Prepare v2.26.0 release and upgrade bundled tool query packs#312
Merged
Conversation
Upgrade CodeQL CLI to v2.26.0 and re-resolve all bundled tool query packs against the 2.26.0 library set: actions-all 0.4.38, cpp-all 11.0.0, csharp-all 7.0.0, go-all 7.2.0, java-all 9.2.0, javascript-all 2.8.0, python-all 7.2.0, swift-all 6.7.1. Hold Ruby and Rust at their last-compatible versions (ruby-all 5.2.2, rust-all 0.2.15): ruby-all 6.0.0 and rust-all 0.2.16 depend on codeql/namebinding, which is not published to the public registry. Both still compile and test under 2.26.0. Make upgrade-packs.sh tolerant of unpublished upstream transitive deps: keep the affected pack on its last-known-good pin, record the skip, and continue instead of aborting the run. Bump all version-bearing files and lock files to 2.26.0 and regenerate package-lock.json. Cut the [v2.26.0] CHANGELOG entry (rolls up interim v2.25.5 and v2.25.6 CLI upgrades and backfills undocumented dependency bumps).
Contributor
Dependency ReviewThe following issues were found:
License Issuespackage-lock.json
OpenSSF Scorecard
Scanned Files
|
Contributor
There was a problem hiding this comment.
Pull request overview
Prepares the repository for the v2.26.0 stable release by upgrading the pinned CodeQL CLI version and re-resolving the bundled per-language CodeQL tool query packs, alongside release documentation updates and a robustness improvement to the pack-upgrade workflow.
Changes:
- Bumped repo/server/extension versions to 2.26.0 and updated
.codeql-versionto v2.26.0. - Re-resolved and committed updated
codeql-pack.lock.ymlfiles across the bundled language tool packs (and JavaScript examples), including updated upstreamcodeql/*-allpins where applicable. - Updated
upgrade-packs.shto continue upgrades when a pack fails due to an unpublished transitive dependency (skipping and reporting those packs instead of aborting).
Show a summary per file
| File | Description |
|---|---|
| server/src/codeql-development-mcp-server.ts | Updates the server’s reported version constant to 2.26.0. |
| server/scripts/upgrade-packs.sh | Adds “skip and continue” behavior for pack upgrades blocked by unpublished transitive dependencies. |
| server/ql/swift/tools/test/codeql-pack.yml | Bumps Swift tools test pack version to 2.26.0. |
| server/ql/swift/tools/test/codeql-pack.lock.yml | Updates resolved Swift test-pack dependencies for the new CLI/library set. |
| server/ql/swift/tools/src/codeql-pack.yml | Bumps Swift tools src pack version and codeql/swift-all dependency. |
| server/ql/swift/tools/src/codeql-pack.lock.yml | Updates resolved Swift src-pack dependencies for the new CLI/library set. |
| server/ql/rust/tools/test/codeql-pack.yml | Bumps Rust tools test pack version to 2.26.0. |
| server/ql/rust/tools/src/codeql-pack.yml | Bumps Rust tools src pack version to 2.26.0. |
| server/ql/ruby/tools/test/codeql-pack.yml | Bumps Ruby tools test pack version to 2.26.0. |
| server/ql/ruby/tools/src/codeql-pack.yml | Bumps Ruby tools src pack version to 2.26.0. |
| server/ql/python/tools/test/codeql-pack.yml | Bumps Python tools test pack version to 2.26.0. |
| server/ql/python/tools/test/codeql-pack.lock.yml | Updates resolved Python test-pack dependencies for the new CLI/library set. |
| server/ql/python/tools/src/codeql-pack.yml | Bumps Python tools src pack version and codeql/python-all dependency. |
| server/ql/python/tools/src/codeql-pack.lock.yml | Updates resolved Python src-pack dependencies for the new CLI/library set. |
| server/ql/javascript/tools/test/codeql-pack.yml | Bumps JavaScript tools test pack version to 2.26.0. |
| server/ql/javascript/tools/test/codeql-pack.lock.yml | Updates resolved JavaScript test-pack dependencies for the new CLI/library set. |
| server/ql/javascript/tools/src/codeql-pack.yml | Bumps JavaScript tools src pack version and codeql/javascript-all dependency. |
| server/ql/javascript/tools/src/codeql-pack.lock.yml | Updates resolved JavaScript src-pack dependencies for the new CLI/library set. |
| server/ql/javascript/examples/test/codeql-pack.lock.yml | Updates resolved JavaScript examples test-pack dependencies for the new CLI/library set. |
| server/ql/javascript/examples/src/codeql-pack.lock.yml | Updates resolved JavaScript examples src-pack dependencies for the new CLI/library set. |
| server/ql/java/tools/test/codeql-pack.yml | Bumps Java tools test pack version to 2.26.0. |
| server/ql/java/tools/test/codeql-pack.lock.yml | Updates resolved Java test-pack dependencies for the new CLI/library set. |
| server/ql/java/tools/src/codeql-pack.yml | Bumps Java tools src pack version and codeql/java-all dependency. |
| server/ql/java/tools/src/codeql-pack.lock.yml | Updates resolved Java src-pack dependencies for the new CLI/library set. |
| server/ql/go/tools/test/codeql-pack.yml | Bumps Go tools test pack version to 2.26.0. |
| server/ql/go/tools/test/codeql-pack.lock.yml | Updates resolved Go test-pack dependencies for the new CLI/library set. |
| server/ql/go/tools/src/codeql-pack.yml | Bumps Go tools src pack version and codeql/go-all dependency. |
| server/ql/go/tools/src/codeql-pack.lock.yml | Updates resolved Go src-pack dependencies for the new CLI/library set. |
| server/ql/csharp/tools/test/codeql-pack.yml | Bumps C# tools test pack version to 2.26.0. |
| server/ql/csharp/tools/test/codeql-pack.lock.yml | Updates resolved C# test-pack dependencies for the new CLI/library set. |
| server/ql/csharp/tools/src/codeql-pack.yml | Bumps C# tools src pack version and codeql/csharp-all dependency. |
| server/ql/csharp/tools/src/codeql-pack.lock.yml | Updates resolved C# src-pack dependencies for the new CLI/library set. |
| server/ql/cpp/tools/test/codeql-pack.yml | Bumps C++ tools test pack version to 2.26.0. |
| server/ql/cpp/tools/test/codeql-pack.lock.yml | Updates resolved C++ test-pack dependencies for the new CLI/library set. |
| server/ql/cpp/tools/src/codeql-pack.yml | Bumps C++ tools src pack version and codeql/cpp-all dependency. |
| server/ql/cpp/tools/src/codeql-pack.lock.yml | Updates resolved C++ src-pack dependencies for the new CLI/library set. |
| server/ql/actions/tools/test/codeql-pack.yml | Bumps Actions tools test pack version to 2.26.0. |
| server/ql/actions/tools/test/codeql-pack.lock.yml | Updates resolved Actions test-pack dependencies for the new CLI/library set. |
| server/ql/actions/tools/src/codeql-pack.yml | Bumps Actions tools src pack version and codeql/actions-all dependency. |
| server/ql/actions/tools/src/codeql-pack.lock.yml | Updates resolved Actions src-pack dependencies for the new CLI/library set. |
| server/package.json | Updates server package version to 2.26.0. |
| server/dist/codeql-development-mcp-server.js | Updates the built server artifact to report version 2.26.0. |
| package.json | Updates repo root package version to 2.26.0. |
| package-lock.json | Updates lockfile metadata versions to 2.26.0. |
| extensions/vscode/package.json | Updates VS Code extension version to 2.26.0. |
| client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif | Updates expected SARIF output to reflect the upgraded CodeQL CLI version. |
| CHANGELOG.md | Adds the v2.26.0 release entry, highlights, dependency notes, and link definitions. |
| .codeql-version | Pins the bundled CodeQL CLI version to v2.26.0. |
Review details
- Files reviewed: 46/49 changed files
- Comments generated: 1
- Review effort level: Low
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request upgrades the project to use CodeQL CLI v2.26.0 and updates all related dependencies, version files, and documentation. It also introduces improvements to the upgrade workflow to better handle unpublished upstream dependencies, and refines prompt and resource documentation based on real-world usage. Several third-party dependencies are also updated.
Major version and dependency upgrades:
.codeql-version, all relevantpackage.jsonfiles, per-languagecodeql-pack.ymlmanifests, andcodeql-pack.lock.ymllock files. This includes re-resolving all bundled CodeQL tool query packs and ensuring all language query unit tests pass under the new CLI. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]Workflow and documentation improvements:
upgrade-packs.shto tolerate unpublished transitive dependencies, allowing upgrades for other languages to proceed even if some packs cannot be updated (e.g., Ruby and Rust waiting oncodeql/namebinding).Additional dependency updates:
actions/checkout,hono,github.com/mark3labs/mcp-go, and various dev dependencies such asesbuild,vite,form-data, andundici. Also pinned additional GitHub Actions to commit SHAs and added a Dependabot cooldown window.These changes ensure the project is up-to-date with the latest CodeQL features and ecosystem improvements, while also making the upgrade process more robust and improving the developer experience.