Post-release preparation for codeql-cli-2.23.6 #20857
Changedocs 2.23.5 (cherry picked from commit f27271d)
Changedocs 2.23.5
Pull Request Overview
This PR merges back changes from the release of codeql-cli-2.23.6 and bumps version strings in preparation for the next release (2.23.7). The changes include version increments, release note finalization, and changelog updates across multiple language packs.
- Version bumps for all query and library packs with -dev suffix for next release
- Release notes moved from unreleased to released directories
- CHANGELOG.md files updated with release information
- New release documentation added for codeql-cli-2.23.5
Reviewed Changes
Copilot reviewed 175 out of 176 changed files in this pull request and generated 23 comments.
| File | Description |
|---|---|
| swift/ql/src/qlpack.yml | Version bump from 1.2.9-dev to 1.2.10-dev |
| swift/ql/lib/qlpack.yml | Version bump from 6.0.1-dev to 6.1.1-dev |
| swift/ql/lib/change-notes/released/6.1.0.md | Formatted release notes for Swift 6.2.1 support |
| rust/ql/src/qlpack.yml | Version bump from 0.1.20-dev to 0.1.21-dev |
| rust/ql/lib/qlpack.yml | Version bump from 0.1.20-dev to 0.1.21-dev |
| ruby/ql/src/qlpack.yml | Version bump from 1.4.9-dev to 1.5.1-dev |
| python/ql/src/qlpack.yml | Version bump from 1.6.9-dev to 1.7.1-dev |
| python/ql/lib/qlpack.yml | Major version bump from 4.1.1-dev to 5.0.1-dev for breaking changes |
| javascript/ql/src/qlpack.yml | Version bump from 2.1.4-dev to 2.2.1-dev |
| java/ql/src/qlpack.yml | Version bump from 1.9.1-dev to 1.10.1-dev |
| go/ql/src/qlpack.yml | Version bump from 1.4.9-dev to 1.4.10-dev |
| csharp/ql/src/qlpack.yml | Version bump from 1.4.4-dev to 1.5.1-dev |
| csharp/ql/lib/qlpack.yml | Version bump from 5.3.1-dev to 5.4.1-dev |
| csharp/ql/src/CHANGELOG.md | Updated with whitespace cleanup on several historical entries |
| csharp/ql/lib/CHANGELOG.md | Updated with whitespace cleanup on several historical entries |
| cpp/ql/src/qlpack.yml | Version bump from 1.5.4-dev to 1.5.5-dev |
| cpp/ql/lib/qlpack.yml | Version bump from 6.0.2-dev to 6.1.1-dev |
| shared/* | Version bumps for all shared library packs |
| docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.5.rst | New release documentation for codeql-cli-2.23.5 |
|
|
||
| ### Query Metadata Changes | ||
|
|
||
| * Reduced the `security-severity` score of the `rb/overly-large-range` query from 5.0 to 4.0 to better reflect its impact. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 5.
| ### Minor Analysis Improvements | ||
|
|
||
| * C#: The method `string.ReplaceLineEndings(string)` is now considered a sanitizer for the `cs/log-forging` query. | ||
| * C#: The method `string.ReplaceLineEndings(string)` is now considered a sanitizer for the `cs/log-forging` query. |
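Review bot: the `string.ReplaceLineEndings(string)` entry should state the condition under which the call actually neutralizes log forging: it only does so when the replacement string passed to it contains no CR or LF characters itself, and as written a reader may take any `ReplaceLineEndings(string)` call as safe for `cs/log-forging`. Suggest ending the line with "provided the replacement string contains no line-break characters."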
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 183.
| ### Minor Analysis Improvements | ||
|
|
||
| * Fixed a Log forging false positive when using `String.Replace` to sanitize the input. | ||
| * Fixed a Log forging false positive when using `String.Replace` to sanitize the input. |
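Review bot: "Log forging" in the `String.Replace` entry should be lower-case "log forging", matching the query id `cs/log-forging` and the wording of the neighbouring C# notes; the entry would also be more precise as "when `String.Replace` is used to remove line-break characters from the input", since replacing other characters is not a log-forging sanitizer.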
Copilot
AI
Nov 18, 2025
Corrected spacing: there are extra trailing spaces at the end of line 297.
| - `[SupplyParameterFromForm]` | ||
| - `[SupplyParameterFromQuery]` | ||
| * Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`. | ||
| * Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 160.
| * Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`. | |
| * Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`. |
| - `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery` | ||
| - `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery` | ||
| * Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript. | ||
| * Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 180.
| * Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript. | |
| * Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript. |
| non-returning in the IR and dataflow. | ||
| * Treat functions that reach the end of the function as returning in the IR. | ||
| They used to be treated as unreachable but it is allowed in C. | ||
| They used to be treated as unreachable but it is allowed in C. |
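Review bot: the bullet "Treat functions that reach the end of the function as returning in the IR" is circular (a function does not reach the end of a function) and the follow-up "it is allowed in C" has no clear antecedent. Suggest "Treat control flow that falls off the end of a function body without an explicit `return` as returning in the IR. Such paths used to be treated as unreachable, but falling off the end of a function is permitted in C."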
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 503.
| They used to be treated as unreachable but it is allowed in C. | |
| They used to be treated as unreachable but it is allowed in C. |
| ### New Features | ||
|
|
||
| * The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. | ||
| * The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 552.
| * The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. | |
| * The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. |
| ### Deprecated APIs | ||
|
|
||
| * Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. | ||
| * Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 746.
| * Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. | |
| * Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. |
| ### Deprecated APIs | ||
|
|
||
| * Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. | ||
| * Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 763.
| * Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. | |
| * Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. |
| ### Deprecated APIs | ||
|
|
||
| * Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. | ||
| * Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. |
Copilot
AI
Nov 18, 2025
Corrected spacing: there is a trailing space at the end of line 862.
| * Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. | |
| * Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. |
This PR merges back all of the changes from the release of codeql-cli-2.23.6, and it bumps the version strings in semmle-code in preparation for the next release of 2.23.7.