Skip to content

Prepare v2.26.0 release and upgrade bundled tool query packs#312

Merged
data-douser merged 1 commit into
mainfrom
dd/release-prep/v2.26.0
Jul 9, 2026
Merged

Prepare v2.26.0 release and upgrade bundled tool query packs#312
data-douser merged 1 commit into
mainfrom
dd/release-prep/v2.26.0

Conversation

@data-douser

Copy link
Copy Markdown
Collaborator

This pull request upgrades the project to use CodeQL CLI v2.26.0 and updates all related dependencies, version files, and documentation. It also introduces improvements to the upgrade workflow to better handle unpublished upstream dependencies, and refines prompt and resource documentation based on real-world usage. Several third-party dependencies are also updated.

Major version and dependency upgrades:

  • Upgraded CodeQL CLI to v2.26.0, updating .codeql-version, all relevant package.json files, per-language codeql-pack.yml manifests, and codeql-pack.lock.yml lock files. This includes re-resolving all bundled CodeQL tool query packs and ensuring all language query unit tests pass under the new CLI. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
  • Updated the changelog for v2.26.0, including a detailed highlights section, dependency updates, and a link to the full changelog. [1] [2] [3]

Workflow and documentation improvements:

  • Enhanced upgrade-packs.sh to tolerate unpublished transitive dependencies, allowing upgrades for other languages to proceed even if some packs cannot be updated (e.g., Ruby and Rust waiting on codeql/namebinding).
  • Refined prompt, resource, and tool descriptions based on real-world debugging sessions for improved clarity and guidance.

Additional dependency updates:

  • Bumped several third-party dependencies, including actions/checkout, hono, github.com/mark3labs/mcp-go, and various dev dependencies such as esbuild, vite, form-data, and undici. Also pinned additional GitHub Actions to commit SHAs and added a Dependabot cooldown window.

These changes ensure the project is up-to-date with the latest CodeQL features and ecosystem improvements, while also making the upgrade process more robust and improving the developer experience.

Upgrade CodeQL CLI to v2.26.0 and re-resolve all bundled tool
query packs against the 2.26.0 library set: actions-all 0.4.38,
cpp-all 11.0.0, csharp-all 7.0.0, go-all 7.2.0, java-all 9.2.0,
javascript-all 2.8.0, python-all 7.2.0, swift-all 6.7.1.

Hold Ruby and Rust at their last-compatible versions (ruby-all
5.2.2, rust-all 0.2.15): ruby-all 6.0.0 and rust-all 0.2.16
depend on codeql/namebinding, which is not published to the
public registry. Both still compile and test under 2.26.0.

Make upgrade-packs.sh tolerant of unpublished upstream
transitive deps: keep the affected pack on its last-known-good
pin, record the skip, and continue instead of aborting the run.

Bump all version-bearing files and lock files to 2.26.0 and
regenerate package-lock.json.

Cut the [v2.26.0] CHANGELOG entry (rolls up interim v2.25.5 and
v2.25.6 CLI upgrades and backfills undocumented dependency
bumps).
@data-douser data-douser self-assigned this Jul 8, 2026
Copilot AI review requested due to automatic review settings July 8, 2026 22:05
@data-douser data-douser requested review from a team and enyil as code owners July 8, 2026 22:05
@data-douser data-douser added documentation Improvements or additions to documentation enhancement New feature or request dependencies Pull requests that update a dependency file labels Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

package-lock.json

PackageVersionLicenseIssue Type
extensions/vscode2.26.0NullUnknown License
server2.26.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
npm/extensions/vscode 2.26.0 UnknownUnknown
npm/server 2.26.0 UnknownUnknown

Scanned Files

  • package-lock.json

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Prepares the repository for the v2.26.0 stable release by upgrading the pinned CodeQL CLI version and re-resolving the bundled per-language CodeQL tool query packs, alongside release documentation updates and a robustness improvement to the pack-upgrade workflow.

Changes:

  • Bumped repo/server/extension versions to 2.26.0 and updated .codeql-version to v2.26.0.
  • Re-resolved and committed updated codeql-pack.lock.yml files across the bundled language tool packs (and JavaScript examples), including updated upstream codeql/*-all pins where applicable.
  • Updated upgrade-packs.sh to continue upgrades when a pack fails due to an unpublished transitive dependency (skipping and reporting those packs instead of aborting).
Show a summary per file
File Description
server/src/codeql-development-mcp-server.ts Updates the server’s reported version constant to 2.26.0.
server/scripts/upgrade-packs.sh Adds “skip and continue” behavior for pack upgrades blocked by unpublished transitive dependencies.
server/ql/swift/tools/test/codeql-pack.yml Bumps Swift tools test pack version to 2.26.0.
server/ql/swift/tools/test/codeql-pack.lock.yml Updates resolved Swift test-pack dependencies for the new CLI/library set.
server/ql/swift/tools/src/codeql-pack.yml Bumps Swift tools src pack version and codeql/swift-all dependency.
server/ql/swift/tools/src/codeql-pack.lock.yml Updates resolved Swift src-pack dependencies for the new CLI/library set.
server/ql/rust/tools/test/codeql-pack.yml Bumps Rust tools test pack version to 2.26.0.
server/ql/rust/tools/src/codeql-pack.yml Bumps Rust tools src pack version to 2.26.0.
server/ql/ruby/tools/test/codeql-pack.yml Bumps Ruby tools test pack version to 2.26.0.
server/ql/ruby/tools/src/codeql-pack.yml Bumps Ruby tools src pack version to 2.26.0.
server/ql/python/tools/test/codeql-pack.yml Bumps Python tools test pack version to 2.26.0.
server/ql/python/tools/test/codeql-pack.lock.yml Updates resolved Python test-pack dependencies for the new CLI/library set.
server/ql/python/tools/src/codeql-pack.yml Bumps Python tools src pack version and codeql/python-all dependency.
server/ql/python/tools/src/codeql-pack.lock.yml Updates resolved Python src-pack dependencies for the new CLI/library set.
server/ql/javascript/tools/test/codeql-pack.yml Bumps JavaScript tools test pack version to 2.26.0.
server/ql/javascript/tools/test/codeql-pack.lock.yml Updates resolved JavaScript test-pack dependencies for the new CLI/library set.
server/ql/javascript/tools/src/codeql-pack.yml Bumps JavaScript tools src pack version and codeql/javascript-all dependency.
server/ql/javascript/tools/src/codeql-pack.lock.yml Updates resolved JavaScript src-pack dependencies for the new CLI/library set.
server/ql/javascript/examples/test/codeql-pack.lock.yml Updates resolved JavaScript examples test-pack dependencies for the new CLI/library set.
server/ql/javascript/examples/src/codeql-pack.lock.yml Updates resolved JavaScript examples src-pack dependencies for the new CLI/library set.
server/ql/java/tools/test/codeql-pack.yml Bumps Java tools test pack version to 2.26.0.
server/ql/java/tools/test/codeql-pack.lock.yml Updates resolved Java test-pack dependencies for the new CLI/library set.
server/ql/java/tools/src/codeql-pack.yml Bumps Java tools src pack version and codeql/java-all dependency.
server/ql/java/tools/src/codeql-pack.lock.yml Updates resolved Java src-pack dependencies for the new CLI/library set.
server/ql/go/tools/test/codeql-pack.yml Bumps Go tools test pack version to 2.26.0.
server/ql/go/tools/test/codeql-pack.lock.yml Updates resolved Go test-pack dependencies for the new CLI/library set.
server/ql/go/tools/src/codeql-pack.yml Bumps Go tools src pack version and codeql/go-all dependency.
server/ql/go/tools/src/codeql-pack.lock.yml Updates resolved Go src-pack dependencies for the new CLI/library set.
server/ql/csharp/tools/test/codeql-pack.yml Bumps C# tools test pack version to 2.26.0.
server/ql/csharp/tools/test/codeql-pack.lock.yml Updates resolved C# test-pack dependencies for the new CLI/library set.
server/ql/csharp/tools/src/codeql-pack.yml Bumps C# tools src pack version and codeql/csharp-all dependency.
server/ql/csharp/tools/src/codeql-pack.lock.yml Updates resolved C# src-pack dependencies for the new CLI/library set.
server/ql/cpp/tools/test/codeql-pack.yml Bumps C++ tools test pack version to 2.26.0.
server/ql/cpp/tools/test/codeql-pack.lock.yml Updates resolved C++ test-pack dependencies for the new CLI/library set.
server/ql/cpp/tools/src/codeql-pack.yml Bumps C++ tools src pack version and codeql/cpp-all dependency.
server/ql/cpp/tools/src/codeql-pack.lock.yml Updates resolved C++ src-pack dependencies for the new CLI/library set.
server/ql/actions/tools/test/codeql-pack.yml Bumps Actions tools test pack version to 2.26.0.
server/ql/actions/tools/test/codeql-pack.lock.yml Updates resolved Actions test-pack dependencies for the new CLI/library set.
server/ql/actions/tools/src/codeql-pack.yml Bumps Actions tools src pack version and codeql/actions-all dependency.
server/ql/actions/tools/src/codeql-pack.lock.yml Updates resolved Actions src-pack dependencies for the new CLI/library set.
server/package.json Updates server package version to 2.26.0.
server/dist/codeql-development-mcp-server.js Updates the built server artifact to report version 2.26.0.
package.json Updates repo root package version to 2.26.0.
package-lock.json Updates lockfile metadata versions to 2.26.0.
extensions/vscode/package.json Updates VS Code extension version to 2.26.0.
client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif Updates expected SARIF output to reflect the upgraded CodeQL CLI version.
CHANGELOG.md Adds the v2.26.0 release entry, highlights, dependency notes, and link definitions.
.codeql-version Pins the bundled CodeQL CLI version to v2.26.0.

Review details

  • Files reviewed: 46/49 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread server/scripts/upgrade-packs.sh
@data-douser data-douser merged commit 65a6c42 into main Jul 9, 2026
38 of 39 checks passed
@data-douser data-douser deleted the dd/release-prep/v2.26.0 branch July 9, 2026 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants