
Unpin CodeQL pack dependencies by removing committed lock files #45

Draft
Copilot wants to merge 2 commits into main from copilot/update-packs-to-latest-versions

Conversation


Copilot AI commented Apr 21, 2026

📝 Query Update

  • Query File: N/A — repository-wide pack configuration change
  • Language: all (actions, cpp, csharp, go, java, javascript, python, ruby)
  • Update Type: dependency unpinning

🎯 Changes

What Changed

  • Deleted all 32 committed codeql-pack.lock.yml files under languages/<lang>/{custom,tools}/{src,test}/.
  • Added codeql-pack.lock.yml to .gitignore so locally generated lock files are not re-committed.
  • No changes to qlpack.yml files — they already declare codeql/*-all (and *-queries) as "*".

Why This Change

Committed lock files pinned packs to old versions (e.g. codeql/java-all 7.7.0), blocking template consumers from using features tied to newer libraries — for example, the barrierModel extensible predicate, which requires codeql/java-all shipped with CodeQL 2.25.2+.

Impact

Consumers of this template generate their own codeql-pack.lock.yml on codeql pack install, resolving against whichever CodeQL CLI they have installed. The template no longer dictates a CodeQL version floor/ceiling.

🔍 Before vs. After

Previous Behavior

codeql-pack.lock.yml checked into the repo pinned every transitive dependency, e.g.:

dependencies:
  codeql/java-all:
    version: 7.7.0

New Behavior

Only qlpack.yml is tracked, with floating versions:

dependencies:
  codeql/java-all: "*"

Lock files are produced locally per consumer and ignored by git.

🧪 Testing

  • New/updated test cases added
  • All tests pass
  • Regression tests validated
  • No unintended side effects

📊 Impact Analysis

  • Compatibility: backward compatible for consumers on a recent CodeQL CLI; consumers on very old CLIs may resolve different (newer) library versions than before
  • Performance: neutral
  • Accuracy: unchanged at the query level; unblocks adoption of newer library features (e.g. sanitizer/validator MaD, barrierModel)

📋 Checklist

  • Query compiles without errors
  • Documentation updated
  • Tests updated with new expectations
  • Metadata updated if needed

🔗 References
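The pinning the description refers to, as an added example that is not part of this pull request: a small Python check that reads the flat `dependencies:` block of a qlpack.yml and of a committed codeql-pack.lock.yml and reports every pack the manifest leaves floating ("*") but the lock file fixes to one version. The manifest and lock contents below are constructed samples modelled on the fragments in the description (the codeql/java-queries version is made up); the parser handles only that two-level layout, not general YAML.

```python
import re
from typing import Dict, Optional

# Constructed sample manifest: floating ranges, as the template's qlpack.yml files declare.
QLPACK_YML = """\
name: example/java-custom-queries
version: 0.0.1
dependencies:
  codeql/java-all: "*"
  codeql/java-queries: "*"
"""

# Constructed sample lock file: java-all pinned to 7.7.0 as in the description,
# java-queries pinned to a made-up version.
LOCK_YML = """\
dependencies:
  codeql/java-all:
    version: 7.7.0
  codeql/java-queries:
    version: 1.1.2
compiled: false
"""


def manifest_dependencies(text: str) -> Dict[str, str]:
    """Return {pack: declared range} from the 'dependencies:' block of a qlpack.yml."""
    deps: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if re.match(r"^dependencies:\s*$", line):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+([^\s:]+):\s*(.*)$", line)
            if not m:          # back at top level: block is over
                in_block = False
                continue
            deps[m.group(1)] = m.group(2).strip().strip("\"'")
    return deps


def lock_pins(text: str) -> Dict[str, str]:
    """Return {pack: pinned version} from a codeql-pack.lock.yml."""
    pins: Dict[str, str] = {}
    current: Optional[str] = None
    in_block = False
    for line in text.splitlines():
        if re.match(r"^dependencies:\s*$", line):
            in_block = True
            continue
        if not in_block:
            continue
        m_pack = re.match(r"^  ([^\s:]+):\s*$", line)       # "  codeql/java-all:"
        m_ver = re.match(r"^    version:\s*(\S+)\s*$", line)  # "    version: 7.7.0"
        if m_pack:
            current = m_pack.group(1)
        elif m_ver and current:
            pins[current] = m_ver.group(1).strip("\"'")
        elif not line.startswith(" "):  # top-level key such as "compiled:" ends the block
            in_block = False
    return pins


def pinned_floating(manifest: str, lock: str) -> Dict[str, str]:
    """Packs the manifest leaves at '*' but the lock file fixes: the version
    floor/ceiling a committed lock silently imposes on every consumer."""
    floating = {p for p, r in manifest_dependencies(manifest).items() if r == "*"}
    return {p: v for p, v in lock_pins(lock).items() if p in floating}


if __name__ == "__main__":
    for pack, version in pinned_floating(QLPACK_YML, LOCK_YML).items():
        print(f"{pack}: manifest allows '*' but committed lock pins {version}")
```

Run against a real pair of files (for example one of the 32 lock files the description lists) by reading them into the two strings; an empty result means the lock adds no constraint the manifest does not already state.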

Copilot AI linked an issue Apr 21, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Remove specific CodeQL versions and update packs" to "Unpin CodeQL pack dependencies by removing committed lock files" Apr 21, 2026
Copilot AI requested a review from data-douser April 21, 2026 21:27
Development

Successfully merging this pull request may close these issues.

Update Packs