github · mbg · Feb 16, 2026 · Feb 16, 2026
@@ -1,3 +1,7 @@
+## 0.4.28
+
+No user-facing changes.
+
 ## 0.4.27
 
 ### Bug Fixes

@@ -0,0 +1,3 @@
+## 0.4.28
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.27
+lastReleaseVersion: 0.4.28
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.28-dev
+version: 0.4.28
 library: true
 warnOnImplicitThis: true
 dependencies:

@@ -1,3 +1,7 @@
+## 0.6.20
+
+No user-facing changes.
+
 ## 0.6.19
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 0.6.20
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.19
+lastReleaseVersion: 0.6.20
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.20-dev
+version: 0.6.20
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

@@ -1,3 +1,9 @@
+## 7.1.1
+
+### Minor Analysis Improvements
+
+* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++.
+
 ## 7.1.0
 
 ### New Features

@@ -0,0 +1,5 @@
+## 7.1.1
+
+### Minor Analysis Improvements
+
+* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.0
+lastReleaseVersion: 7.1.1
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 7.1.1-dev
+version: 7.1.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

@@ -1,3 +1,7 @@
+## 1.5.11
+
+No user-facing changes.
+
 ## 1.5.10
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.5.11
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.10
+lastReleaseVersion: 1.5.11
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.11-dev
+version: 1.5.11
 groups:
   - cpp
   - queries

@@ -1,3 +1,7 @@
+## 1.7.59
+
+No user-facing changes.
+
 ## 1.7.58
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.7.59
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.58
+lastReleaseVersion: 1.7.59
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.59-dev
+version: 1.7.59
 groups:
   - csharp
   - solorigate

@@ -1,3 +1,7 @@
+## 1.7.59
+
+No user-facing changes.
+
 ## 1.7.58
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.7.59
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.58
+lastReleaseVersion: 1.7.59
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.59-dev
+version: 1.7.59
 groups:
   - csharp
   - solorigate

@@ -1,3 +1,10 @@
+## 5.4.7
+
+### Minor Analysis Improvements
+
+* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs.
+* C# 14: Added support for `extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators.
+
 ## 5.4.6
 
 ### Minor Analysis Improvements

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 5.4.7
+
+### Minor Analysis Improvements
+
+* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs.
 * C# 14: Added support for `extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.6
+lastReleaseVersion: 5.4.7
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.7-dev
+version: 5.4.7
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

@@ -1,3 +1,9 @@
+## 1.6.2
+
+### Bug Fixes
+
+* The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class.
+
 ## 1.6.1
 
 No user-facing changes.

@@ -1,4 +1,5 @@
----
-category: fix
----
+## 1.6.2
+
+### Bug Fixes
+
 * The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.1
+lastReleaseVersion: 1.6.2
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.2-dev
+version: 1.6.2
 groups:
   - csharp
   - queries

@@ -1,3 +1,7 @@
+## 1.0.42
+
+No user-facing changes.
+
 ## 1.0.41
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.0.42
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.41
+lastReleaseVersion: 1.0.42
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.42-dev
+version: 1.0.42
 groups:
   - go
   - queries

@@ -1,3 +1,13 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPredecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument.
+
+### Major Analysis Improvements
+
+* Go 1.26 is now supported.
+
 ## 6.0.1
 
 ### Minor Analysis Improvements

@@ -1,4 +1,9 @@
----
-category: breaking
----
+## 7.0.0
+
+### Breaking Changes
+
 * The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPredecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument.
+
+### Major Analysis Improvements
+
+* Go 1.26 is now supported.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.1
+lastReleaseVersion: 7.0.0
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 6.0.2-dev
+version: 7.0.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go

@@ -1,3 +1,7 @@
+## 1.5.6
+
+No user-facing changes.
+
 ## 1.5.5
 
 No user-facing changes.

@@ -0,0 +1,3 @@
+## 1.5.6
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.5
+lastReleaseVersion: 1.5.6
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.6-dev
+version: 1.5.6
 groups:
   - go
   - queries

@@ -1,3 +1,24 @@
+## 8.1.0
+
+### Deprecated APIs
+
+* The `UnreachableBlocks.qll` library has been deprecated.
+* Renamed the following predicates to increase uniformity across languages. The `getBody` predicate already existed on `LoopStmt`, but is now properly inherited.
+  - `UnaryExpr.getExpr` to `getOperand`.
+  - `ConditionalExpr.getTrueExpr` to `getThen`.
+  - `ConditionalExpr.getFalseExpr` to `getElse`.
+  - `ReturnStmt.getResult` to `getExpr`.
+  - `WhileStmt.getStmt` to `getBody`.
+  - `DoStmt.getStmt` to `getBody`.
+  - `ForStmt.getStmt` to `getBody`.
+  - `EnhancedForStmt.getStmt` to `getBody`.
+
+### Minor Analysis Improvements
+
+* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for `java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with `@javax.validation.constraints.Pattern`.
+* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries.
+* Kotlin versions up to 2.3.10 are now supported.
+
 ## 8.0.0
 
 ### Breaking Changes
@@ -6,7 +27,7 @@
 
 ### New Features
 
-* Kotlin versions up to 2.3.0*x* are now supported.
+* Kotlin versions up to 2.3.0 are now supported.
 
 ### Minor Analysis Improvements
 

@@ -0,0 +1,20 @@
+## 8.1.0
+
+### Deprecated APIs
+
+* The `UnreachableBlocks.qll` library has been deprecated.
+* Renamed the following predicates to increase uniformity across languages. The `getBody` predicate already existed on `LoopStmt`, but is now properly inherited.
+  - `UnaryExpr.getExpr` to `getOperand`.
+  - `ConditionalExpr.getTrueExpr` to `getThen`.
+  - `ConditionalExpr.getFalseExpr` to `getElse`.
+  - `ReturnStmt.getResult` to `getExpr`.
+  - `WhileStmt.getStmt` to `getBody`.
+  - `DoStmt.getStmt` to `getBody`.
+  - `ForStmt.getStmt` to `getBody`.
+  - `EnhancedForStmt.getStmt` to `getBody`.
+
+### Minor Analysis Improvements
+
+* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for `java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with `@javax.validation.constraints.Pattern`.
+* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries.
+* Kotlin versions up to 2.3.10 are now supported.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.0
+lastReleaseVersion: 8.1.0