Merge pull request #2997 from github/update-v3.29.5-80a09d7b0

Merge main into releases/v3

.github/workflows/__go-tracing-autobuilder.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
           - os: ubuntu-latest
             version: stable-v2.17.6
           - os: macos-latest
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.20.7
           - os: macos-latest
             version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
           - os: ubuntu-latest
             version: stable-v2.17.6
           - os: macos-latest
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.20.7
           - os: macos-latest
             version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
           - os: ubuntu-latest
             version: stable-v2.17.6
           - os: macos-latest
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.20.7
           - os: macos-latest
             version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__multi-language-autodetect.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.16.6
           - os: macos-latest
             version: stable-v2.17.6
           - os: ubuntu-latest
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.20.7
           - os: ubuntu-latest
             version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.21.4
           - os: macos-latest
             version: default
           - os: ubuntu-latest

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 3.29.5 - 29 Jul 2025
+
+- Update default CodeQL bundle version to 2.22.2. [#2986](https://github.com/github/codeql-action/pull/2986)
+
 ## 3.29.4 - 23 Jul 2025
 
 No user facing changes.
@@ -24,6 +28,10 @@ No user facing changes.
 - Update default CodeQL bundle version to 2.22.0. [#2925](https://github.com/github/codeql-action/pull/2925)
 - Bump minimum CodeQL bundle version to 2.16.6. [#2912](https://github.com/github/codeql-action/pull/2912)
 
+## 3.28.21 - 28 July 2025
+
+No user facing changes.
+
 ## 3.28.20 - 21 July 2025
 
 - Remove support for combining SARIF files from a single upload for GHES 3.18, see [the changelog post](https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload/). [#2959](https://github.com/github/codeql-action/pull/2959)

README.md

@@ -70,11 +70,11 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
+| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
 | `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.13 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.18", "minimumVersion": "3.13" }
+{ "maximumVersion": "3.18", "minimumVersion": "3.14" }

lib/codeql.js

@@ -78,15 +78,15 @@ const CODEQL_MINIMUM_VERSION = "2.16.6";
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
  */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.16.6";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 /**
  * This is the version of GHES that was most recently deprecated.
  */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.12";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 /**
  * This is the deprecation date for the version of GHES that was most recently deprecated.
  */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-04-03";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 /*

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.22.1",
-    "cliVersion": "2.22.1",
-    "priorBundleVersion": "codeql-bundle-v2.22.0",
-    "priorCliVersion": "2.22.0"
+    "bundleVersion": "codeql-bundle-v2.22.2",
+    "cliVersion": "2.22.2",
+    "priorBundleVersion": "codeql-bundle-v2.22.1",
+    "priorCliVersion": "2.22.1"
 }

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.29.4",
+  "version": "3.29.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
@@ -823,9 +823,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "9.31.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.31.0.tgz",
-      "integrity": "sha512-LOm5OVt7D4qiKCqoiPbA7LWmI+tbw1VbTUowBcUMgQSuM6poJufkFkYDcQpo5KfgD39TnNySV26QjOh7VFpSyw==",
+      "version": "9.32.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.32.0.tgz",
+      "integrity": "sha512-BBpRFZK3eX6uMLKz8WxFOBIFFcGFJ/g8XuwjTHCqHROSIsopI+ddn/d5Cfh36+7+e5edVS8dbSHnBNhrLEX0zg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6511,9 +6511,9 @@
       "license": "MIT"
     },
     "node_modules/nock": {
-      "version": "14.0.6",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.6.tgz",
-      "integrity": "sha512-67n1OfusL/ON57fwFJ6ZurSJa/msYVQmqlz9rCel2HJYj4Zeb8v9TcmRdEW+PV2i9Fm2358umSvzZukhw/E8DA==",
+      "version": "14.0.7",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.7.tgz",
+      "integrity": "sha512-ubwvvhSzNPqc7Nm3a/iYolwqb7lo1zfllDKO1ODsYu3KnarmQEya5yV70ZUwhVxYIl1ePuX3W+lHw2un+pUfpQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {

node_modules/@eslint/js/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eslint/js",
-  "version": "9.31.0",
+  "version": "9.32.0",
   "description": "ESLint JavaScript language implementation",
   "funding": "https://eslint.org/donate",
   "main": "./src/index.js",

node_modules/nock/README.md

@@ -91,6 +91,7 @@ For instance, if a module performs HTTP requests to a CouchDB server or makes HT
   - [Requests made by ES Modules are not intercepted](#requests-made-by-es-modules-are-not-intercepted)
   - [Axios](#axios)
   - [Memory issues with Jest](#memory-issues-with-jest)
+  - [Fake timers](#fake-timers)
 - [Debugging](#debugging)
 - [Contributing](#contributing)
 - [Contributors](#contributors)
@@ -1613,6 +1614,86 @@ One of the core principles of [Jest](https://jestjs.io/) is that it runs tests i
 It does this by manipulating the modules cache of Node in a way that conflicts with how Nock monkey patches the builtin `http` and `https` modules.
 [Related issue with more details](https://github.com/nock/nock/issues/1817).
 
+### Fake timers
+
+### Jest
+
+To use `nock` in conjunction with `jest` fake timers, make sure you're using the "async" functions when advancing the
+timers, such as `jest.advanceTimersByTimeAsync()` or `jest.runAllTimersAsync()`. Otherwise, the timers will not be
+advanced correctly and you'll experience a timeout in your tests.
+
+```js
+test('should mock a request with fake timers', async () => {
+  jest.useFakeTimers()
+
+  const scope = nock('https://example.com')
+    .get('/path')
+    .delay(1000)
+    .reply(200, 'response')
+
+  // Simulate a request
+  const request = got('https://example.com/path')
+
+  // Fast-forward time
+  await jest.advanceTimersByTimeAsync(1000)
+
+  // Or advance all timers
+  await jest.runAllTimersAsync()
+
+  // Wait for the request to complete
+  const response = await request
+
+  expect(response.body).toBe('response')
+  jest.useRealTimers() // Restore real timers after the test
+  scope.done()
+})
+```
+
+In case you don't need testing delays, you can instruct `jest` to advance the timers automatically using the
+`advanceTimers` option
+
+```js
+jest.useFakeTimers({ advanceTimers: true })
+```
+
+### Sinon
+
+In a similar way to `jest`, if you are using `sinon` fake timers, you should use the `clock.tickAsync()` or
+`clock.runAllAsync()` methods to advance the timers correctly.
+
+```js
+it('should us sinon timers', async () => {
+  clock = sinon.useFakeTimers()
+  const scope = nock('https://example.com')
+    .get('/path')
+    .delay(1000)
+    .reply(200, 'response')
+
+  // Simulate a request
+  const request = got('https://example.com/path')
+
+  // Fast-forward time
+  await clock.tickAsync(1000)
+
+  // Or run all timers
+  await clock.runAllAsync()
+
+  // Wait for the request to complete
+  const response = await request
+
+  expect(response.body).toBe('response')
+  clock.restore()
+  scope.done()
+})
+```
+
+Same applies for `sinon`, if you don't need testing delays, you can instruct `sinon` to advance the timers automatically
+using the `shouldAdvanceTime` option
+
+```js
+clock = sinon.useFakeTimers({ shouldAdvanceTime: true })
+```
+
 ## Debugging
 
 Nock uses node internals [`debuglog`](https://nodejs.org/api/util.html#utildebuglogsection-callbackg), so just run with environmental variable `NODE_DEBUG` set to `nock:*`.

node_modules/nock/lib/common.js

@@ -1,7 +1,6 @@
 'use strict'
 
 const { common: debug } = require('./debug')
-const timers = require('timers')
 const url = require('url')
 const util = require('util')
 const http = require('http')
@@ -521,24 +520,36 @@ function deepEqual(expected, actual) {
 const timeouts = new Set()
 const immediates = new Set()
 
-const wrapTimer =
-  (timer, ids) =>
-  (callback, ...timerArgs) => {
-    const cb = (...callbackArgs) => {
-      try {
-        // eslint-disable-next-line n/no-callback-literal
-        callback(...callbackArgs)
-      } finally {
-        ids.delete(id)
-      }
+const _setImmediate = (callback, ...timerArgs) => {
+  const cb = (...callbackArgs) => {
+    try {
+      // eslint-disable-next-line n/no-callback-literal
+      callback(...callbackArgs)
+    } finally {
+      immediates.delete(id)
     }
-    const id = timer(cb, ...timerArgs)
-    ids.add(id)
-    return id
   }
 
-const setTimeout = wrapTimer(timers.setTimeout, timeouts)
-const setImmediate = wrapTimer(timers.setImmediate, immediates)
+  const id = setImmediate(cb, 0, ...timerArgs)
+
+  immediates.add(id)
+  return id
+}
+
+const _setTimeout = (callback, ...timerArgs) => {
+  const cb = (...callbackArgs) => {
+    try {
+      // eslint-disable-next-line n/no-callback-literal
+      callback(...callbackArgs)
+    } finally {
+      timeouts.delete(id)
+    }
+  }
+
+  const id = setTimeout(cb, ...timerArgs)
+  timeouts.add(id)
+  return id
+}
 
 function clearTimer(clear, ids) {
   ids.forEach(clear)
@@ -714,8 +725,8 @@ module.exports = {
   percentDecode,
   percentEncode,
   removeAllTimers,
-  setImmediate,
-  setTimeout,
+  setImmediate: _setImmediate,
+  setTimeout: _setTimeout,
   stringifyRequest,
   convertFetchRequestToClientRequest,
 }

node_modules/nock/package.json

@@ -7,7 +7,7 @@
     "testing",
     "isolation"
   ],
-  "version": "14.0.6",
+  "version": "14.0.7",
   "author": "Pedro Teixeira <pedro.teixeira@gmail.com>",
   "repository": {
     "type": "git",

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.29.4",
+  "version": "3.29.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.29.4",
+      "version": "3.29.5",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^2.3.1",
@@ -47,7 +47,7 @@
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.31.0",
+        "@eslint/js": "^9.32.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
@@ -66,7 +66,7 @@
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
         "eslint-plugin-no-async-foreach": "^0.1.1",
-        "nock": "^14.0.6",
+        "nock": "^14.0.7",
         "removeNPMAbsolutePaths": "3.0.1",
         "sinon": "^21.0.0",
         "typescript": "^5.8.3"
@@ -891,9 +891,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "9.31.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.31.0.tgz",
-      "integrity": "sha512-LOm5OVt7D4qiKCqoiPbA7LWmI+tbw1VbTUowBcUMgQSuM6poJufkFkYDcQpo5KfgD39TnNySV26QjOh7VFpSyw==",
+      "version": "9.32.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.32.0.tgz",
+      "integrity": "sha512-BBpRFZK3eX6uMLKz8WxFOBIFFcGFJ/g8XuwjTHCqHROSIsopI+ddn/d5Cfh36+7+e5edVS8dbSHnBNhrLEX0zg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6579,9 +6579,9 @@
       "license": "MIT"
     },
     "node_modules/nock": {
-      "version": "14.0.6",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.6.tgz",
-      "integrity": "sha512-67n1OfusL/ON57fwFJ6ZurSJa/msYVQmqlz9rCel2HJYj4Zeb8v9TcmRdEW+PV2i9Fm2358umSvzZukhw/E8DA==",
+      "version": "14.0.7",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-14.0.7.tgz",
+      "integrity": "sha512-ubwvvhSzNPqc7Nm3a/iYolwqb7lo1zfllDKO1ODsYu3KnarmQEya5yV70ZUwhVxYIl1ePuX3W+lHw2un+pUfpQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.29.4",
+  "version": "3.29.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -60,7 +60,7 @@
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.3.1",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.31.0",
+    "@eslint/js": "^9.32.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@types/archiver": "^6.0.3",
     "@types/console-log-level": "^1.4.5",
@@ -79,7 +79,7 @@
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
     "eslint-plugin-no-async-foreach": "^0.1.1",
-    "nock": "^14.0.6",
+    "nock": "^14.0.7",
     "removeNPMAbsolutePaths": "3.0.1",
     "sinon": "^21.0.0",
     "typescript": "^5.8.3"

pr-checks/sync.py

@@ -9,8 +9,6 @@ import os
 # The default set of CodeQL Bundle versions to use for the PR checks.
 defaultTestVersions = [
     # The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-    "stable-v2.16.6",
-    # The last CodeQL release in the 2.17 series.
     "stable-v2.17.6",
     # The last CodeQL release in the 2.18 series.
     "stable-v2.18.4",
@@ -18,6 +16,8 @@ defaultTestVersions = [
     "stable-v2.19.4",
     # The last CodeQL release in the 2.20 series.
     "stable-v2.20.7",
+    # The last CodeQL release in the 2.21 series.
+    "stable-v2.21.4",
     # The default version of CodeQL for Dotcom, as determined by feature flags.
     "default",
     # The version of CodeQL shipped with the Action in `defaults.json`. During the release process

src/api-compatibility.json

@@ -1 +1 @@
-{"maximumVersion": "3.18", "minimumVersion": "3.13"}
+{"maximumVersion": "3.18", "minimumVersion": "3.14"}

src/codeql.ts

@@ -290,17 +290,17 @@ const CODEQL_MINIMUM_VERSION = "2.16.6";
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
  */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.16.6";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 
 /**
  * This is the version of GHES that was most recently deprecated.
  */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.12";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 
 /**
  * This is the deprecation date for the version of GHES that was most recently deprecated.
  */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-04-03";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
 
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.22.1",
-  "cliVersion": "2.22.1",
-  "priorBundleVersion": "codeql-bundle-v2.22.0",
-  "priorCliVersion": "2.22.0"
+  "bundleVersion": "codeql-bundle-v2.22.2",
+  "cliVersion": "2.22.2",
+  "priorBundleVersion": "codeql-bundle-v2.22.1",
+  "priorCliVersion": "2.22.1"
 }