Upgrade CodeQL CLI dependency to v2.25.3#269
Merged
data-douser merged 5 commits into main, May 4, 2026
Dependency Review: the following issues were found: License Issues (package-lock.json).
Previously, codeql pack upgrade was a no-op for packs with pinned codeql/<lang>-all dependencies because the existing pin already satisfied the constraint. This left codeql-pack.lock.yml files unchanged across CLI bumps, even though newer compatible library pack versions were available. The fix temporarily rewrites the pinned dependency to a wildcard before running codeql pack upgrade, then restores the manifest and pins it to the version resolved into the lock file. Also regenerates all pack lock files and re-pins manifests against CodeQL CLI v2.25.3, and refreshes ruby/rust/swift PrintAST/PrintCFG .expected files for benign output ordering and library behavior changes introduced by the upgraded codeql/*-all packs.
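The widen/upgrade/re-pin flow described above, as an added example (not code from this PR or from the CodeQL CLI). The sample `qlpack.yml` and `codeql-pack.lock.yml` contents are constructed, and `run_upgrade` is a hypothetical callable that is expected to run `codeql pack upgrade <dir>` on the pack directory.

```python
import re
from pathlib import Path

# Constructed sample files (not taken from the PR). The lock file stands in
# for what `codeql pack upgrade` resolves once the pin has been widened.
SAMPLE_QLPACK = """name: example/ruby-queries
version: 0.0.1
dependencies:
  codeql/ruby-all: 4.2.1
"""
SAMPLE_LOCK = """lockVersion: 1.0.0
dependencies:
  codeql/ruby-all:
    version: 4.3.0
"""

def _pin_line(pack: str) -> re.Pattern:
    # Matches the dependency line in qlpack.yml, capturing up to the version.
    return re.compile(rf"^(\s+{re.escape(pack)}:\s*)\S.*$", re.MULTILINE)

def widen_pin(manifest: str, pack: str) -> str:
    """Replace the exact pin with '*' so the upgrade is no longer a no-op."""
    new, count = _pin_line(pack).subn(r'\g<1>"*"', manifest)
    if count != 1:
        raise ValueError(f"{pack} must be pinned exactly once in qlpack.yml")
    return new

def locked_version(lock: str, pack: str) -> str:
    """Return the version codeql-pack.lock.yml resolved for `pack`."""
    m = re.search(rf"^\s+{re.escape(pack)}:\s*\n\s+version:\s*(\S+)", lock, re.MULTILINE)
    if not m:
        raise ValueError(f"{pack} not present in lock file")
    return m.group(1)

def repin(manifest: str, lock: str, pack: str) -> str:
    """Restore an exact pin equal to the version the lock file resolved."""
    return _pin_line(pack).sub(rf"\g<1>{locked_version(lock, pack)}", manifest)

def upgrade_pack(pack_dir: Path, pack: str, run_upgrade) -> str:
    """Widen, upgrade, re-pin; on any failure the original manifest is restored."""
    manifest = pack_dir / "qlpack.yml"
    original = manifest.read_text()
    manifest.write_text(widen_pin(original, pack))
    try:
        run_upgrade(pack_dir)  # hypothetical hook: runs `codeql pack upgrade <dir>`
        lock = (pack_dir / "codeql-pack.lock.yml").read_text()
        manifest.write_text(repin(original, lock, pack))
    except Exception:
        manifest.write_text(original)  # never leave a wildcard pin behind
        raise
    return locked_version(lock, pack)
```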
Adds a 'check-existing-branch' job that runs after detect-update and gates the create-pr job. On scheduled (cron) runs, if the target 'codeql/upgrade-to-vX.Y.Z' branch already exists on origin, the rest of the pipeline is skipped so peter-evans/create-pull-request does not force-push over reviewer commits or follow-up fixes (such as manually-applied lock-file refreshes). The check is bypassed on workflow_dispatch so a maintainer can always force a refresh by re-running the workflow manually.
CI runs query unit tests with install-language-runtimes: true, which makes rustc/cargo available to the rust extractor and causes println! and similar macros to be expanded to their stdlib internals was performed without rust installed locally, so the expected files captured the collapsed output and did not match CI. Re-learned with rustc 1.95.0 installed via rustup, matching the CI runner environment.
Collaborator:
Thanks @enyil

data-douser approved these changes, May 4, 2026
This PR upgrades the CodeQL CLI version to v2.25.3.
Changes made:
- `.codeql-version` to v2.25.3
- `package-lock.json` (2.25.3)