
Post-release preparation for codeql-cli-2.26.0 #22110

Merged: mbg merged 11 commits into main from post-release-prep/codeql-cli-2.26.0 on Jul 2, 2026

Conversation

@codeql-ci

Collaborator

This PR merges back all of the changes from the release of codeql-cli-2.26.0, and it bumps the version strings in semmle-code in preparation for the next release, 2.26.1.

tausbn and others added 11 commits June 30, 2026 14:41
The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall`
that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is
itself a type-tracker -- inside `levelStepCall`. That creates a
structural mutual recursion between the main type-tracker fixpoint and
`classInstanceTracker`, causing the type-tracker delta to blow up to
~100M tuples per iteration on some OOP-heavy Python codebases.
Verified on the python/mypy database: SSRF query wall time goes from
~12s before the offending commit to >40 minutes after it.

This hotfix temporarily drops the `instanceFieldStep` disjunct and
keeps only `inheritedFieldStep`, which does not pull on the call
graph and is well-behaved (verified at ~12s on mypy). The
`instanceFieldStep` helper predicate itself is kept in place, and
the `levelStepCall` body has a commented-out call to it so the
change is trivial to re-enable once the recursion issue is properly
addressed.
…stance-field-step

Python: hotfix - disable instanceFieldStep to avoid type-tracker blowup
Revert "Release preparation for version 2.26.0"
Release preparation for version 2.26.0
@mbg mbg marked this pull request as ready for review July 2, 2026 14:31
@mbg mbg requested review from a team as code owners July 2, 2026 14:31
Copilot AI review requested due to automatic review settings July 2, 2026 14:31
@mbg mbg added the no-change-note-required This PR does not need a change note label Jul 2, 2026
@mbg mbg merged commit f4d8358 into main Jul 2, 2026
134 of 135 checks passed
@mbg mbg deleted the post-release-prep/codeql-cli-2.26.0 branch July 2, 2026 14:32

Copilot AI left a comment

Contributor


Pull request overview

Merges back changes from the codeql-cli-2.26.0 release and bumps CodeQL pack versions to *-dev in preparation for 2.26.1, alongside a small set of Python analysis/test updates that accompany the release merge-back.

Changes:

  • Bump qlpack.yml versions across multiple language and shared packs to the next *-dev versions.
  • Update Python dataflow/type-tracking logic (and related flow-summary content encodings) with corresponding test expectation adjustments.
  • Minor Python changelog whitespace cleanup.
Summary per file:

| File | Description |
|---|---|
| swift/ql/src/qlpack.yml | Bump Swift queries pack version to next -dev. |
| swift/ql/lib/qlpack.yml | Bump Swift library pack version to next -dev. |
| shared/yaml/qlpack.yml | Bump shared YAML pack version to next -dev. |
| shared/xml/qlpack.yml | Bump shared XML pack version to next -dev. |
| shared/util/qlpack.yml | Bump shared util pack version to next -dev. |
| shared/typos/qlpack.yml | Bump shared typos pack version to next -dev. |
| shared/typetracking/qlpack.yml | Bump shared typetracking pack version to next -dev. |
| shared/typeinference/qlpack.yml | Bump shared typeinference pack version to next -dev. |
| shared/typeflow/qlpack.yml | Bump shared typeflow pack version to next -dev. |
| shared/tutorial/qlpack.yml | Bump shared tutorial pack version to next -dev. |
| shared/threat-models/qlpack.yml | Bump shared threat-models pack version to next -dev. |
| shared/ssa/qlpack.yml | Bump shared SSA pack version to next -dev. |
| shared/regex/qlpack.yml | Bump shared regex pack version to next -dev. |
| shared/rangeanalysis/qlpack.yml | Bump shared rangeanalysis pack version to next -dev. |
| shared/quantum/qlpack.yml | Bump shared quantum pack version to next -dev. |
| shared/namebinding/qlpack.yml | Bump shared namebinding pack version to next -dev. |
| shared/mad/qlpack.yml | Bump shared MaD pack version to next -dev. |
| shared/dataflow/qlpack.yml | Bump shared dataflow pack version to next -dev. |
| shared/controlflow/qlpack.yml | Bump shared controlflow pack version to next -dev. |
| shared/concepts/qlpack.yml | Bump shared concepts pack version to next -dev. |
| rust/ql/src/qlpack.yml | Bump Rust queries pack version to next -dev. |
| rust/ql/lib/qlpack.yml | Bump Rust library pack version to next -dev. |
| ruby/ql/src/qlpack.yml | Bump Ruby queries pack version to next -dev. |
| ruby/ql/lib/qlpack.yml | Bump Ruby library pack version to next -dev. |
| python/ql/src/qlpack.yml | Bump Python queries pack version to next -dev. |
| python/ql/lib/qlpack.yml | Bump Python library pack version to next -dev. |
| python/ql/lib/CHANGELOG.md | Remove trailing whitespace in changelog entries. |
| python/ql/lib/semmle/python/frameworks/Stdlib.qll | Update Python stdlib flow summaries to use broader “any tuple/dict element” encodings. |
| python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll | Temporarily disable an instance-field step in type tracking (hotfix) and document rationale. |
| python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll | Add helper for encoding “With” access paths in flow summaries. |
| python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll | Wire expectsContent to flow-summary expectations. |
| python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected | Update expected path-problem output to match current analysis behavior. |
| python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py | Update inline expectations for a now-documented missing Source/Alert case. |
| python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py | Update inline flow expectation for in_bulk value iteration. |
| python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py | Update inline expectations for attribute type tracking (missing/ordering adjustments). |
| python/ql/test/library-tests/dataflow/coverage/test_builtins.py | Update inline expectations around zip tuple element tracking. |
| misc/suite-helpers/qlpack.yml | Bump suite-helpers pack version to next -dev. |
| javascript/ql/src/qlpack.yml | Bump JavaScript queries pack version to next -dev. |
| javascript/ql/lib/qlpack.yml | Bump JavaScript library pack version to next -dev. |
| java/ql/src/qlpack.yml | Bump Java queries pack version to next -dev. |
| java/ql/lib/qlpack.yml | Bump Java library pack version to next -dev. |
| go/ql/src/qlpack.yml | Bump Go queries pack version to next -dev. |
| go/ql/lib/qlpack.yml | Bump Go library pack version to next -dev. |
| go/ql/consistency-queries/qlpack.yml | Bump Go consistency queries pack version to next -dev. |
| csharp/ql/src/qlpack.yml | Bump C# queries pack version to next -dev. |
| csharp/ql/lib/qlpack.yml | Bump C# library pack version to next -dev. |
| csharp/ql/campaigns/Solorigate/src/qlpack.yml | Bump Solorigate C# queries pack version to next -dev. |
| csharp/ql/campaigns/Solorigate/lib/qlpack.yml | Bump Solorigate C# library pack version to next -dev. |
| cpp/ql/src/qlpack.yml | Bump C/C++ queries pack version to next -dev. |
| cpp/ql/lib/qlpack.yml | Bump C/C++ library pack version to next -dev. |
| actions/ql/src/qlpack.yml | Bump Actions queries pack version to next -dev. |
| actions/ql/lib/qlpack.yml | Bump Actions library pack version to next -dev. |

Review details

  • Files reviewed: 50/52 changed files
  • Comments generated: 0
  • Review effort level: Low


Labels

  • Actions (Analysis of GitHub Actions)
  • C#
  • C++
  • DataFlow Library
  • documentation
  • Go
  • Java
  • JS
  • no-change-note-required (This PR does not need a change note)
  • Python
  • Ruby
  • Rust (Pull requests that update Rust code)
  • Swift


6 participants