlref`.
  */
-export type QlrefInfo = { resolvedPath: string };
+type QlrefInfo = { resolvedPath: string };
 
 // `codeql bqrs interpret` requires both of these to be present or
 // both absent.
@@ -152,12 +148,38 @@ export interface SourceInfo {
 /**
  * The expected output of `codeql resolve queries`.
  */
-export type ResolvedQueries = string[];
+type ResolvedQueries = string[];
 
 /**
  * The expected output of `codeql resolve tests`.
  */
-export type ResolvedTests = string[];
+type ResolvedTests = string[];
+
+/**
+ * The severity of a compilation message for a test message.
+ */
+export enum CompilationMessageSeverity {
+  Error = "ERROR",
+  Warning = "WARNING",
+}
+
+/**
+ * A compilation message for a test message (either an error or a warning).
+ */
+export interface CompilationMessage {
+  /**
+   * The text of the message
+   */
+  message: string;
+  /**
+   * The source position associated with the message
+   */
+  position: Position;
+  /**
+   * The severity of the message
+   */
+  severity: CompilationMessageSeverity;
+}
 
 /**
  * Event fired by `codeql test run`.
@@ -187,11 +209,13 @@ interface BqrsDecodeOptions {
   entities?: string[];
 }
 
-export type OnLineCallback = (
+type OnLineCallback = (
   line: string,
 ) => Promise<string | undefined> | string | undefined;
 
-type VersionChangedListener = (newVersion: SemVer | undefined) => void;
+type VersionChangedListener = (
+  newVersionAndFeatures: VersionAndFeatures | undefined,
+) => void;
 
 /**
  * This class manages a cli server started by `codeql execute cli-server` to
@@ -201,7 +225,7 @@ type VersionChangedListener = (newVersion: SemVer | undefined) => void;
  */
 export class CodeQLCliServer implements Disposable {
   /** The process for the cli server, or undefined if one doesn't exist yet */
-  process?: child_process.ChildProcessWithoutNullStreams;
+  process?: ChildProcessWithoutNullStreams;
   /** Queue of future commands*/
   commandQueue: Array<() => void>;
   /** Whether a command is running */
@@ -209,8 +233,8 @@ export class CodeQLCliServer implements Disposable {
   /**  A buffer with a single null byte. */
   nullBuffer: Buffer;
 
-  /** Version of current cli, lazily computed by the `getVersion()` method */
-  private _version: SemVer | undefined;
+  /** Version of current cli and its supported features, lazily computed by the `getVersion()` method */
+  private _versionAndFeatures: VersionAndFeatures | undefined;
 
   private _versionChangedListeners: VersionChangedListener[] = [];
 
@@ -241,15 +265,11 @@ export class CodeQLCliServer implements Disposable {
     if (this.distributionProvider.onDidChangeDistribution) {
       this.distributionProvider.onDidChangeDistribution(() => {
         this.restartCliServer();
-        this._version = undefined;
-        this._supportedLanguages = undefined;
       });
     }
     if (this.cliConfig.onDidChangeConfiguration) {
       this.cliConfig.onDidChangeConfiguration(() => {
         this.restartCliServer();
-        this._version = undefined;
-        this._supportedLanguages = undefined;
       });
     }
   }
@@ -290,6 +310,8 @@ export class CodeQLCliServer implements Disposable {
     const callback = (): void => {
       try {
         this.killProcessIfRunning();
+        this._versionAndFeatures = undefined;
+        this._supportedLanguages = undefined;
       } finally {
         this.runNext();
       }
@@ -319,7 +341,7 @@ export class CodeQLCliServer implements Disposable {
   /**
    * Launch the cli server
    */
-  private async launchProcess(): Promise<child_process.ChildProcessWithoutNullStreams> {
+  private async launchProcess(): Promise<ChildProcessWithoutNullStreams> {
     const codeQlPath = await this.getCodeQlPath();
     const args = [];
     if (shouldDebugCliServer()) {
@@ -348,6 +370,8 @@ export class CodeQLCliServer implements Disposable {
     silent?: boolean,
   ): Promise<string> {
     const stderrBuffers: Buffer[] = [];
+    // The current buffer of stderr of a single line. To be used for logging.
+    let currentLineStderrBuffer: Buffer = Buffer.alloc(0);
     if (this.commandInProcess) {
       throw new Error("runCodeQlCliInternal called while cli was running");
     }
@@ -405,9 +429,43 @@ export class CodeQLCliServer implements Disposable {
           // Listen to stderr
           process.stderr.addListener("data", (newData: Buffer) => {
             stderrBuffers.push(newData);
+
+            if (!silent) {
+              currentLineStderrBuffer = Buffer.concat([
+                currentLineStderrBuffer,
+                newData,
+              ]);
+
+              // Print the stderr to the logger as it comes in. We need to ensure that
+              // we don't split messages on the same line, so we buffer the stderr and
+              // split it on EOLs.
+              const eolBuffer = Buffer.from(EOL);
+
+              let hasCreatedSubarray = false;
+
+              let eolIndex;
+              while (
+                (eolIndex = currentLineStderrBuffer.indexOf(eolBuffer)) !== -1
+              ) {
+                const line = currentLineStderrBuffer.subarray(0, eolIndex);
+                void this.logger.log(line.toString("utf-8"));
+                currentLineStderrBuffer = currentLineStderrBuffer.subarray(
+                  eolIndex + eolBuffer.length,
+                );
+                hasCreatedSubarray = true;
+              }
+
+              // We have created a subarray, which means that the complete original buffer is now referenced
+              // by the subarray. We need to create a new buffer to avoid memory leaks.
+              if (hasCreatedSubarray) {
+                currentLineStderrBuffer = Buffer.from(currentLineStderrBuffer);
+              }
+            }
           });
           // Listen for process exit.
-          process.addListener("close", (code) => reject(code));
+          process.addListener("close", (code) =>
+            reject(new ExitCodeError(code)),
+          );
           // Write the command followed by a null terminator.
           process.stdin.write(JSON.stringify(args), "utf8");
           process.stdin.write(this.nullBuffer);
@@ -417,28 +475,29 @@ export class CodeQLCliServer implements Disposable {
         // Make sure we remove the terminator;
         const data = fullBuffer.toString("utf8", 0, fullBuffer.length - 1);
         if (!silent) {
+          void this.logger.log(currentLineStderrBuffer.toString("utf8"));
+          currentLineStderrBuffer = Buffer.alloc(0);
           void this.logger.log("CLI command succeeded.");
         }
         return data;
       } catch (err) {
         // Kill the process if it isn't already dead.
         this.killProcessIfRunning();
+
         // Report the error (if there is a stderr then use that otherwise just report the error code or nodejs error)
-        const newError =
-          stderrBuffers.length === 0
-            ? new Error(
-                `${description} failed with args:${EOL}    ${argsString}${EOL}${err}`,
-              )
-            : new Error(
-                `${description} failed with args:${EOL}    ${argsString}${EOL}${Buffer.concat(
-                  stderrBuffers,
-                ).toString("utf8")}`,
-              );
-        newError.stack += getErrorStack(err);
-        throw newError;
+        const cliError = getCliError(
+          err,
+          stderrBuffers.length > 0
+            ? Buffer.concat(stderrBuffers).toString("utf8")
+            : undefined,
+          description,
+          args,
+        );
+        cliError.stack += getErrorStack(err);
+        throw cliError;
       } finally {
-        if (!silent) {
-          void this.logger.log(Buffer.concat(stderrBuffers).toString("utf8"));
+        if (!silent && currentLineStderrBuffer.length > 0) {
+          void this.logger.log(currentLineStderrBuffer.toString("utf8"));
         }
         // Remove the listeners we set up.
         process.stdout.removeAllListeners("data");
@@ -637,9 +696,10 @@ export class CodeQLCliServer implements Disposable {
     } = {},
   ): Promise<OutputType> {
     let args: string[] = [];
-    if (addFormat)
+    if (addFormat) {
       // Add format argument first, in case commandArgs contains positional parameters.
       args = args.concat(["--format", "json"]);
+    }
     args = args.concat(commandArgs);
     const result = await this.runCodeQlCliCommand(command, args, description, {
       progressReporter,
@@ -721,29 +781,6 @@ export class CodeQLCliServer implements Disposable {
     );
   }
 
-  /**
-   * Resolve the library path and dbscheme for a query.
-   * @param workspaces The current open workspaces
-   * @param queryPath The path to the query
-   */
-  async resolveLibraryPath(
-    workspaces: string[],
-    queryPath: string,
-    silent = false,
-  ): Promise<QuerySetup> {
-    const subcommandArgs = [
-      "--query",
-      queryPath,
-      ...this.getAdditionalPacksArg(workspaces),
-    ];
-    return await this.runJsonCodeQlCliCommand<QuerySetup>(
-      ["resolve", "library-path"],
-      subcommandArgs,
-      "Resolving library paths",
-      { silent },
-    );
-  }
-
   /**
    * Resolves the language for a query.
    * @param queryUri The URI of the query
@@ -797,6 +834,11 @@ export class CodeQLCliServer implements Disposable {
       ["resolve", "tests", "--strict-test-discovery"],
       subcommandArgs,
       "Resolving tests",
+      {
+        // This happens as part of a background process, so we don't want to
+        // spam the log with messages.
+        silent: true,
+      },
     );
   }
 
@@ -881,10 +923,9 @@ export class CodeQLCliServer implements Disposable {
     additionalPacks: string[],
     queryPath: string,
   ): Promise<MlModelsInfo> {
-    const args = (await this.cliConstraints.supportsPreciseResolveMlModels())
-      ? // use the dirname of the path so that we can handle query libraries
-        [...this.getAdditionalPacksArg(additionalPacks), dirname(queryPath)]
-      : this.getAdditionalPacksArg(additionalPacks);
+    const args =
+      // use the dirname of the path so that we can handle query libraries
+      [...this.getAdditionalPacksArg(additionalPacks), dirname(queryPath)];
     return await this.runJsonCodeQlCliCommand<MlModelsInfo>(
       ["resolve", "ml-models"],
       args,
@@ -925,11 +966,11 @@ export class CodeQLCliServer implements Disposable {
    * @param bqrsPath The path to the bqrs.
    * @param pageSize The page size to precompute offsets into the binary file for.
    */
-  async bqrsInfo(bqrsPath: string, pageSize?: number): Promise<BQRSInfo> {
+  async bqrsInfo(bqrsPath: string, pageSize?: number): Promise<BqrsInfo> {
     const subcommandArgs = (
       pageSize ? ["--paginate-rows", pageSize.toString()] : []
     ).concat(bqrsPath);
-    return await this.runJsonCodeQlCliCommand<BQRSInfo>(
+    return await this.runJsonCodeQlCliCommand<BqrsInfo>(
       ["bqrs", "info"],
       subcommandArgs,
       "Reading bqrs header",
@@ -942,8 +983,12 @@ export class CodeQLCliServer implements Disposable {
     name?: string,
   ): Promise<string> {
     const subcommandArgs = [];
-    if (target) subcommandArgs.push("--target", target);
-    if (name) subcommandArgs.push("--name", name);
+    if (target) {
+      subcommandArgs.push("--target", target);
+    }
+    if (name) {
+      subcommandArgs.push("--name", name);
+    }
     subcommandArgs.push(archivePath);
 
     return await this.runCodeQlCliCommand(
@@ -964,7 +1009,9 @@ export class CodeQLCliServer implements Disposable {
     outputDirectory?: string,
   ): Promise<string> {
     const subcommandArgs = ["--format=markdown"];
-    if (outputDirectory) subcommandArgs.push("--output", outputDirectory);
+    if (outputDirectory) {
+      subcommandArgs.push("--output", outputDirectory);
+    }
     subcommandArgs.push(pathToQhelp);
 
     return await this.runCodeQlCliCommand(
@@ -988,9 +1035,7 @@ export class CodeQLCliServer implements Disposable {
     const subcommandArgs = [
       "--format=text",
       `--end-summary=${endSummaryPath}`,
-      ...((await this.cliConstraints.supportsSourceMap())
-        ? ["--sourcemap"]
-        : []),
+      "--sourcemap",
       inputPath,
       outputPath,
     ];
@@ -1099,7 +1144,7 @@ export class CodeQLCliServer implements Disposable {
     interpretedResultsPath: string,
     sourceInfo?: SourceInfo,
     args?: string[],
-  ): Promise<sarif.Log> {
+  ): Promise<Log> {
     const additionalArgs = [
       // TODO: This flag means that we don't group interpreted results
       // by primary location. We may want to revisit whether we call
@@ -1270,12 +1315,6 @@ export class CodeQLCliServer implements Disposable {
   ): Promise<QlpacksInfo> {
     const args = this.getAdditionalPacksArg(additionalPacks);
     if (extensionPacksOnly) {
-      if (!(await this.cliConstraints.supportsQlpacksKind())) {
-        void this.logger.log(
-          "Warning: Running with extension packs is only supported by CodeQL CLI v2.12.3 or later.",
-        );
-        return {};
-      }
       args.push("--kind", "extension", "--no-recursive");
     } else if (kind) {
       args.push("--kind", kind);
@@ -1383,13 +1422,10 @@ export class CodeQLCliServer implements Disposable {
   async packAdd(dir: string, queryLanguage: QueryLanguage) {
     const args = ["--dir", dir];
     args.push(`codeql/${queryLanguage}-all`);
-    return this.runJsonCodeQlCliCommandWithAuthentication(
+    return this.runCodeQlCliCommand(
       ["pack", "add"],
       args,
       `Adding and installing ${queryLanguage} pack dependency.`,
-      {
-        addFormat: false,
-      },
     );
   }
 
@@ -1397,7 +1433,7 @@ export class CodeQLCliServer implements Disposable {
    * Downloads a specified pack.
    * @param packs The `<package-scope/name[@version]>` of the packs to download.
    */
-  async packDownload(packs: string[]) {
+  async packDownload(packs: string[]): Promise<PackDownloadResult> {
     return this.runJsonCodeQlCliCommandWithAuthentication(
       ["pack", "download"],
       packs,
@@ -1414,15 +1450,13 @@ export class CodeQLCliServer implements Disposable {
       args.push("--mode", "update");
     }
     if (workspaceFolders?.length > 0) {
-      if (await this.cliConstraints.supportsAdditionalPacksInstall()) {
-        args.push(
-          // Allow prerelease packs from the ql submodule.
-          "--allow-prerelease",
-          // Allow the use of --additional-packs argument without issueing a warning
-          "--no-strict-mode",
-          ...this.getAdditionalPacksArg(workspaceFolders),
-        );
-      }
+      args.push(
+        // Allow prerelease packs from the ql submodule.
+        "--allow-prerelease",
+        // Allow the use of --additional-packs argument without issueing a warning
+        "--no-strict-mode",
+        ...this.getAdditionalPacksArg(workspaceFolders),
+      );
     }
     return this.runJsonCodeQlCliCommandWithAuthentication(
       ["pack", "install"],
@@ -1431,16 +1465,28 @@ export class CodeQLCliServer implements Disposable {
     );
   }
 
+  /**
+   * Compile a CodeQL pack and bundle it into a single file.
+   *
+   * @param sourcePackDir The directory of the input CodeQL pack.
+   * @param workspaceFolders The workspace folders to search for additional packs.
+   * @param outputBundleFile The path to the output bundle file.
+   * @param outputPackDir The directory to contain the unbundled output pack.
+   * @param moreOptions Additional options to be passed to `codeql pack bundle`.
+   */
   async packBundle(
-    dir: string,
+    sourcePackDir: string,
     workspaceFolders: string[],
-    outputPath: string,
+    outputBundleFile: string,
+    outputPackDir: string,
     moreOptions: string[],
   ): Promise<void> {
     const args = [
       "-o",
-      outputPath,
-      dir,
+      outputBundleFile,
+      sourcePackDir,
+      "--pack-path",
+      outputPackDir,
       ...moreOptions,
       ...this.getAdditionalPacksArg(workspaceFolders),
     ];
@@ -1495,27 +1541,27 @@ export class CodeQLCliServer implements Disposable {
     );
   }
 
-  public async getVersion() {
-    if (!this._version) {
-      try {
-        const newVersion = await this.refreshVersion();
-        this._version = newVersion;
-        this._versionChangedListeners.forEach((listener) =>
-          listener(newVersion),
-        );
+  public async getVersion(): Promise<SemVer> {
+    return (await this.getVersionAndFeatures()).version;
+  }
 
+  public async getFeatures(): Promise<CliFeatures> {
+    return (await this.getVersionAndFeatures()).features;
+  }
+
+  private async getVersionAndFeatures(): Promise<VersionAndFeatures> {
+    if (!this._versionAndFeatures) {
+      try {
+        const newVersionAndFeatures = await this.refreshVersion();
+        this._versionAndFeatures = newVersionAndFeatures;
+        this._versionChangedListeners.forEach((listener) =>
+          listener(newVersionAndFeatures),
+        );
         // this._version is only undefined upon config change, so we reset CLI-based context key only when necessary.
-        await this.app.commands.execute(
-          "setContext",
-          "codeql.supportsQuickEvalCount",
-          newVersion.compare(
-            CliVersionConstraint.CLI_VERSION_WITH_QUICK_EVAL_COUNT,
-          ) >= 0,
-        );
         await this.app.commands.execute(
           "setContext",
           "codeql.supportsTrimCache",
-          newVersion.compare(
+          newVersionAndFeatures.version.compare(
             CliVersionConstraint.CLI_VERSION_WITH_TRIM_CACHE,
           ) >= 0,
         );
@@ -1526,23 +1572,23 @@ export class CodeQLCliServer implements Disposable {
         throw e;
       }
     }
-    return this._version;
+    return this._versionAndFeatures;
   }
 
   public addVersionChangedListener(listener: VersionChangedListener) {
-    if (this._version) {
-      listener(this._version);
+    if (this._versionAndFeatures) {
+      listener(this._versionAndFeatures);
     }
     this._versionChangedListeners.push(listener);
   }
 
-  private async refreshVersion() {
+  private async refreshVersion(): Promise<VersionAndFeatures> {
     const distribution = await this.distributionProvider.getDistribution();
     switch (distribution.kind) {
       case FindDistributionResultKind.CompatibleDistribution:
-
+      // eslint-disable-next-line no-fallthrough -- Intentional fallthrough
       case FindDistributionResultKind.IncompatibleDistribution:
-        return distribution.version;
+        return distribution.versionAndFeatures;
 
       default:
         // We should not get here because if no distributions are available, then
@@ -1555,11 +1601,8 @@ export class CodeQLCliServer implements Disposable {
     return paths.length ? ["--additional-packs", paths.join(delimiter)] : [];
   }
 
-  public async useExtensionPacks(): Promise<boolean> {
-    return (
-      this.cliConfig.useExtensionPacks &&
-      (await this.cliConstraints.supportsQlpacksKind())
-    );
+  public useExtensionPacks(): boolean {
+    return this.cliConfig.useExtensionPacks;
   }
 
   public async setUseExtensionPacks(useExtensionPacks: boolean) {
@@ -1587,10 +1630,10 @@ export function spawnServer(
   command: string[],
   commandArgs: string[],
   logger: Logger,
-  stderrListener: (data: any) => void,
-  stdoutListener?: (data: any) => void,
+  stderrListener: (data: string | Buffer) => void,
+  stdoutListener?: (data: string | Buffer) => void,
   progressReporter?: ProgressReporter,
-): child_process.ChildProcessWithoutNullStreams {
+): ChildProcessWithoutNullStreams {
   // Enable verbose logging.
   const args = command.concat(commandArgs).concat(LOGGING_FLAGS);
 
@@ -1601,29 +1644,32 @@ export function spawnServer(
     progressReporter.report({ message: `Starting ${name}` });
   }
   void logger.log(`Starting ${name} using CodeQL CLI: ${base} ${argsString}`);
-  const child = child_process.spawn(base, args);
+  const child = spawnChildProcess(base, args);
   if (!child || !child.pid) {
     throw new Error(
       `Failed to start ${name} using command ${base} ${argsString}.`,
     );
   }
 
-  let lastStdout: any = undefined;
+  let lastStdout: string | Buffer | undefined = undefined;
   child.stdout!.on("data", (data) => {
     lastStdout = data;
   });
   // Set up event listeners.
   child.on("close", async (code, signal) => {
-    if (code !== null)
+    if (code !== null) {
       void logger.log(`Child process exited with code ${code}`);
-    if (signal)
+    }
+    if (signal) {
       void logger.log(
         `Child process exited due to receipt of signal ${signal}`,
       );
+    }
     // If the process exited abnormally, log the last stdout message,
     // It may be from the jvm.
-    if (code !== 0 && lastStdout !== undefined)
+    if (code !== 0 && lastStdout !== undefined) {
       void logger.log(`Last stdout was "${lastStdout.toString()}"`);
+    }
   });
   child.stderr!.on("data", stderrListener);
   if (stdoutListener !== undefined) {
@@ -1637,45 +1683,6 @@ export function spawnServer(
   return child;
 }
 
-/**
- * Runs a CodeQL CLI command without invoking the CLI server, returning the output as a string.
- * @param codeQlPath The path to the CLI.
- * @param command The `codeql` command to be run, provided as an array of command/subcommand names.
- * @param commandArgs The arguments to pass to the `codeql` command.
- * @param description Description of the action being run, to be shown in log and error messages.
- * @param logger Logger to write command log messages, e.g. to an output channel.
- * @param progressReporter Used to output progress messages, e.g. to the status bar.
- * @returns The contents of the command's stdout, if the command succeeded.
- */
-export async function runCodeQlCliCommand(
-  codeQlPath: string,
-  command: string[],
-  commandArgs: string[],
-  description: string,
-  logger: Logger,
-  progressReporter?: ProgressReporter,
-): Promise<string> {
-  // Add logging arguments first, in case commandArgs contains positional parameters.
-  const args = command.concat(LOGGING_FLAGS).concat(commandArgs);
-  const argsString = args.join(" ");
-  try {
-    if (progressReporter !== undefined) {
-      progressReporter.report({ message: description });
-    }
-    void logger.log(
-      `${description} using CodeQL CLI: ${codeQlPath} ${argsString}...`,
-    );
-    const result = await promisify(child_process.execFile)(codeQlPath, args);
-    void logger.log(result.stderr);
-    void logger.log("CLI command succeeded.");
-    return result.stdout;
-  } catch (err) {
-    throw new Error(
-      `${description} failed: ${getChildProcessErrorMessage(err)}`,
-    );
-  }
-}
-
 /**
  * Log a text stream to a `Logger` interface.
  * @param stream The stream to log.
@@ -1697,7 +1704,7 @@ function isEnvTrue(name: string): boolean {
   );
 }
 
-export function shouldDebugIdeServer() {
+export function shouldDebugLanguageServer() {
   return isEnvTrue("IDE_SERVER_JAVA_DEBUG");
 }
 
@@ -1705,67 +1712,14 @@ export function shouldDebugQueryServer() {
   return isEnvTrue("QUERY_SERVER_JAVA_DEBUG");
 }
 
-export function shouldDebugCliServer() {
+function shouldDebugCliServer() {
   return isEnvTrue("CLI_SERVER_JAVA_DEBUG");
 }
 
 export class CliVersionConstraint {
   // The oldest version of the CLI that we support. This is used to determine
   // whether to show a warning about the CLI being too old on startup.
-  public static OLDEST_SUPPORTED_CLI_VERSION = new SemVer("2.9.4");
-
-  /**
-   * CLI version where building QLX packs for remote queries is supported.
-   * (The options were _accepted_ by a few earlier versions, but only from
-   * 2.11.3 will it actually use the existing compilation cache correctly).
-   */
-  public static CLI_VERSION_QLX_REMOTE = new SemVer("2.11.3");
-
-  /**
-   * CLI version where the `resolve ml-models` subcommand was enhanced to work with packaging.
-   */
-  public static CLI_VERSION_WITH_PRECISE_RESOLVE_ML_MODELS = new SemVer(
-    "2.10.0",
-  );
-
-  /**
-   * CLI version where the `resolve extensions` subcommand exists.
-   */
-  public static CLI_VERSION_WITH_RESOLVE_EXTENSIONS = new SemVer("2.10.2");
-
-  /**
-   * CLI version that supports the `--sourcemap` option for log generation.
-   */
-  public static CLI_VERSION_WITH_SOURCEMAP = new SemVer("2.10.3");
-
-  /**
-   * CLI version that supports the new query server.
-   */
-  public static CLI_VERSION_WITH_NEW_QUERY_SERVER = new SemVer("2.11.1");
-
-  /**
-   * CLI version that supports `${workspace}` references in qlpack.yml files.
-   */
-  public static CLI_VERSION_WITH_WORKSPACE_RFERENCES = new SemVer("2.11.3");
-
-  /**
-   * CLI version that supports the `--kind` option for the `resolve qlpacks` command.
-   */
-  public static CLI_VERSION_WITH_QLPACKS_KIND = new SemVer("2.12.3");
-
-  /**
-   * CLI version that supports the `--additional-packs` option for the `pack install` command.
-   */
-  public static CLI_VERSION_WITH_ADDITIONAL_PACKS_INSTALL = new SemVer(
-    "2.12.4",
-  );
-
-  public static CLI_VERSION_GLOBAL_CACHE = new SemVer("2.12.4");
-
-  /**
-   * CLI version where the query server supports quick-eval count mode.
-   */
-  public static CLI_VERSION_WITH_QUICK_EVAL_COUNT = new SemVer("2.13.3");
+  public static OLDEST_SUPPORTED_CLI_VERSION = new SemVer("2.13.5");
 
   /**
    * CLI version where the `generate extensible-predicate-metadata`
@@ -1788,6 +1742,15 @@ export class CliVersionConstraint {
    */
   public static CLI_VERSION_WITH_TRIM_CACHE = new SemVer("2.15.1");
 
+  public static CLI_VERSION_WITHOUT_MRVA_EXTENSIBLE_PREDICATE_HACK = new SemVer(
+    "2.16.1",
+  );
+
+  /**
+   * CLI version where there is support for multiple queries on the pack create command.
+   */
+  public static CLI_VERSION_WITH_MULTI_QUERY_PACK_CREATE = new SemVer("2.16.1");
+
   constructor(private readonly cli: CodeQLCliServer) {
     /**/
   }
@@ -1796,81 +1759,32 @@ export class CliVersionConstraint {
     return (await this.cli.getVersion()).compare(v) >= 0;
   }
 
-  async supportsQlxRemote() {
-    return this.isVersionAtLeast(CliVersionConstraint.CLI_VERSION_QLX_REMOTE);
-  }
-
-  async supportsPreciseResolveMlModels() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_PRECISE_RESOLVE_ML_MODELS,
-    );
-  }
-
-  async supportsResolveExtensions() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_RESOLVE_EXTENSIONS,
-    );
-  }
-
-  async supportsSourceMap() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_SOURCEMAP,
-    );
-  }
-
-  async supportsNewQueryServer() {
-    // This allows users to explicitly opt-out of the new query server.
-    return (
-      allowCanaryQueryServer() &&
-      this.isVersionAtLeast(
-        CliVersionConstraint.CLI_VERSION_WITH_NEW_QUERY_SERVER,
-      )
-    );
-  }
-
-  async supportsNewQueryServerForTests() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_NEW_QUERY_SERVER,
-    );
-  }
-
-  async supportsWorkspaceReferences() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_WORKSPACE_RFERENCES,
-    );
-  }
-
-  async supportsQlpacksKind() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_QLPACKS_KIND,
-    );
-  }
-
-  async supportsAdditionalPacksInstall() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_ADDITIONAL_PACKS_INSTALL,
-    );
-  }
-
-  async usesGlobalCompilationCache() {
-    return this.isVersionAtLeast(CliVersionConstraint.CLI_VERSION_GLOBAL_CACHE);
-  }
-
   async supportsVisibilityNotifications() {
     return this.isVersionAtLeast(
       CliVersionConstraint.CLI_VERSION_WITH_VISIBILITY_NOTIFICATIONS,
     );
   }
 
-  async supportsQuickEvalCount() {
-    return this.isVersionAtLeast(
-      CliVersionConstraint.CLI_VERSION_WITH_QUICK_EVAL_COUNT,
-    );
-  }
-
   async supportsGenerateExtensiblePredicateMetadata() {
     return this.isVersionAtLeast(
       CliVersionConstraint.CLI_VERSION_WITH_EXTENSIBLE_PREDICATE_METADATA,
     );
   }
+
+  async preservesExtensiblePredicatesInMrvaPack() {
+    // Negated, because we _stopped_ preserving these in 2.16.1.
+    return !(await this.isVersionAtLeast(
+      CliVersionConstraint.CLI_VERSION_WITHOUT_MRVA_EXTENSIBLE_PREDICATE_HACK,
+    ));
+  }
+
+  async supportsPackCreateWithMultipleQueries() {
+    return this.isVersionAtLeast(
+      CliVersionConstraint.CLI_VERSION_WITH_MULTI_QUERY_PACK_CREATE,
+    );
+  }
+
+  async supportsMrvaPackCreate(): Promise<boolean> {
+    return (await this.cli.getFeatures()).mrvaPackCreate === true;
+  }
 }

extensions/ql-vscode/src/codeql-cli/distribution.ts

@@ -1,21 +1,18 @@
-import * as fetch from "node-fetch";
-import { pathExists, mkdtemp, createWriteStream, remove } from "fs-extra";
+import type { WriteStream } from "fs";
+import { createWriteStream, mkdtemp, pathExists, remove } from "fs-extra";
 import { tmpdir } from "os";
 import { delimiter, dirname, join } from "path";
-import * as semver from "semver";
-import { URL } from "url";
-import { ExtensionContext, Event } from "vscode";
-import { DistributionConfig } from "../config";
+import { Range, satisfies } from "semver";
+import type { Event, ExtensionContext } from "vscode";
+import type { DistributionConfig } from "../config";
 import { extLogger } from "../common/logging/vscode";
+import type { VersionAndFeatures } from "./cli-version";
 import { getCodeQlCliVersion } from "./cli-version";
-import {
-  ProgressCallback,
-  reportStreamProgress,
-} from "../common/vscode/progress";
+import type { ProgressCallback } from "../common/vscode/progress";
+import { reportStreamProgress } from "../common/vscode/progress";
 import {
   codeQlLauncherName,
   deprecatedCodeQlLauncherName,
-  extractZipArchive,
   getRequiredAssetName,
 } from "../common/distribution";
 import {
@@ -26,6 +23,12 @@ import {
   showAndLogErrorMessage,
   showAndLogWarningMessage,
 } from "../common/logging";
+import { unzipToDirectoryConcurrently } from "../common/unzip-concurrently";
+import { reportUnzipProgress } from "../common/vscode/unzip-progress";
+import type { Release } from "./distribution/release";
+import { ReleasesApiConsumer } from "./distribution/releases-api-consumer";
+import { createTimeoutSignal } from "../common/fetch-stream";
+import { AbortError } from "node-fetch";
 
 /**
  * distribution.ts
@@ -35,28 +38,21 @@ import {
  */
 
 /**
- * Default value for the owner name of the extension-managed distribution on GitHub.
- *
- * We set the default here rather than as a default config value so that this default is invoked
- * upon blanking the setting.
+ * Repository name with owner of the stable version of the extension-managed distribution on GitHub.
  */
-const DEFAULT_DISTRIBUTION_OWNER_NAME = "github";
+const STABLE_DISTRIBUTION_REPOSITORY_NWO = "github/codeql-cli-binaries";
 
 /**
- * Default value for the repository name of the extension-managed distribution on GitHub.
- *
- * We set the default here rather than as a default config value so that this default is invoked
- * upon blanking the setting.
+ * Repository name with owner of the nightly version of the extension-managed distribution on GitHub.
  */
-const DEFAULT_DISTRIBUTION_REPOSITORY_NAME = "codeql-cli-binaries";
+const NIGHTLY_DISTRIBUTION_REPOSITORY_NWO = "dsp-testing/codeql-cli-nightlies";
 
 /**
  * Range of versions of the CLI that are compatible with the extension.
  *
  * This applies to both extension-managed and CLI distributions.
  */
-export const DEFAULT_DISTRIBUTION_VERSION_RANGE: semver.Range =
-  new semver.Range("2.x");
+export const DEFAULT_DISTRIBUTION_VERSION_RANGE: Range = new Range("2.x");
 
 export interface DistributionProvider {
   getCodeQlPathWithoutVersionCheck(): Promise<string | undefined>;
@@ -67,7 +63,7 @@ export interface DistributionProvider {
 export class DistributionManager implements DistributionProvider {
   constructor(
     public readonly config: DistributionConfig,
-    private readonly versionRange: semver.Range,
+    private readonly versionRange: Range,
     extensionContext: ExtensionContext,
   ) {
     this._onDidChangeDistribution = config.onDidChangeConfiguration;
@@ -95,11 +91,11 @@ export class DistributionManager implements DistributionProvider {
         kind: FindDistributionResultKind.NoDistribution,
       };
     }
-    const version = await getCodeQlCliVersion(
+    const versionAndFeatures = await getCodeQlCliVersion(
       distribution.codeQlPath,
       extLogger,
     );
-    if (version === undefined) {
+    if (versionAndFeatures === undefined) {
       return {
         distribution,
         kind: FindDistributionResultKind.UnknownCompatibilityDistribution,
@@ -126,17 +122,21 @@ export class DistributionManager implements DistributionProvider {
       distribution.kind !== DistributionKind.ExtensionManaged ||
       this.config.includePrerelease;
 
-    if (!semver.satisfies(version, this.versionRange, { includePrerelease })) {
+    if (
+      !satisfies(versionAndFeatures.version, this.versionRange, {
+        includePrerelease,
+      })
+    ) {
       return {
         distribution,
         kind: FindDistributionResultKind.IncompatibleDistribution,
-        version,
+        versionAndFeatures,
       };
     }
     return {
       distribution,
       kind: FindDistributionResultKind.CompatibleDistribution,
-      version,
+      versionAndFeatures,
     };
   }
 
@@ -195,9 +195,8 @@ export class DistributionManager implements DistributionProvider {
 
     if (process.env.PATH) {
       for (const searchDirectory of process.env.PATH.split(delimiter)) {
-        const expectedLauncherPath = await getExecutableFromDirectory(
-          searchDirectory,
-        );
+        const expectedLauncherPath =
+          await getExecutableFromDirectory(searchDirectory);
         if (expectedLauncherPath) {
           return {
             codeQlPath: expectedLauncherPath,
@@ -284,7 +283,7 @@ export class DistributionManager implements DistributionProvider {
 class ExtensionSpecificDistributionManager {
   constructor(
     private readonly config: DistributionConfig,
-    private readonly versionRange: semver.Range,
+    private readonly versionRange: Range,
     private readonly extensionContext: ExtensionContext,
   ) {
     /**/
@@ -388,15 +387,25 @@ class ExtensionSpecificDistributionManager {
       );
     }
 
-    const assetStream =
-      await this.createReleasesApiConsumer().streamBinaryContentOfAsset(
-        assets[0],
-      );
+    const {
+      signal,
+      onData,
+      dispose: disposeTimeout,
+    } = createTimeoutSignal(this.config.downloadTimeout);
+
     const tmpDirectory = await mkdtemp(join(tmpdir(), "vscode-codeql"));
 
+    let archiveFile: WriteStream | undefined = undefined;
+
     try {
+      const assetStream =
+        await this.createReleasesApiConsumer().streamBinaryContentOfAsset(
+          assets[0],
+          signal,
+        );
+
       const archivePath = join(tmpDirectory, "distributionDownload.zip");
-      const archiveFile = createWriteStream(archivePath);
+      archiveFile = createWriteStream(archivePath);
 
       const contentLength = assetStream.headers.get("content-length");
       const totalNumBytes = contentLength
@@ -409,20 +418,52 @@ class ExtensionSpecificDistributionManager {
         progressCallback,
       );
 
-      await new Promise((resolve, reject) =>
+      assetStream.body.on("data", onData);
+
+      await new Promise((resolve, reject) => {
+        if (!archiveFile) {
+          throw new Error("Invariant violation: archiveFile not set");
+        }
+
         assetStream.body
           .pipe(archiveFile)
           .on("finish", resolve)
-          .on("error", reject),
-      );
+          .on("error", reject);
+
+        // If an error occurs on the body, we also want to reject the promise (e.g. during a timeout error).
+        assetStream.body.on("error", reject);
+      });
+
+      disposeTimeout();
 
       await this.bumpDistributionFolderIndex();
 
       void extLogger.log(
         `Extracting CodeQL CLI to ${this.getDistributionStoragePath()}`,
       );
-      await extractZipArchive(archivePath, this.getDistributionStoragePath());
+      await unzipToDirectoryConcurrently(
+        archivePath,
+        this.getDistributionStoragePath(),
+        progressCallback
+          ? reportUnzipProgress(
+              `Extracting CodeQL CLI ${release.name}…`,
+              progressCallback,
+            )
+          : undefined,
+      );
+    } catch (e) {
+      if (e instanceof AbortError) {
+        const thrownError = new AbortError("The download timed out.");
+        thrownError.stack = e.stack;
+        throw thrownError;
+      }
+
+      throw e;
     } finally {
+      disposeTimeout();
+
+      archiveFile?.close();
+
       await remove(tmpDirectory);
     }
   }
@@ -444,9 +485,18 @@ class ExtensionSpecificDistributionManager {
     void extLogger.log(
       `Searching for latest release including ${requiredAssetName}.`,
     );
+
+    const versionRange = this.usingNightlyReleases
+      ? undefined
+      : this.versionRange;
+    const orderBySemver = !this.usingNightlyReleases;
+    const includePrerelease =
+      this.usingNightlyReleases || this.config.includePrerelease;
+
     return this.createReleasesApiConsumer().getLatestRelease(
-      this.versionRange,
-      this.config.includePrerelease,
+      versionRange,
+      orderBySemver,
+      includePrerelease,
       (release) => {
         // v2.12.3 was released with a bug that causes the extension to fail
         // so we force the extension to ignore it.
@@ -476,19 +526,26 @@ class ExtensionSpecificDistributionManager {
   }
 
   private createReleasesApiConsumer(): ReleasesApiConsumer {
-    const ownerName = this.config.ownerName
-      ? this.config.ownerName
-      : DEFAULT_DISTRIBUTION_OWNER_NAME;
-    const repositoryName = this.config.repositoryName
-      ? this.config.repositoryName
-      : DEFAULT_DISTRIBUTION_REPOSITORY_NAME;
     return new ReleasesApiConsumer(
-      ownerName,
-      repositoryName,
+      this.distributionRepositoryNwo,
       this.config.personalAccessToken,
     );
   }
 
+  private get distributionRepositoryNwo(): string {
+    if (this.config.channel === "nightly") {
+      return NIGHTLY_DISTRIBUTION_REPOSITORY_NWO;
+    } else {
+      return STABLE_DISTRIBUTION_REPOSITORY_NWO;
+    }
+  }
+
+  private get usingNightlyReleases(): boolean {
+    return (
+      this.distributionRepositoryNwo === NIGHTLY_DISTRIBUTION_REPOSITORY_NWO
+    );
+  }
+
   private async bumpDistributionFolderIndex(): Promise<void> {
     const index = this.extensionContext.globalState.get(
       ExtensionSpecificDistributionManager._currentDistributionFolderIndexStateKey,
@@ -543,171 +600,6 @@ class ExtensionSpecificDistributionManager {
   private static readonly _codeQlExtractedFolderName = "codeql";
 }
 
-export class ReleasesApiConsumer {
-  constructor(
-    ownerName: string,
-    repoName: string,
-    personalAccessToken?: string,
-  ) {
-    // Specify version of the GitHub API
-    this._defaultHeaders["accept"] = "application/vnd.github.v3+json";
-
-    if (personalAccessToken) {
-      this._defaultHeaders["authorization"] = `token ${personalAccessToken}`;
-    }
-
-    this._ownerName = ownerName;
-    this._repoName = repoName;
-  }
-
-  public async getLatestRelease(
-    versionRange: semver.Range,
-    includePrerelease = false,
-    additionalCompatibilityCheck?: (release: GithubRelease) => boolean,
-  ): Promise<Release> {
-    const apiPath = `/repos/${this._ownerName}/${this._repoName}/releases`;
-    const allReleases: GithubRelease[] = await (
-      await this.makeApiCall(apiPath)
-    ).json();
-    const compatibleReleases = allReleases.filter((release) => {
-      if (release.prerelease && !includePrerelease) {
-        return false;
-      }
-
-      const version = semver.parse(release.tag_name);
-      if (
-        version === null ||
-        !semver.satisfies(version, versionRange, { includePrerelease })
-      ) {
-        return false;
-      }
-
-      return (
-        !additionalCompatibilityCheck || additionalCompatibilityCheck(release)
-      );
-    });
-    // Tag names must all be parsable to semvers due to the previous filtering step.
-    const latestRelease = compatibleReleases.sort((a, b) => {
-      const versionComparison = semver.compare(
-        semver.parse(b.tag_name)!,
-        semver.parse(a.tag_name)!,
-      );
-      if (versionComparison !== 0) {
-        return versionComparison;
-      }
-      return b.created_at.localeCompare(a.created_at, "en-US");
-    })[0];
-    if (latestRelease === undefined) {
-      throw new Error(
-        "No compatible CodeQL CLI releases were found. " +
-          "Please check that the CodeQL extension is up to date.",
-      );
-    }
-    const assets: ReleaseAsset[] = latestRelease.assets.map((asset) => {
-      return {
-        id: asset.id,
-        name: asset.name,
-        size: asset.size,
-      };
-    });
-
-    return {
-      assets,
-      createdAt: latestRelease.created_at,
-      id: latestRelease.id,
-      name: latestRelease.name,
-    };
-  }
-
-  public async streamBinaryContentOfAsset(
-    asset: ReleaseAsset,
-  ): Promise<fetch.Response> {
-    const apiPath = `/repos/${this._ownerName}/${this._repoName}/releases/assets/${asset.id}`;
-
-    return await this.makeApiCall(apiPath, {
-      accept: "application/octet-stream",
-    });
-  }
-
-  protected async makeApiCall(
-    apiPath: string,
-    additionalHeaders: { [key: string]: string } = {},
-  ): Promise<fetch.Response> {
-    const response = await this.makeRawRequest(
-      ReleasesApiConsumer._apiBase + apiPath,
-      Object.assign({}, this._defaultHeaders, additionalHeaders),
-    );
-
-    if (!response.ok) {
-      // Check for rate limiting
-      const rateLimitResetValue = response.headers.get("X-RateLimit-Reset");
-      if (response.status === 403 && rateLimitResetValue) {
-        const secondsToMillisecondsFactor = 1000;
-        const rateLimitResetDate = new Date(
-          parseInt(rateLimitResetValue, 10) * secondsToMillisecondsFactor,
-        );
-        throw new GithubRateLimitedError(
-          response.status,
-          await response.text(),
-          rateLimitResetDate,
-        );
-      }
-      throw new GithubApiError(response.status, await response.text());
-    }
-    return response;
-  }
-
-  private async makeRawRequest(
-    requestUrl: string,
-    headers: { [key: string]: string },
-    redirectCount = 0,
-  ): Promise<fetch.Response> {
-    const response = await fetch.default(requestUrl, {
-      headers,
-      redirect: "manual",
-    });
-
-    const redirectUrl = response.headers.get("location");
-    if (
-      isRedirectStatusCode(response.status) &&
-      redirectUrl &&
-      redirectCount < ReleasesApiConsumer._maxRedirects
-    ) {
-      const parsedRedirectUrl = new URL(redirectUrl);
-      if (parsedRedirectUrl.protocol !== "https:") {
-        throw new Error("Encountered a non-https redirect, rejecting");
-      }
-      if (parsedRedirectUrl.host !== "api.github.com") {
-        // Remove authorization header if we are redirected outside of the GitHub API.
-        //
-        // This is necessary to stream release assets since AWS fails if more than one auth
-        // mechanism is provided.
-        delete headers["authorization"];
-      }
-      return await this.makeRawRequest(redirectUrl, headers, redirectCount + 1);
-    }
-
-    return response;
-  }
-
-  private readonly _defaultHeaders: { [key: string]: string } = {};
-  private readonly _ownerName: string;
-  private readonly _repoName: string;
-
-  private static readonly _apiBase = "https://api.github.com";
-  private static readonly _maxRedirects = 20;
-}
-
-function isRedirectStatusCode(statusCode: number): boolean {
-  return (
-    statusCode === 301 ||
-    statusCode === 302 ||
-    statusCode === 303 ||
-    statusCode === 307 ||
-    statusCode === 308
-  );
-}
-
 /*
  * Types and helper functions relating to those types.
  */
@@ -747,7 +639,7 @@ interface DistributionResult {
 
 interface CompatibleDistributionResult extends DistributionResult {
   kind: FindDistributionResultKind.CompatibleDistribution;
-  version: semver.SemVer;
+  versionAndFeatures: VersionAndFeatures;
 }
 
 interface UnknownCompatibilityDistributionResult extends DistributionResult {
@@ -756,7 +648,7 @@ interface UnknownCompatibilityDistributionResult extends DistributionResult {
 
 interface IncompatibleDistributionResult extends DistributionResult {
   kind: FindDistributionResultKind.IncompatibleDistribution;
-  version: semver.SemVer;
+  versionAndFeatures: VersionAndFeatures;
 }
 
 interface NoDistributionResult {
@@ -858,116 +750,3 @@ function warnDeprecatedLauncher() {
       `Please use "${codeQlLauncherName()}" instead. It is recommended to update to the latest CodeQL binaries.`,
   );
 }
-
-/**
- * A release on GitHub.
- */
-interface Release {
-  assets: ReleaseAsset[];
-
-  /**
-   * The creation date of the release on GitHub.
-   */
-  createdAt: string;
-
-  /**
-   * The id associated with the release on GitHub.
-   */
-  id: number;
-
-  /**
-   * The name associated with the release on GitHub.
-   */
-  name: string;
-}
-
-/**
- * An asset corresponding to a release on GitHub.
- */
-interface ReleaseAsset {
-  /**
-   * The id associated with the asset on GitHub.
-   */
-  id: number;
-
-  /**
-   * The name associated with the asset on GitHub.
-   */
-  name: string;
-
-  /**
-   * The size of the asset in bytes.
-   */
-  size: number;
-}
-
-/**
- * The json returned from github for a release.
- */
-export interface GithubRelease {
-  assets: GithubReleaseAsset[];
-
-  /**
-   * The creation date of the release on GitHub, in ISO 8601 format.
-   */
-  created_at: string;
-
-  /**
-   * The id associated with the release on GitHub.
-   */
-  id: number;
-
-  /**
-   * The name associated with the release on GitHub.
-   */
-  name: string;
-
-  /**
-   * Whether the release is a prerelease.
-   */
-  prerelease: boolean;
-
-  /**
-   * The tag name.  This should be the version.
-   */
-  tag_name: string;
-}
-
-/**
- * The json returned by github for an asset in a release.
- */
-export interface GithubReleaseAsset {
-  /**
-   * The id associated with the asset on GitHub.
-   */
-  id: number;
-
-  /**
-   * The name associated with the asset on GitHub.
-   */
-  name: string;
-
-  /**
-   * The size of the asset in bytes.
-   */
-  size: number;
-}
-
-export class GithubApiError extends Error {
-  constructor(
-    public status: number,
-    public body: string,
-  ) {
-    super(`API call failed with status code ${status}, body: ${body}`);
-  }
-}
-
-export class GithubRateLimitedError extends GithubApiError {
-  constructor(
-    public status: number,
-    public body: string,
-    public rateLimitResetDate: Date,
-  ) {
-    super(status, body);
-  }
-}

extensions/ql-vscode/src/codeql-cli/distribution/github-api-error.ts

@@ -0,0 +1,18 @@
+export class GithubApiError extends Error {
+  constructor(
+    public status: number,
+    public body: string,
+  ) {
+    super(`API call failed with status code ${status}, body: ${body}`);
+  }
+}
+
+export class GithubRateLimitedError extends GithubApiError {
+  constructor(
+    public status: number,
+    public body: string,
+    public rateLimitResetDate: Date,
+  ) {
+    super(status, body);
+  }
+}

extensions/ql-vscode/src/codeql-cli/distribution/release.ts

@@ -0,0 +1,48 @@
+/**
+ * A release of the CodeQL CLI hosted on GitHub.
+ */
+export interface Release {
+  /**
+   * The assets associated with the release on GitHub.
+   */
+  assets: ReleaseAsset[];
+
+  /**
+   * The creation date of the release on GitHub.
+   *
+   * This is the date that the release was uploaded to GitHub, and not the date
+   * when we downloaded it or the date when we fetched the data from the GitHub API.
+   */
+  createdAt: string;
+
+  /**
+   * The id associated with the release on GitHub.
+   */
+  id: number;
+
+  /**
+   * The name associated with the release on GitHub.
+   */
+  name: string;
+}
+
+/**
+ * An asset attached to a release on GitHub.
+ * Each release may have multiple assets, and each asset can be downloaded independently.
+ */
+export interface ReleaseAsset {
+  /**
+   * The id associated with the asset on GitHub.
+   */
+  id: number;
+
+  /**
+   * The name associated with the asset on GitHub.
+   */
+  name: string;
+
+  /**
+   * The size of the asset in bytes.
+   */
+  size: number;
+}

extensions/ql-vscode/src/codeql-cli/distribution/releases-api-consumer.ts

@@ -0,0 +1,212 @@
+import type { Response } from "node-fetch";
+import { default as fetch } from "node-fetch";
+import type { Range } from "semver";
+import { compare, parse, satisfies } from "semver";
+import { URL } from "url";
+import type { Release, ReleaseAsset } from "./release";
+import { GithubApiError, GithubRateLimitedError } from "./github-api-error";
+
+/**
+ * Communicates with the GitHub API to determine the latest compatible release and download assets.
+ */
+export class ReleasesApiConsumer {
+  private static readonly apiBase = "https://api.github.com";
+  private static readonly maxRedirects = 20;
+
+  private readonly defaultHeaders: { [key: string]: string } = {};
+
+  constructor(
+    private readonly repositoryNwo: string,
+    personalAccessToken?: string,
+  ) {
+    // Specify version of the GitHub API
+    this.defaultHeaders["accept"] = "application/vnd.github.v3+json";
+
+    if (personalAccessToken) {
+      this.defaultHeaders["authorization"] = `token ${personalAccessToken}`;
+    }
+  }
+
+  public async getLatestRelease(
+    versionRange: Range | undefined,
+    orderBySemver = true,
+    includePrerelease = false,
+    additionalCompatibilityCheck?: (release: GithubRelease) => boolean,
+  ): Promise<Release> {
+    const apiPath = `/repos/${this.repositoryNwo}/releases`;
+    const allReleases: GithubRelease[] = await (
+      await this.makeApiCall(apiPath)
+    ).json();
+    const compatibleReleases = allReleases.filter((release) => {
+      if (release.prerelease && !includePrerelease) {
+        return false;
+      }
+
+      if (versionRange !== undefined) {
+        const version = parse(release.tag_name);
+        if (
+          version === null ||
+          !satisfies(version, versionRange, { includePrerelease })
+        ) {
+          return false;
+        }
+      }
+
+      return (
+        !additionalCompatibilityCheck || additionalCompatibilityCheck(release)
+      );
+    });
+    // Tag names must all be parsable to semvers due to the previous filtering step.
+    const latestRelease = compatibleReleases.sort((a, b) => {
+      const versionComparison = orderBySemver
+        ? compare(parse(b.tag_name)!, parse(a.tag_name)!)
+        : b.id - a.id;
+      if (versionComparison !== 0) {
+        return versionComparison;
+      }
+      return b.created_at.localeCompare(a.created_at, "en-US");
+    })[0];
+    if (latestRelease === undefined) {
+      throw new Error(
+        "No compatible CodeQL CLI releases were found. " +
+          "Please check that the CodeQL extension is up to date.",
+      );
+    }
+    const assets: ReleaseAsset[] = latestRelease.assets.map((asset) => {
+      return {
+        id: asset.id,
+        name: asset.name,
+        size: asset.size,
+      };
+    });
+
+    return {
+      assets,
+      createdAt: latestRelease.created_at,
+      id: latestRelease.id,
+      name: latestRelease.name,
+    };
+  }
+
+  public async streamBinaryContentOfAsset(
+    asset: ReleaseAsset,
+    signal?: AbortSignal,
+  ): Promise<Response> {
+    const apiPath = `/repos/${this.repositoryNwo}/releases/assets/${asset.id}`;
+
+    return await this.makeApiCall(
+      apiPath,
+      {
+        accept: "application/octet-stream",
+      },
+      signal,
+    );
+  }
+
+  protected async makeApiCall(
+    apiPath: string,
+    additionalHeaders: { [key: string]: string } = {},
+    signal?: AbortSignal,
+  ): Promise<Response> {
+    const response = await this.makeRawRequest(
+      ReleasesApiConsumer.apiBase + apiPath,
+      Object.assign({}, this.defaultHeaders, additionalHeaders),
+      signal,
+    );
+
+    if (!response.ok) {
+      // Check for rate limiting
+      const rateLimitResetValue = response.headers.get("X-RateLimit-Reset");
+      if (response.status === 403 && rateLimitResetValue) {
+        const secondsToMillisecondsFactor = 1000;
+        const rateLimitResetDate = new Date(
+          parseInt(rateLimitResetValue, 10) * secondsToMillisecondsFactor,
+        );
+        throw new GithubRateLimitedError(
+          response.status,
+          await response.text(),
+          rateLimitResetDate,
+        );
+      }
+      throw new GithubApiError(response.status, await response.text());
+    }
+    return response;
+  }
+
+  private async makeRawRequest(
+    requestUrl: string,
+    headers: { [key: string]: string },
+    signal?: AbortSignal,
+    redirectCount = 0,
+  ): Promise<Response> {
+    const response = await fetch(requestUrl, {
+      headers,
+      redirect: "manual",
+      signal,
+    });
+
+    const redirectUrl = response.headers.get("location");
+    if (
+      isRedirectStatusCode(response.status) &&
+      redirectUrl &&
+      redirectCount < ReleasesApiConsumer.maxRedirects
+    ) {
+      const parsedRedirectUrl = new URL(redirectUrl);
+      if (parsedRedirectUrl.protocol !== "https:") {
+        throw new Error("Encountered a non-https redirect, rejecting");
+      }
+      if (parsedRedirectUrl.host !== "api.github.com") {
+        // Remove authorization header if we are redirected outside of the GitHub API.
+        //
+        // This is necessary to stream release assets since AWS fails if more than one auth
+        // mechanism is provided.
+        delete headers["authorization"];
+      }
+      return await this.makeRawRequest(
+        redirectUrl,
+        headers,
+        signal,
+        redirectCount + 1,
+      );
+    }
+
+    return response;
+  }
+}
+
+function isRedirectStatusCode(statusCode: number): boolean {
+  return (
+    statusCode === 301 ||
+    statusCode === 302 ||
+    statusCode === 303 ||
+    statusCode === 307 ||
+    statusCode === 308
+  );
+}
+
+/**
+ * The json returned from github for a release.
+ * See https://docs.github.com/en/rest/releases/releases#get-a-release for example response and response schema.
+ *
+ * This type must match the format of the GitHub API and is not intended to be used outside of this file except for tests. Please use the `Release` type instead.
+ */
+export interface GithubRelease {
+  assets: GithubReleaseAsset[];
+  created_at: string;
+  id: number;
+  name: string;
+  prerelease: boolean;
+  tag_name: string;
+}
+
+/**
+ * The json returned by github for an asset in a release.
+ * See https://docs.github.com/en/rest/releases/releases#get-a-release for example response and response schema.
+ *
+ * This type must match the format of the GitHub API and is not intended to be used outside of this file except for tests. Please use the `ReleaseAsset` type instead.
+ */
+interface GithubReleaseAsset {
+  id: number;
+  name: string;
+  size: number;
+}

extensions/ql-vscode/src/codeql-cli/query-language.ts

@@ -1,5 +1,6 @@
-import { CodeQLCliServer } from "./cli";
-import { Uri, window } from "vscode";
+import type { CodeQLCliServer } from "./cli";
+import type { Uri } from "vscode";
+import { window } from "vscode";
 import {
   getLanguageDisplayName,
   isQueryLanguage,
@@ -62,7 +63,7 @@ export async function askForLanguage(
     .sort((a, b) => a.label.localeCompare(b.label));
 
   const selectedItem = await window.showQuickPick(items, {
-    placeHolder: "Select target language for your query",
+    placeHolder: "Select target query language",
     ignoreFocusOut: true,
   });
   if (!selectedItem) {

extensions/ql-vscode/src/codeql-cli/query-metadata.ts

@@ -1,5 +1,5 @@
-import { CodeQLCliServer } from "./cli";
-import { QueryMetadata } from "../common/interface-types";
+import type { CodeQLCliServer } from "./cli";
+import type { QueryMetadata } from "../common/interface-types";
 import { extLogger } from "../common/logging/vscode";
 
 /**

extensions/ql-vscode/src/common/app.ts

@@ -1,10 +1,10 @@
-import { Credentials } from "./authentication";
-import { Disposable } from "./disposable-object";
-import { AppEventEmitter } from "./events";
-import { NotificationLogger } from "./logging";
-import { Memento } from "./memento";
-import { AppCommandManager } from "./commands";
-import { AppTelemetry } from "./telemetry";
+import type { Credentials } from "./authentication";
+import type { Disposable } from "./disposable-object";
+import type { AppEventEmitter } from "./events";
+import type { NotificationLogger } from "./logging";
+import type { Memento } from "./memento";
+import type { AppCommandManager } from "./commands";
+import type { AppTelemetry } from "./telemetry";
 
 export interface App {
   createEventEmitter<T>(): AppEventEmitter<T>;

extensions/ql-vscode/src/common/authentication.ts

@@ -1,4 +1,4 @@
-import * as Octokit from "@octokit/rest";
+import type { Octokit } from "@octokit/rest";
 
 /**
  * An interface providing methods for obtaining access tokens
@@ -12,7 +12,7 @@ export interface Credentials {
    *
    * @returns An instance of Octokit.
    */
-  getOctokit(): Promise<Octokit.Octokit>;
+  getOctokit(): Promise<Octokit>;
 
   /**
    * Returns an OAuth access token.

extensions/ql-vscode/src/common/bqrs-cli-types.ts

@@ -4,7 +4,7 @@
  * the "for the sake of extensibility" comment in messages.ts.
  */
 // eslint-disable-next-line @typescript-eslint/no-namespace
-export namespace ColumnKindCode {
+export namespace BqrsColumnKindCode {
   export const FLOAT = "f";
   export const INTEGER = "i";
   export const STRING = "s";
@@ -13,55 +13,44 @@ export namespace ColumnKindCode {
   export const ENTITY = "e";
 }
 
-type ColumnKind =
-  | typeof ColumnKindCode.FLOAT
-  | typeof ColumnKindCode.INTEGER
-  | typeof ColumnKindCode.STRING
-  | typeof ColumnKindCode.BOOLEAN
-  | typeof ColumnKindCode.DATE
-  | typeof ColumnKindCode.ENTITY;
+export type BqrsColumnKind =
+  | typeof BqrsColumnKindCode.FLOAT
+  | typeof BqrsColumnKindCode.INTEGER
+  | typeof BqrsColumnKindCode.STRING
+  | typeof BqrsColumnKindCode.BOOLEAN
+  | typeof BqrsColumnKindCode.DATE
+  | typeof BqrsColumnKindCode.ENTITY;
 
-export interface Column {
+export interface BqrsSchemaColumn {
   name?: string;
-  kind: ColumnKind;
+  kind: BqrsColumnKind;
 }
 
-export interface ResultSetSchema {
+export interface BqrsResultSetSchema {
   name: string;
   rows: number;
-  columns: Column[];
-  pagination?: PaginationInfo;
+  columns: BqrsSchemaColumn[];
+  pagination?: BqrsPaginationInfo;
 }
 
-export function getResultSetSchema(
-  resultSetName: string,
-  resultSets: BQRSInfo,
-): ResultSetSchema | undefined {
-  for (const schema of resultSets["result-sets"]) {
-    if (schema.name === resultSetName) {
-      return schema;
-    }
-  }
-  return undefined;
-}
-interface PaginationInfo {
+interface BqrsPaginationInfo {
   "step-size": number;
   offsets: number[];
 }
 
-export interface BQRSInfo {
-  "result-sets": ResultSetSchema[];
+export interface BqrsInfo {
+  "result-sets": BqrsResultSetSchema[];
 }
 
 export type BqrsId = number;
 
-export interface EntityValue {
-  url?: UrlValue;
+export interface BqrsEntityValue {
+  url?: BqrsUrlValue;
   label?: string;
   id?: BqrsId;
 }
 
-export interface LineColumnLocation {
+export interface BqrsLineColumnLocation {
   uri: string;
   startLine: number;
   startColumn: number;
@@ -69,7 +58,7 @@ export interface LineColumnLocation {
   endColumn: number;
 }
 
-export interface WholeFileLocation {
+export interface BqrsWholeFileLocation {
   uri: string;
   startLine: never;
   startColumn: never;
@@ -77,37 +66,17 @@ export interface WholeFileLocation {
   endColumn: never;
 }
 
-export type ResolvableLocationValue = WholeFileLocation | LineColumnLocation;
+export type BqrsUrlValue =
+  | BqrsWholeFileLocation
+  | BqrsLineColumnLocation
+  | string;
 
-export type UrlValue = ResolvableLocationValue | string;
-
-export type CellValue = EntityValue | number | string | boolean;
-
-export type ResultRow = CellValue[];
-
-export interface RawResultSet {
-  readonly schema: ResultSetSchema;
-  readonly rows: readonly ResultRow[];
-}
-
-// TODO: This function is not necessary. It generates a tuple that is slightly easier
-// to handle than the ResultSetSchema and DecodedBqrsChunk. But perhaps it is unnecessary
-// boilerplate.
-export function transformBqrsResultSet(
-  schema: ResultSetSchema,
-  page: DecodedBqrsChunk,
-): RawResultSet {
-  return {
-    schema,
-    rows: Array.from(page.tuples),
-  };
-}
+export type BqrsCellValue = BqrsEntityValue | number | string | boolean;
 
 export type BqrsKind =
   | "String"
   | "Float"
   | "Integer"
-  | "String"
   | "Boolean"
   | "Date"
   | "Entity";
@@ -116,8 +85,9 @@ interface BqrsColumn {
   name?: string;
   kind: BqrsKind;
 }
+
 export interface DecodedBqrsChunk {
-  tuples: CellValue[][];
+  tuples: BqrsCellValue[][];
   next?: number;
   columns: BqrsColumn[];
 }

extensions/ql-vscode/src/common/bqrs-raw-results-mapper.ts

@@ -0,0 +1,216 @@
+import type {
+  BqrsCellValue as BqrsCellValue,
+  BqrsColumnKind as BqrsColumnKind,
+  DecodedBqrsChunk,
+  BqrsEntityValue as BqrsEntityValue,
+  BqrsLineColumnLocation,
+  BqrsResultSetSchema,
+  BqrsUrlValue as BqrsUrlValue,
+  BqrsWholeFileLocation,
+  BqrsSchemaColumn,
+} from "./bqrs-cli-types";
+import { BqrsColumnKindCode } from "./bqrs-cli-types";
+import type {
+  CellValue,
+  Column,
+  EntityValue,
+  RawResultSet,
+  Row,
+  UrlValue,
+  UrlValueResolvable,
+} from "./raw-result-types";
+import { ColumnKind } from "./raw-result-types";
+import { assertNever } from "./helpers-pure";
+import { isEmptyPath } from "./bqrs-utils";
+
+export function bqrsToResultSet(
+  schema: BqrsResultSetSchema,
+  chunk: DecodedBqrsChunk,
+): RawResultSet {
+  const name = schema.name;
+  const totalRowCount = schema.rows;
+
+  const columns = schema.columns.map(mapColumn);
+
+  const rows = chunk.tuples.map(
+    (tuple): Row => tuple.map((cell): CellValue => mapCellValue(cell)),
+  );
+
+  const resultSet: RawResultSet = {
+    name,
+    totalRowCount,
+    columns,
+    rows,
+  };
+
+  if (chunk.next) {
+    resultSet.nextPageOffset = chunk.next;
+  }
+
+  return resultSet;
+}
+
+function mapColumn(column: BqrsSchemaColumn): Column {
+  const result: Column = {
+    kind: mapColumnKind(column.kind),
+  };
+
+  if (column.name) {
+    result.name = column.name;
+  }
+
+  return result;
+}
+
+function mapColumnKind(kind: BqrsColumnKind): ColumnKind {
+  switch (kind) {
+    case BqrsColumnKindCode.STRING:
+      return ColumnKind.String;
+    case BqrsColumnKindCode.FLOAT:
+      return ColumnKind.Float;
+    case BqrsColumnKindCode.INTEGER:
+      return ColumnKind.Integer;
+    case BqrsColumnKindCode.BOOLEAN:
+      return ColumnKind.Boolean;
+    case BqrsColumnKindCode.DATE:
+      return ColumnKind.Date;
+    case BqrsColumnKindCode.ENTITY:
+      return ColumnKind.Entity;
+    default:
+      assertNever(kind);
+  }
+}
+
+function mapCellValue(cellValue: BqrsCellValue): CellValue {
+  switch (typeof cellValue) {
+    case "string":
+      return {
+        type: "string",
+        value: cellValue,
+      };
+    case "number":
+      return {
+        type: "number",
+        value: cellValue,
+      };
+    case "boolean":
+      return {
+        type: "boolean",
+        value: cellValue,
+      };
+    case "object":
+      return {
+        type: "entity",
+        value: mapEntityValue(cellValue),
+      };
+  }
+}
+
+function mapEntityValue(cellValue: BqrsEntityValue): EntityValue {
+  const result: EntityValue = {};
+
+  if (cellValue.id) {
+    result.id = cellValue.id;
+  }
+  if (cellValue.label) {
+    result.label = cellValue.label;
+  }
+  if (cellValue.url) {
+    result.url = mapUrlValue(cellValue.url);
+  }
+
+  return result;
+}
+
+export function mapUrlValue(urlValue: BqrsUrlValue): UrlValue | undefined {
+  if (typeof urlValue === "string") {
+    const location = tryGetLocationFromString(urlValue);
+    if (location !== undefined) {
+      return location;
+    }
+
+    return {
+      type: "string",
+      value: urlValue,
+    };
+  }
+
+  if (isWholeFileLoc(urlValue)) {
+    return {
+      type: "wholeFileLocation",
+      uri: urlValue.uri,
+    };
+  }
+
+  if (isLineColumnLoc(urlValue)) {
+    return {
+      type: "lineColumnLocation",
+      uri: urlValue.uri,
+      startLine: urlValue.startLine,
+      startColumn: urlValue.startColumn,
+      endLine: urlValue.endLine,
+      endColumn: urlValue.endColumn,
+    };
+  }
+
+  return undefined;
+}
+
+function isLineColumnLoc(loc: BqrsUrlValue): loc is BqrsLineColumnLocation {
+  return (
+    typeof loc !== "string" &&
+    !isEmptyPath(loc.uri) &&
+    "startLine" in loc &&
+    "startColumn" in loc &&
+    "endLine" in loc &&
+    "endColumn" in loc
+  );
+}
+
+function isWholeFileLoc(loc: BqrsUrlValue): loc is BqrsWholeFileLocation {
+  return (
+    typeof loc !== "string" && !isEmptyPath(loc.uri) && !isLineColumnLoc(loc)
+  );
+}
+
+/**
+ * The CodeQL filesystem libraries use this pattern in `getURL()` predicates
+ * to describe the location of an entire filesystem resource.
+ * Such locations appear as `StringLocation`s instead of `FivePartLocation`s.
+ *
+ * Folder resources also get similar URLs, but with the `folder` scheme.
+ * They are deliberately ignored here, since there is no suitable location to show the user.
+ */
+const FILE_LOCATION_REGEX = /file:\/\/(.+):([0-9]+):([0-9]+):([0-9]+):([0-9]+)/;
+
+function tryGetLocationFromString(loc: string): UrlValueResolvable | undefined {
+  const matches = FILE_LOCATION_REGEX.exec(loc);
+  if (matches && matches.length > 1 && matches[1]) {
+    if (isWholeFileMatch(matches)) {
+      return {
+        type: "wholeFileLocation",
+        uri: matches[1],
+      };
+    } else {
+      return {
+        type: "lineColumnLocation",
+        uri: matches[1],
+        startLine: Number(matches[2]),
+        startColumn: Number(matches[3]),
+        endLine: Number(matches[4]),
+        endColumn: Number(matches[5]),
+      };
+    }
+  }
+
+  return undefined;
+}
+
+function isWholeFileMatch(matches: RegExpExecArray): boolean {
+  return (
+    matches[2] === "0" &&
+    matches[3] === "0" &&
+    matches[4] === "0" &&
+    matches[5] === "0"
+  );
+}

extensions/ql-vscode/src/common/bqrs-utils.ts

@@ -1,111 +1,21 @@
-import {
-  UrlValue,
-  ResolvableLocationValue,
-  LineColumnLocation,
-  WholeFileLocation,
-} from "./bqrs-cli-types";
 import { createRemoteFileRef } from "../common/location-link-utils";
-
-/**
- * The CodeQL filesystem libraries use this pattern in `getURL()` predicates
- * to describe the location of an entire filesystem resource.
- * Such locations appear as `StringLocation`s instead of `FivePartLocation`s.
- *
- * Folder resources also get similar URLs, but with the `folder` scheme.
- * They are deliberately ignored here, since there is no suitable location to show the user.
- */
-const FILE_LOCATION_REGEX = /file:\/\/(.+):([0-9]+):([0-9]+):([0-9]+):([0-9]+)/;
-/**
- * Gets a resolvable source file location for the specified `LocationValue`, if possible.
- * @param loc The location to test.
- */
-export function tryGetResolvableLocation(
-  loc: UrlValue | undefined,
-): ResolvableLocationValue | undefined {
-  let resolvedLoc;
-  if (loc === undefined) {
-    resolvedLoc = undefined;
-  } else if (isWholeFileLoc(loc) || isLineColumnLoc(loc)) {
-    resolvedLoc = loc as ResolvableLocationValue;
-  } else if (isStringLoc(loc)) {
-    resolvedLoc = tryGetLocationFromString(loc);
-  } else {
-    resolvedLoc = undefined;
-  }
-
-  return resolvedLoc;
-}
-
-export function tryGetLocationFromString(
-  loc: string,
-): ResolvableLocationValue | undefined {
-  const matches = FILE_LOCATION_REGEX.exec(loc);
-  if (matches && matches.length > 1 && matches[1]) {
-    if (isWholeFileMatch(matches)) {
-      return {
-        uri: matches[1],
-      } as WholeFileLocation;
-    } else {
-      return {
-        uri: matches[1],
-        startLine: Number(matches[2]),
-        startColumn: Number(matches[3]),
-        endLine: Number(matches[4]),
-        endColumn: Number(matches[5]),
-      };
-    }
-  } else {
-    return undefined;
-  }
-}
-
-function isWholeFileMatch(matches: RegExpExecArray): boolean {
-  return (
-    matches[2] === "0" &&
-    matches[3] === "0" &&
-    matches[4] === "0" &&
-    matches[5] === "0"
-  );
-}
+import type { UrlValue } from "./raw-result-types";
+import { isUrlValueResolvable } from "./raw-result-types";
 
 /**
  * Checks whether the file path is empty. If so, we do not want to render this location
  * as a link.
- *
- * @param uri A file uri
  */
 export function isEmptyPath(uriStr: string) {
   return !uriStr || uriStr === "file:/";
 }
 
-export function isLineColumnLoc(loc: UrlValue): loc is LineColumnLocation {
-  return (
-    typeof loc !== "string" &&
-    !isEmptyPath(loc.uri) &&
-    "startLine" in loc &&
-    "startColumn" in loc &&
-    "endLine" in loc &&
-    "endColumn" in loc
-  );
-}
-
-export function isWholeFileLoc(loc: UrlValue): loc is WholeFileLocation {
-  return (
-    typeof loc !== "string" && !isEmptyPath(loc.uri) && !isLineColumnLoc(loc)
-  );
-}
-
-export function isStringLoc(loc: UrlValue): loc is string {
-  return typeof loc === "string";
-}
-
 export function tryGetRemoteLocation(
   loc: UrlValue | undefined,
   fileLinkPrefix: string,
   sourceLocationPrefix: string | undefined,
 ): string | undefined {
-  const resolvableLocation = tryGetResolvableLocation(loc);
-  if (!resolvableLocation) {
+  if (!loc || !isUrlValueResolvable(loc)) {
     return undefined;
   }
 
@@ -115,22 +25,19 @@ export function tryGetRemoteLocation(
   // "file:${sourceLocationPrefix}/relative/path/to/file"
   // So we need to strip off the first part to get the relative path.
   if (sourceLocationPrefix) {
-    if (!resolvableLocation.uri.startsWith(`file:${sourceLocationPrefix}/`)) {
+    if (!loc.uri.startsWith(`file:${sourceLocationPrefix}/`)) {
       return undefined;
     }
-    trimmedLocation = resolvableLocation.uri.replace(
-      `file:${sourceLocationPrefix}/`,
-      "",
-    );
+    trimmedLocation = loc.uri.replace(`file:${sourceLocationPrefix}/`, "");
   } else {
     // If the source location prefix is empty (e.g. for older remote queries), we assume that the database
     // was created on a Linux actions runner and has the format:
     // "file:/home/runner/work/<repo>/<repo>/relative/path/to/file"
     // So we need to drop the first 6 parts of the path.
-    if (!resolvableLocation.uri.startsWith("file:/home/runner/work/")) {
+    if (!loc.uri.startsWith("file:/home/runner/work/")) {
       return undefined;
     }
-    const locationParts = resolvableLocation.uri.split("/");
+    const locationParts = loc.uri.split("/");
     trimmedLocation = locationParts.slice(6, locationParts.length).join("/");
   }
 
@@ -138,11 +45,16 @@ export function tryGetRemoteLocation(
     fileLinkPrefix,
     filePath: trimmedLocation,
   };
+
+  if (loc.type === "wholeFileLocation") {
+    return createRemoteFileRef(fileLink);
+  }
+
   return createRemoteFileRef(
     fileLink,
-    resolvableLocation.startLine,
-    resolvableLocation.endLine,
-    resolvableLocation.startColumn,
-    resolvableLocation.endColumn,
+    loc.startLine,
+    loc.endLine,
+    loc.startColumn,
+    loc.endColumn,
   );
 }

extensions/ql-vscode/src/common/bytes.ts

@@ -0,0 +1,3 @@
+export function readableBytesMb(numBytes: number): string {
+  return `${(numBytes / (1024 * 1024)).toFixed(1)} MB`;
+}

extensions/ql-vscode/src/common/commands.ts

@@ -1,10 +1,9 @@
 import type { CommandManager } from "../packages/commands";
-import type { Uri, Range, TextDocumentShowOptions } from "vscode";
+import type { Uri, Range, TextDocumentShowOptions, TestItem } from "vscode";
 import type { AstItem } from "../language-support";
 import type { DbTreeViewItem } from "../databases/ui/db-tree-view-item";
 import type { DatabaseItem } from "../databases/local-databases";
 import type { QueryHistoryInfo } from "../query-history/query-history-info";
-import type { TestTreeNode } from "../query-testing/test-tree-node";
 import type {
   VariantAnalysis,
   VariantAnalysisScannedRepository,
@@ -146,6 +145,7 @@ export type LocalQueryCommands = {
   "codeQL.quickQuery": () => Promise<void>;
   "codeQL.getCurrentQuery": () => Promise<string>;
   "codeQL.createQuery": () => Promise<void>;
+  "codeQLQuickQuery.createQuery": () => Promise<void>;
 };
 
 // Debugger commands
@@ -275,9 +275,11 @@ export type VariantAnalysisCommands = {
   "codeQL.openVariantAnalysisView": (
     variantAnalysisId: number,
   ) => Promise<void>;
-  "codeQL.runVariantAnalysis": (uri?: Uri) => Promise<void>;
-  "codeQL.runVariantAnalysisContextEditor": (uri?: Uri) => Promise<void>;
+  "codeQL.runVariantAnalysis": () => Promise<void>;
+  "codeQL.runVariantAnalysisContextEditor": (uri: Uri) => Promise<void>;
+  "codeQL.runVariantAnalysisContextExplorer": ExplorerSelectionCommandFunction<Uri>;
   "codeQLQueries.runVariantAnalysisContextMenu": TreeViewContextSingleSelectionCommandFunction<QueryTreeViewItem>;
+  "codeQL.runVariantAnalysisPublishedPack": () => Promise<void>;
 };
 
 export type DatabasePanelCommands = {
@@ -333,11 +335,9 @@ export type SummaryLanguageSupportCommands = {
 };
 
 export type TestUICommands = {
-  "codeQLTests.showOutputDifferences": (node: TestTreeNode) => Promise<void>;
-  "codeQLTests.acceptOutput": (node: TestTreeNode) => Promise<void>;
-  "codeQLTests.acceptOutputContextTestItem": (
-    node: TestTreeNode,
-  ) => Promise<void>;
+  "codeQLTests.showOutputDifferences": (node: TestItem) => Promise<void>;
+  "codeQLTests.acceptOutput": (node: TestItem) => Promise<void>;
+  "codeQLTests.acceptOutputContextTestItem": (node: TestItem) => Promise<void>;
 };
 
 export type MockGitHubApiServerCommands = {

extensions/ql-vscode/src/common/discovery.ts

@@ -1,6 +1,6 @@
 import { DisposableObject } from "./disposable-object";
 import { getErrorMessage } from "./helpers-pure";
-import { Logger } from "./logging";
+import type { BaseLogger } from "./logging";
 
 /**
  * Base class for "discovery" operations, which scan the file system to find specific kinds of
@@ -13,7 +13,7 @@ export abstract class Discovery extends DisposableObject {
 
   constructor(
     protected readonly name: string,
-    private readonly logger: Logger,
+    protected readonly logger: BaseLogger,
   ) {
     super();
   }

extensions/ql-vscode/src/common/disposable-object.ts

@@ -1,7 +1,7 @@
 // Avoid explicitly referencing Disposable type in vscode.
 // This file cannot have dependencies on the vscode API.
 export interface Disposable {
-  dispose(): any;
+  dispose(): unknown;
 }
 
 export type DisposeHandler = (disposable: Disposable) => void;

extensions/ql-vscode/src/common/distribution.ts

@@ -1,7 +1,4 @@
 import { platform } from "os";
-import { Open } from "unzipper";
-import { join } from "path";
-import { pathExists, chmod } from "fs-extra";
 
 /**
  * Get the name of the codeql cli installation we prefer to install, based on our current platform.
@@ -19,31 +16,6 @@ export function getRequiredAssetName(): string {
   }
 }
 
-export async function extractZipArchive(
-  archivePath: string,
-  outPath: string,
-): Promise<void> {
-  const archive = await Open.file(archivePath);
-  await archive.extract({
-    concurrency: 4,
-    path: outPath,
-  });
-  // Set file permissions for extracted files
-  await Promise.all(
-    archive.files.map(async (file) => {
-      // Only change file permissions if within outPath (path.join normalises the path)
-      const extractedPath = join(outPath, file.path);
-      if (
-        extractedPath.indexOf(outPath) !== 0 ||
-        !(await pathExists(extractedPath))
-      ) {
-        return Promise.resolve();
-      }
-      return chmod(extractedPath, file.externalFileAttributes >>> 16);
-    }),
-  );
-}
-
 export function codeQlLauncherName(): string {
   return platform() === "win32" ? "codeql.exe" : "codeql";
 }

extensions/ql-vscode/src/common/errors.ts

@@ -84,12 +84,13 @@ export interface ErrorLike {
   stack?: string;
 }
 
-function isErrorLike(error: any): error is ErrorLike {
-  if (
+function isErrorLike(error: unknown): error is ErrorLike {
+  return (
+    error !== undefined &&
+    error !== null &&
+    typeof error === "object" &&
+    "message" in error &&
     typeof error.message === "string" &&
-    (error.stack === undefined || typeof error.stack === "string")
-  ) {
-    return true;
-  }
-  return false;
+    (!("stack" in error) || typeof error.stack === "string")
+  );
 }

extensions/ql-vscode/src/common/events.ts

@@ -1,4 +1,4 @@
-import { Disposable } from "./disposable-object";
+import type { Disposable } from "./disposable-object";
 
 export interface AppEvent<T> {
   (listener: (event: T) => void): Disposable;

extensions/ql-vscode/src/common/fetch-stream.ts

@@ -0,0 +1,36 @@
+import { clearTimeout } from "node:timers";
+
+export function createTimeoutSignal(timeoutSeconds: number): {
+  signal: AbortSignal;
+  onData: () => void;
+  dispose: () => void;
+} {
+  const timeout = timeoutSeconds * 1000;
+
+  const abortController = new AbortController();
+
+  let timeoutId: NodeJS.Timeout;
+
+  // If we don't get any data within the timeout, abort the download
+  timeoutId = setTimeout(() => {
+    abortController.abort();
+  }, timeout);
+
+  // If we receive any data within the timeout, reset the timeout
+  const onData = () => {
+    clearTimeout(timeoutId);
+    timeoutId = setTimeout(() => {
+      abortController.abort();
+    }, timeout);
+  };
+
+  const dispose = () => {
+    clearTimeout(timeoutId);
+  };
+
+  return {
+    signal: abortController.signal,
+    onData,
+    dispose,
+  };
+}

extensions/ql-vscode/src/common/file-tree-nodes.ts

@@ -1,5 +1,5 @@
 import { basename, dirname, join } from "path";
-import { EnvironmentContext } from "./app";
+import type { EnvironmentContext } from "./app";
 
 /**
  * A node in the tree of files. This will be either a `FileTreeDirectory` or a `FileTreeLeaf`.

extensions/ql-vscode/src/common/files.ts

@@ -1,5 +1,5 @@
-import { pathExists, stat, readdir, opendir } from "fs-extra";
-import { isAbsolute, join, relative, resolve } from "path";
+import { pathExists, stat, readdir, opendir, lstatSync } from "fs-extra";
+import { dirname, isAbsolute, join, relative, resolve } from "path";
 import { tmpdir as osTmpdir } from "os";
 
 /**
@@ -91,18 +91,23 @@ export async function readDirFullPaths(path: string): Promise<string[]> {
  * Symbolic links are ignored.
  *
  * @param dir the directory to walk
+ * @param includeDirectories whether to include directories in the results
  *
  * @return An iterator of the full path to all files recursively found in the directory.
  */
 export async function* walkDirectory(
   dir: string,
+  includeDirectories = false,
 ): AsyncIterableIterator<string> {
   const seenFiles = new Set<string>();
   for await (const d of await opendir(dir)) {
     const entry = join(dir, d.name);
     seenFiles.add(entry);
     if (d.isDirectory()) {
-      yield* walkDirectory(entry);
+      if (includeDirectories) {
+        yield entry;
+      }
+      yield* walkDirectory(entry, includeDirectories);
     } else if (d.isFile()) {
       yield entry;
     }
@@ -119,11 +124,55 @@ export interface IOError {
   readonly code: string;
 }
 
-export function isIOError(e: any): e is IOError {
-  return e.code !== undefined && typeof e.code === "string";
+export function isIOError(e: unknown): e is IOError {
+  return (
+    e !== undefined &&
+    e !== null &&
+    typeof e === "object" &&
+    "code" in e &&
+    typeof e.code === "string"
+  );
 }
 
 // This function is a wrapper around `os.tmpdir()` to make it easier to mock in tests.
 export function tmpdir(): string {
   return osTmpdir();
 }
+
+/**
+ * Finds the common parent directory of an arbitrary number of absolute paths. The result
+ * will be an absolute path.
+ * @param paths The array of paths.
+ * @returns The common parent directory of the paths.
+ */
+export function findCommonParentDir(...paths: string[]): string {
+  if (paths.length === 0) {
+    throw new Error("At least one path must be provided");
+  }
+  if (paths.some((path) => !isAbsolute(path))) {
+    throw new Error("All paths must be absolute");
+  }
+
+  paths = paths.map((path) => normalizePath(path));
+
+  // If there's only one path and it's a file, return its dirname
+  if (paths.length === 1) {
+    return lstatSync(paths[0]).isFile() ? dirname(paths[0]) : paths[0];
+  }
+
+  let commonDir = paths[0];
+  while (!paths.every((path) => containsPath(commonDir, path))) {
+    if (isTopLevelPath(commonDir)) {
+      throw new Error(
+        "Reached filesystem root and didn't find a common parent directory",
+      );
+    }
+    commonDir = dirname(commonDir);
+  }
+
+  return commonDir;
+}
+
+function isTopLevelPath(path: string): boolean {
+  return dirname(path) === path;
+}

extensions/ql-vscode/src/common/helpers-pure.ts

@@ -7,6 +7,18 @@
 
 import { RedactableError } from "./errors";
 
+// Matches any type that is not an array. This is useful to help avoid
+// nested arrays, or for cases like createSingleSelectionCommand to avoid T
+// accidentally getting instantiated as DatabaseItem[] instead of DatabaseItem.
+export type NotArray =
+  | string
+  | bigint
+  | number
+  | boolean
+  | (object & {
+      length?: never;
+    });
+
 /**
  * This error is used to indicate a runtime failure of an exhaustivity check enforced at compile time.
  */
@@ -27,26 +39,26 @@ export function assertNever(value: never): never {
 /**
  * Use to perform array filters where the predicate is asynchronous.
  */
-export const asyncFilter = async function <T>(
+export async function asyncFilter<T>(
   arr: T[],
   predicate: (arg0: T) => Promise<boolean>,
 ) {
   const results = await Promise.all(arr.map(predicate));
   return arr.filter((_, index) => results[index]);
-};
+}
 
 /**
  * This regex matches strings of the form `owner/repo` where:
  * - `owner` is made up of alphanumeric characters, hyphens, underscores, or periods
  * - `repo` is made up of alphanumeric characters, hyphens, underscores, or periods
  */
-export const REPO_REGEX = /^[a-zA-Z0-9-_\.]+\/[a-zA-Z0-9-_\.]+$/;
+export const REPO_REGEX = /^[a-zA-Z0-9-_.]+\/[a-zA-Z0-9-_.]+$/;
 
 /**
  * This regex matches GiHub organization and user strings. These are made up for alphanumeric
  * characters, hyphens, underscores or periods.
  */
-export const OWNER_REGEX = /^[a-zA-Z0-9-_\.]+$/;
+export const OWNER_REGEX = /^[a-zA-Z0-9-_.]+$/;
 
 export function getErrorMessage(e: unknown): string {
   if (e instanceof RedactableError) {

extensions/ql-vscode/src/common/interface-types.ts

@@ -1,30 +1,31 @@
-import * as sarif from "sarif";
-import {
-  RawResultSet,
-  ResultRow,
-  ResultSetSchema,
-  Column,
-  ResolvableLocationValue,
-} from "../common/bqrs-cli-types";
-import {
+import type { Log, Result } from "sarif";
+import type {
   VariantAnalysis,
   VariantAnalysisScannedRepositoryResult,
   VariantAnalysisScannedRepositoryState,
 } from "../variant-analysis/shared/variant-analysis";
-import {
+import type {
   RepositoriesFilterSortState,
   RepositoriesFilterSortStateWithIds,
 } from "../variant-analysis/shared/variant-analysis-filter-sort";
-import { ErrorLike } from "../common/errors";
-import { DataFlowPaths } from "../variant-analysis/shared/data-flow-paths";
-import { Method } from "../model-editor/method";
-import { ModeledMethod } from "../model-editor/modeled-method";
-import {
+import type { ErrorLike } from "../common/errors";
+import type { DataFlowPaths } from "../variant-analysis/shared/data-flow-paths";
+import type { Method } from "../model-editor/method";
+import type { ModeledMethod } from "../model-editor/modeled-method";
+import type {
   MethodModelingPanelViewState,
   ModelEditorViewState,
 } from "../model-editor/shared/view-state";
-import { Mode } from "../model-editor/shared/mode";
-import { QueryLanguage } from "./query-language";
+import type { Mode } from "../model-editor/shared/mode";
+import type { QueryLanguage } from "./query-language";
+import type {
+  Column,
+  RawResultSet,
+  Row,
+  UrlValueResolvable,
+} from "./raw-result-types";
+import type { AccessPathSuggestionOptions } from "../model-editor/suggestions";
+import type { ModelEvaluationRunState } from "../model-editor/shared/model-evaluation-run-state";
 
 /**
  * This module contains types and code that are shared between
@@ -35,10 +36,13 @@ export const SELECT_TABLE_NAME = "#select";
 export const ALERTS_TABLE_NAME = "alerts";
 export const GRAPH_TABLE_NAME = "graph";
 
-export type RawTableResultSet = { t: "RawResultSet" } & RawResultSet;
-export type InterpretedResultSet<T> = {
+type RawTableResultSet = {
+  t: "RawResultSet";
+  resultSet: RawResultSet;
+};
+
+type InterpretedResultSet<T> = {
   t: "InterpretedResultSet";
-  readonly schema: ResultSetSchema;
   name: string;
   interpretation: InterpretationT<T>;
 };
@@ -74,7 +78,7 @@ export type SarifInterpretationData = {
    * they appear in the sarif file.
    */
   sortState?: InterpretedResultsSortState;
-} & sarif.Log;
+} & Log;
 
 export type GraphInterpretationData = {
   t: "GraphInterpretationData";
@@ -208,7 +212,7 @@ export type FromResultsViewMsg =
  */
 interface ViewSourceFileMsg {
   t: "viewSourceFile";
-  loc: ResolvableLocationValue;
+  loc: UrlValueResolvable;
   databaseUri: string;
 }
 
@@ -334,13 +338,15 @@ interface ChangeCompareMessage {
   newResultSetName: string;
 }
 
-export type ToCompareViewMessage = SetComparisonsMessage;
+export type ToCompareViewMessage =
+  | SetComparisonQueryInfoMessage
+  | SetComparisonsMessage;
 
 /**
- * Message to the compare view that specifies the query results to compare.
+ * Message to the compare view that sets the metadata of the compared queries.
  */
-export interface SetComparisonsMessage {
-  readonly t: "setComparisons";
+export interface SetComparisonQueryInfoMessage {
+  readonly t: "setComparisonQueryInfo";
   readonly stats: {
     fromQuery?: {
       name: string;
@@ -353,26 +359,44 @@ export interface SetComparisonsMessage {
       time: string;
     };
   };
-  readonly columns: readonly Column[];
-  readonly commonResultSetNames: string[];
-  readonly currentResultSetName: string;
-  readonly rows: QueryCompareResult | undefined;
-  readonly message: string | undefined;
   readonly databaseUri: string;
+  readonly commonResultSetNames: string[];
 }
 
+/**
+ * Message to the compare view that specifies the query results to compare.
+ */
+export interface SetComparisonsMessage {
+  readonly t: "setComparisons";
+  readonly currentResultSetName: string;
+  readonly result: QueryCompareResult | undefined;
+  readonly message: string | undefined;
+}
+
+export type QueryCompareResult =
+  | RawQueryCompareResult
+  | InterpretedQueryCompareResult;
+
 /**
  * from is the set of rows that have changes in the "from" query.
  * to is the set of rows that have changes in the "to" query.
- * They are in the same order, so element 1 in "from" corresponds to
- * element 1 in "to".
- *
- * If an array element is null, that means that the element was removed
- * (or added) in the comparison.
  */
-export type QueryCompareResult = {
-  from: ResultRow[];
-  to: ResultRow[];
+export type RawQueryCompareResult = {
+  kind: "raw";
+  columns: readonly Column[];
+  from: Row[];
+  to: Row[];
+};
+
+/**
+ * from is the set of results that have changes in the "from" query.
+ * to is the set of results that have changes in the "to" query.
+ */
+export type InterpretedQueryCompareResult = {
+  kind: "interpreted";
+  sourceLocationPrefix: string;
+  from: Result[];
+  to: Result[];
 };
 
 /**
@@ -505,9 +529,10 @@ interface SetMethodsMessage {
   methods: Method[];
 }
 
-interface SetModeledMethodsMessage {
-  t: "setModeledMethods";
+interface SetModeledAndModifiedMethodsMessage {
+  t: "setModeledAndModifiedMethods";
   methods: Record<string, ModeledMethod[]>;
+  modifiedMethodSignatures: string[];
 }
 
 interface SetModifiedMethodsMessage {
@@ -520,6 +545,11 @@ interface SetInProgressMethodsMessage {
   methods: string[];
 }
 
+interface SetProcessedByAutoModelMethodsMessage {
+  t: "setProcessedByAutoModelMethods";
+  methods: string[];
+}
+
 interface SwitchModeMessage {
   t: "switchMode";
   mode: Mode;
@@ -562,6 +592,14 @@ interface StopGeneratingMethodsFromLlmMessage {
   packageName: string;
 }
 
+interface StartModelEvaluationMessage {
+  t: "startModelEvaluation";
+}
+
+interface StopModelEvaluationMessage {
+  t: "stopModelEvaluation";
+}
+
 interface ModelDependencyMessage {
   t: "modelDependency";
 }
@@ -587,18 +625,36 @@ interface SetInProgressMessage {
   inProgress: boolean;
 }
 
+interface SetProcessedByAutoModelMessage {
+  t: "setProcessedByAutoModel";
+  processedByAutoModel: boolean;
+}
+
 interface RevealMethodMessage {
   t: "revealMethod";
   methodSignature: string;
 }
 
+interface SetAccessPathSuggestionsMessage {
+  t: "setAccessPathSuggestions";
+  accessPathSuggestions: AccessPathSuggestionOptions;
+}
+
+interface SetModelEvaluationRunMessage {
+  t: "setModelEvaluationRun";
+  run: ModelEvaluationRunState | undefined;
+}
+
 export type ToModelEditorMessage =
   | SetExtensionPackStateMessage
   | SetMethodsMessage
-  | SetModeledMethodsMessage
+  | SetModeledAndModifiedMethodsMessage
   | SetModifiedMethodsMessage
   | SetInProgressMethodsMessage
-  | RevealMethodMessage;
+  | SetProcessedByAutoModelMethodsMessage
+  | RevealMethodMessage
+  | SetAccessPathSuggestionsMessage
+  | SetModelEvaluationRunMessage;
 
 export type FromModelEditorMessage =
   | CommonFromViewMessages
@@ -613,7 +669,9 @@ export type FromModelEditorMessage =
   | StopGeneratingMethodsFromLlmMessage
   | ModelDependencyMessage
   | HideModeledMethodsMessage
-  | SetMultipleModeledMethodsMessage;
+  | SetMultipleModeledMethodsMessage
+  | StartModelEvaluationMessage
+  | StopModelEvaluationMessage;
 
 interface RevealInEditorMessage {
   t: "revealInModelEditor";
@@ -651,6 +709,7 @@ interface SetSelectedMethodMessage {
   modeledMethods: ModeledMethod[];
   isModified: boolean;
   isInProgress: boolean;
+  processedByAutoModel: boolean;
 }
 
 export type ToMethodModelingMessage =
@@ -660,4 +719,5 @@ export type ToMethodModelingMessage =
   | SetMethodModifiedMessage
   | SetSelectedMethodMessage
   | SetInModelingModeMessage
-  | SetInProgressMessage;
+  | SetInProgressMessage
+  | SetProcessedByAutoModelMessage;

extensions/ql-vscode/src/common/invocation-rate-limiter.ts

@@ -1,4 +1,4 @@
-import { Memento } from "./memento";
+import type { Memento } from "./memento";
 
 /**
  * Provides a utility method to invoke a function only if a minimum time interval has elapsed since

extensions/ql-vscode/src/common/jsonl-reader.ts

@@ -10,9 +10,9 @@ import { readFile } from "fs-extra";
  * @param path The path to the file.
  * @param handler Callback to be invoked for each top-level JSON object in order.
  */
-export async function readJsonlFile(
+export async function readJsonlFile<T>(
   path: string,
-  handler: (value: any) => Promise<void>,
+  handler: (value: T) => Promise<void>,
 ): Promise<void> {
   const logSummary = await readFile(path, "utf-8");
 
@@ -20,7 +20,7 @@ export async function readJsonlFile(
   const jsonSummaryObjects: string[] = logSummary.split(/\r?\n\r?\n/g);
 
   for (const obj of jsonSummaryObjects) {
-    const jsonObj = JSON.parse(obj);
+    const jsonObj = JSON.parse(obj) as T;
     await handler(jsonObj);
   }
 }

extensions/ql-vscode/src/common/location-link-utils.ts

@@ -1,4 +1,4 @@
-import { FileLink } from "../variant-analysis/shared/analysis-result";
+import type { FileLink } from "../variant-analysis/shared/analysis-result";
 
 export function createRemoteFileRef(
   fileLink: FileLink,

extensions/ql-vscode/src/common/logging/notification-logger.ts

@@ -1,4 +1,4 @@
-import { Logger } from "./logger";
+import type { Logger } from "./logger";
 
 export interface NotificationLogger extends Logger {
   showErrorMessage(message: string): Promise<void>;

extensions/ql-vscode/src/common/logging/notifications.ts

@@ -1,6 +1,6 @@
-import { NotificationLogger } from "./notification-logger";
-import { AppTelemetry } from "../telemetry";
-import { RedactableError } from "../errors";
+import type { NotificationLogger } from "./notification-logger";
+import type { AppTelemetry } from "../telemetry";
+import type { RedactableError } from "../errors";
 
 interface ShowAndLogOptions {
   /**

extensions/ql-vscode/src/common/logging/tee-logger.ts

@@ -1,7 +1,7 @@
 import { appendFile, ensureFile } from "fs-extra";
 import { isAbsolute } from "path";
 import { getErrorMessage } from "../helpers-pure";
-import { Logger, LogOptions } from "./logger";
+import type { Logger, LogOptions } from "./logger";
 
 /**
  * An implementation of {@link Logger} that sends the output both to another {@link Logger}

extensions/ql-vscode/src/common/logging/vscode/loggers.ts

@@ -11,7 +11,7 @@ export const extLogger = new OutputChannelLogger("CodeQL Extension Log");
 export const queryServerLogger = new OutputChannelLogger("CodeQL Query Server");
 
 // Logger for messages from the language server.
-export const ideServerLogger = new OutputChannelLogger(
+export const languageServerLogger = new OutputChannelLogger(
   "CodeQL Language Server",
 );
 

extensions/ql-vscode/src/common/logging/vscode/output-channel-logger.ts

@@ -1,7 +1,8 @@
-import { window as Window, OutputChannel, Progress } from "vscode";
-import { Logger, LogOptions } from "../logger";
+import type { OutputChannel, Progress } from "vscode";
+import { window as Window } from "vscode";
+import type { Logger, LogOptions } from "../logger";
 import { DisposableObject } from "../../disposable-object";
-import { NotificationLogger } from "../notification-logger";
+import type { NotificationLogger } from "../notification-logger";
 
 /**
  * A logger that writes messages to an output channel in the VS Code Output tab.
@@ -63,7 +64,7 @@ export class OutputChannelLogger
     message: string,
     show: (message: string, ...items: string[]) => Thenable<string | undefined>,
   ): Promise<void> {
-    const label = "Show Log";
+    const label = "View extension logs";
     const result = await show(message, label);
 
     if (result === label) {

extensions/ql-vscode/src/common/memento.ts

@@ -40,5 +40,5 @@ export interface Memento {
    * @param key A string.
    * @param value A value. MUST not contain cyclic references.
    */
-  update(key: string, value: any): Thenable<void>;
+  update<T>(key: string, value: T | undefined): Thenable<void>;
 }

extensions/ql-vscode/src/common/mock-gh-api/gh-api-request.ts

@@ -1,5 +1,5 @@
-import { Repository } from "../../variant-analysis/gh-api/repository";
-import {
+import type { Repository } from "../../variant-analysis/gh-api/repository";
+import type {
   VariantAnalysis,
   VariantAnalysisRepoTask,
 } from "../../variant-analysis/gh-api/variant-analysis";

extensions/ql-vscode/src/common/mock-gh-api/mock-gh-api-server.ts

@@ -1,6 +1,7 @@
 import { join, resolve } from "path";
 import { pathExists } from "fs-extra";
-import { setupServer, SetupServer } from "msw/node";
+import type { SetupServer } from "msw/node";
+import { setupServer } from "msw/node";
 
 import { DisposableObject } from "../disposable-object";
 

extensions/ql-vscode/src/common/mock-gh-api/recorder.ts

@@ -2,24 +2,24 @@ import { ensureDir, writeFile } from "fs-extra";
 import { join } from "path";
 
 import fetch from "node-fetch";
-import { SetupServer } from "msw/node";
+import type { SetupServer } from "msw/node";
 
 import { DisposableObject } from "../disposable-object";
 import { gzipDecode } from "../zlib";
 
-import {
+import type {
   AutoModelResponse,
   BasicErrorResponse,
   CodeSearchResponse,
   GetVariantAnalysisRepoResultRequest,
   GitHubApiRequest,
-  RequestKind,
 } from "./gh-api-request";
-import {
+import { RequestKind } from "./gh-api-request";
+import type {
   VariantAnalysis,
   VariantAnalysisRepoTask,
 } from "../../variant-analysis/gh-api/variant-analysis";
-import { Repository } from "../../variant-analysis/gh-api/repository";
+import type { Repository } from "../../variant-analysis/gh-api/repository";
 
 export class Recorder extends DisposableObject {
   private currentRecordedScenario: GitHubApiRequest[] = [];

extensions/ql-vscode/src/common/mock-gh-api/request-handlers.ts

@@ -1,8 +1,9 @@
 import { join } from "path";
 import { readdir, readJson, readFile } from "fs-extra";
-import { http, RequestHandler } from "msw";
+import type { RequestHandler } from "msw";
+import { http } from "msw";
+import type { GitHubApiRequest } from "./gh-api-request";
 import {
-  GitHubApiRequest,
   isAutoModelRequest,
   isCodeSearchRequest,
   isGetRepoRequest,

extensions/ql-vscode/src/common/mock-gh-api/vscode/vscode-mock-gh-api-server.ts

@@ -1,5 +1,6 @@
 import { pathExists } from "fs-extra";
-import { env, QuickPickItem, Uri, window } from "vscode";
+import type { QuickPickItem } from "vscode";
+import { env, Uri, window } from "vscode";
 
 import {
   getMockGitHubApiServerScenariosPath,
@@ -7,8 +8,9 @@ import {
 } from "../../../config";
 import { DisposableObject } from "../../disposable-object";
 import { MockGitHubApiServer } from "../mock-gh-api-server";
-import { MockGitHubApiServerCommands } from "../../commands";
-import { App, AppMode } from "../../app";
+import type { MockGitHubApiServerCommands } from "../../commands";
+import type { App } from "../../app";
+import { AppMode } from "../../app";
 import path from "path";
 
 /**

extensions/ql-vscode/src/common/octokit.ts

@@ -1,8 +1,8 @@
-import * as Octokit from "@octokit/rest";
+import { Octokit } from "@octokit/rest";
 import { retry } from "@octokit/plugin-retry";
 import fetch from "node-fetch";
 
-export const AppOctokit = Octokit.Octokit.defaults({
+export const AppOctokit = Octokit.defaults({
   request: {
     fetch,
   },

extensions/ql-vscode/src/common/ql.ts

@@ -1,4 +1,4 @@
-import { join } from "path";
+import { dirname, join, parse } from "path";
 import { pathExists } from "fs-extra";
 
 export const QLPACK_FILENAMES = ["qlpack.yml", "codeql-pack.yml"];
@@ -8,7 +8,13 @@ export const QLPACK_LOCK_FILENAMES = [
 ];
 export const FALLBACK_QLPACK_FILENAME = QLPACK_FILENAMES[0];
 
-export async function getQlPackPath(
+/**
+ * Gets the path to the QL pack file (a qlpack.yml or
+ * codeql-pack.yml).
+ * @param packRoot The root of the pack.
+ * @returns The path to the qlpack file, or undefined if it doesn't exist.
+ */
+export async function getQlPackFilePath(
   packRoot: string,
 ): Promise<string | undefined> {
   for (const filename of QLPACK_FILENAMES) {
@@ -21,3 +27,28 @@ export async function getQlPackPath(
 
   return undefined;
 }
+
+/**
+ * Recursively find the directory containing qlpack.yml or codeql-pack.yml. If
+ * no such directory is found, the directory containing the query file is returned.
+ * @param queryFile The query file to start from.
+ * @returns The path to the pack root or undefined if it doesn't exist.
+ */
+export async function findPackRoot(
+  queryFile: string,
+): Promise<string | undefined> {
+  let dir = dirname(queryFile);
+  while (!(await getQlPackFilePath(dir))) {
+    dir = dirname(dir);
+    if (isFileSystemRoot(dir)) {
+      return undefined;
+    }
+  }
+
+  return dir;
+}
+
+function isFileSystemRoot(dir: string): boolean {
+  const pathObj = parse(dir);
+  return pathObj.root === dir && pathObj.base === "";
+}

extensions/ql-vscode/src/common/qlpack-language.ts

@@ -0,0 +1,26 @@
+import { QueryLanguage } from "./query-language";
+import { loadQlpackFile } from "../packaging/qlpack-file-loader";
+
+/**
+ * @param qlpackPath The path to the `qlpack.yml` or `codeql-pack.yml` file.
+ * @return the language of the given qlpack file, or undefined if the file is
+ * not a valid qlpack file or does not contain exactly one language.
+ */
+export async function getQlPackLanguage(
+  qlpackPath: string,
+): Promise<QueryLanguage | undefined> {
+  const qlPack = await loadQlpackFile(qlpackPath);
+  const dependencies = qlPack?.dependencies;
+  if (!dependencies) {
+    return;
+  }
+
+  const matchingLanguages = Object.values(QueryLanguage).filter(
+    (language) => `codeql/${language}-all` in dependencies,
+  );
+  if (matchingLanguages.length !== 1) {
+    return undefined;
+  }
+
+  return matchingLanguages[0];
+}

extensions/ql-vscode/src/common/raw-result-types.ts

@@ -0,0 +1,90 @@
+export enum ColumnKind {
+  String = "string",
+  Float = "float",
+  Integer = "integer",
+  Boolean = "boolean",
+  Date = "date",
+  Entity = "entity",
+}
+
+export type Column = {
+  name?: string;
+  kind: ColumnKind;
+};
+
+type UrlValueString = {
+  type: "string";
+  value: string;
+};
+
+export type UrlValueWholeFileLocation = {
+  type: "wholeFileLocation";
+  uri: string;
+};
+
+export type UrlValueLineColumnLocation = {
+  type: "lineColumnLocation";
+  uri: string;
+  startLine: number;
+  startColumn: number;
+  endLine: number;
+  endColumn: number;
+};
+
+export type UrlValueResolvable =
+  | UrlValueWholeFileLocation
+  | UrlValueLineColumnLocation;
+
+export function isUrlValueResolvable(
+  value: UrlValue,
+): value is UrlValueResolvable {
+  return (
+    value.type === "wholeFileLocation" || value.type === "lineColumnLocation"
+  );
+}
+
+export type UrlValue = UrlValueString | UrlValueResolvable;
+
+export type EntityValue = {
+  url?: UrlValue;
+  label?: string;
+  id?: number;
+};
+
+type CellValueEntity = {
+  type: "entity";
+  value: EntityValue;
+};
+
+type CellValueNumber = {
+  type: "number";
+  value: number;
+};
+
+type CellValueString = {
+  type: "string";
+  value: string;
+};
+
+type CellValueBoolean = {
+  type: "boolean";
+  value: boolean;
+};
+
+export type CellValue =
+  | CellValueEntity
+  | CellValueNumber
+  | CellValueString
+  | CellValueBoolean;
+
+export type Row = CellValue[];
+
+export type RawResultSet = {
+  name: string;
+  totalRowCount: number;
+
+  columns: Column[];
+  rows: Row[];
+
+  nextPageOffset?: number;
+};

extensions/ql-vscode/src/common/readonly.ts

@@ -1,11 +1,12 @@
-export type DeepReadonly<T> = T extends Array<infer R>
-  ? DeepReadonlyArray<R>
-  : // eslint-disable-next-line @typescript-eslint/ban-types
-  T extends Function
-  ? T
-  : T extends object
-  ? DeepReadonlyObject<T>
-  : T;
+export type DeepReadonly<T> =
+  T extends Array<infer R>
+    ? DeepReadonlyArray<R>
+    : // eslint-disable-next-line @typescript-eslint/ban-types
+      T extends Function
+      ? T
+      : T extends object
+        ? DeepReadonlyObject<T>
+        : T;
 
 interface DeepReadonlyArray<T> extends ReadonlyArray<DeepReadonly<T>> {}