Merge pull request #3782 from github/update-v4.35.1-d6d1743b8

Merge main into releases/v4
2026-04-01 17:22:19 +00:00 · 2026-03-27 16:07:37 +00:00
parent b8bb9f28b8 c5ffd06837
commit c10b8064de
16 changed files with 79 additions and 34 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## 4.35.1 - 27 Mar 2026
+
+- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)
+
 ## 4.35.0 - 27 Mar 2026

 - Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -161551,7 +161551,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -106719,7 +106719,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -103525,7 +103525,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -164658,7 +164658,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -104086,7 +104086,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -105203,7 +105203,7 @@ var core8 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 var semver3 = __toESM(require_semver2());
-var GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0";
+var GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.36.0";
 var GitVersionInfo = class {
  constructor(truncatedVersion, fullVersion) {
    this.truncatedVersion = truncatedVersion;
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -103533,7 +103533,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -103629,7 +103629,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -161498,7 +161498,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -102716,6 +102716,7 @@ var require_oids = __commonJS({
    _IN("2.5.4.15", "businessCategory");
    _IN("2.5.4.17", "postalCode");
    _IN("2.5.4.42", "givenName");
+    _IN("2.5.4.65", "pseudonym");
    _IN("1.3.6.1.4.1.311.60.2.1.2", "jurisdictionOfIncorporationStateOrProvinceName");
    _IN("1.3.6.1.4.1.311.60.2.1.3", "jurisdictionOfIncorporationCountryName");
    _IN("2.16.840.1.113730.1.1", "nsCertType");
@@ -106328,6 +106329,11 @@ var require_jsbn = __commonJS({
      this.multiplyTo(a, r);
      return r;
    }
+    function bnSquare() {
+      var r = nbi();
+      this.squareTo(r);
+      return r;
+    }
    function bnDivide(a) {
      var r = nbi();
      this.divRemTo(a, r, null);
@@ -106551,6 +106557,9 @@ var require_jsbn = __commonJS({
      return r;
    }
    function bnModInverse(m) {
+      if (this.signum() == 0) {
+        return BigInteger.ZERO;
+      }
      var ac = m.isEven();
      if (this.isEven() && ac || m.signum() == 0) return BigInteger.ZERO;
      var u = m.clone(), v = this.clone();
@@ -106595,7 +106604,7 @@ var require_jsbn = __commonJS({
      if (d.signum() < 0) return d.add(m);
      else return d;
    }
-    var lowprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509];
+    var lowprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997];
    var lplim = (1 << 26) / lowprimes[lowprimes.length - 1];
    function bnIsProbablePrime(t) {
      var i, x = this.abs();
@@ -106693,6 +106702,7 @@ var require_jsbn = __commonJS({
    BigInteger.prototype.pow = bnPow;
    BigInteger.prototype.gcd = bnGCD;
    BigInteger.prototype.isProbablePrime = bnIsProbablePrime;
+    BigInteger.prototype.square = bnSquare;
  }
 });

@@ -107888,22 +107898,26 @@ var require_rsa = __commonJS({
        }
        if (options === void 0) {
          options = {
-            _parseAllDigestBytes: true
+            _parseAllDigestBytes: true,
+            _skipPaddingChecks: false
          };
        }
        if (!("_parseAllDigestBytes" in options)) {
          options._parseAllDigestBytes = true;
        }
+        if (!("_skipPaddingChecks" in options)) {
+          options._skipPaddingChecks = false;
+        }
        if (scheme === "RSASSA-PKCS1-V1_5") {
          scheme = {
            verify: function(digest2, d2) {
-              d2 = _decodePkcs1_v1_5(d2, key, true);
+              d2 = _decodePkcs1_v1_5(d2, key, true, void 0, options);
              var obj = asn1.fromDer(d2, {
                parseAllBytes: options._parseAllDigestBytes
              });
              var capture = {};
              var errors = [];
-              if (!asn1.validate(obj, digestInfoValidator, capture, errors)) {
+              if (!asn1.validate(obj, digestInfoValidator, capture, errors) || obj.value.length !== 2) {
                var error3 = new Error(
                  "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value."
                );
@@ -107931,7 +107945,7 @@ var require_rsa = __commonJS({
        } else if (scheme === "NONE" || scheme === "NULL" || scheme === null) {
          scheme = {
            verify: function(digest2, d2) {
-              d2 = _decodePkcs1_v1_5(d2, key, true);
+              d2 = _decodePkcs1_v1_5(d2, key, true, void 0, options);
              return digest2 === d2;
            }
          };
@@ -108223,12 +108237,12 @@ var require_rsa = __commonJS({
      eb.putBytes(m);
      return eb;
    }
-    function _decodePkcs1_v1_5(em, key, pub, ml) {
+    function _decodePkcs1_v1_5(em, key, pub, ml, options) {
      var k = Math.ceil(key.n.bitLength() / 8);
      var eb = forge.util.createBuffer(em);
      var first = eb.getByte();
      var bt = eb.getByte();
-      if (first !== 0 || pub && bt !== 0 && bt !== 1 || !pub && bt != 2 || pub && bt === 0 && typeof ml === "undefined") {
+      if (first !== 0 || pub && bt !== 0 && bt !== 1 || !pub && bt !== 2 || pub && bt === 0 && typeof ml === "undefined") {
        throw new Error("Encryption block is invalid.");
      }
      var padNum = 0;
@@ -108248,6 +108262,9 @@ var require_rsa = __commonJS({
          }
          ++padNum;
        }
+        if (padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
+          throw new Error("Encryption block is invalid.");
+        }
      } else if (bt === 2) {
        padNum = 0;
        while (eb.length() > 1) {
@@ -108257,6 +108274,9 @@ var require_rsa = __commonJS({
          }
          ++padNum;
        }
+        if (padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
+          throw new Error("Encryption block is invalid.");
+        }
      }
      var zero = eb.getByte();
      if (zero !== 0 || padNum !== k - 3 - eb.length()) {
@@ -111714,6 +111734,12 @@ var require_x509 = __commonJS({
              };
            }
          }
+          if (error3 === null && bcExt === null) {
+            error3 = {
+              message: "Certificate is missing basicConstraints extension and cannot be used as a CA.",
+              error: pki2.certificateError.bad_certificate
+            };
+          }
          if (error3 === null && bcExt !== null && !bcExt.cA) {
            error3 = {
              message: "Certificate basicConstraints indicates the certificate is not a CA.",
@@ -115765,6 +115791,9 @@ var require_ed25519 = __commonJS({
      if (unpackneg(q, pk)) {
        return -1;
      }
+      if (!_isCanonicalSignatureScalar(sm, 32)) {
+        return -1;
+      }
      for (i = 0; i < n; ++i) {
        m[i] = sm[i];
      }
@@ -115790,6 +115819,18 @@ var require_ed25519 = __commonJS({
      mlen = n;
      return mlen;
    }
+    function _isCanonicalSignatureScalar(bytes, offset) {
+      var i;
+      for (i = 31; i >= 0; --i) {
+        if (bytes[offset + i] < L[i]) {
+          return true;
+        }
+        if (bytes[offset + i] > L[i]) {
+          return false;
+        }
+      }
+      return false;
+    }
    function modL(r, x) {
      var carry, i, j, k;
      for (i = 63; i >= 32; --i) {
@@ -120677,7 +120718,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -106425,7 +106425,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -161498,7 +161498,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -106453,7 +106453,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.0";
+  return "4.35.1";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.0",
+  "version": "4.35.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.0",
+      "version": "4.35.1",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -32,7 +32,7 @@
        "js-yaml": "^4.1.1",
        "jsonschema": "1.4.1",
        "long": "^5.3.2",
-        "node-forge": "^1.3.3",
+        "node-forge": "^1.4.0",
        "semver": "^7.7.4",
        "uuid": "^13.0.0"
      },
@@ -7495,9 +7495,9 @@
      }
    },
    "node_modules/node-forge": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.3.tgz",
-      "integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==",
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.4.0.tgz",
+      "integrity": "sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==",
      "license": "(BSD-3-Clause OR GPL-2.0)",
      "engines": {
        "node": ">= 6.13.0"
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.35.0",
+  "version": "4.35.1",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -39,7 +39,7 @@
    "js-yaml": "^4.1.1",
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
-    "node-forge": "^1.3.3",
+    "node-forge": "^1.4.0",
    "semver": "^7.7.4",
    "uuid": "^13.0.0"
  },
--- a/src/git-utils.ts
+++ b/src/git-utils.ts
@@ -14,11 +14,11 @@ import {
 import { ConfigurationError, getRequiredEnvParam } from "./util";

 /**
- * Minimum Git version required for overlay analysis. The
- * `git ls-files --recurse-submodules` option, which is used by
- * `getFileOidsUnderPath`, was introduced in Git 2.11.0.
+ * Minimum Git version required for overlay analysis. Support for using the `git ls-files
+ * --recurse-submodules` option with `--stage` was added in Git 2.36.0. For more information, see
+ * `getFileOidsUnderPath`.
 */
-export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0";
+export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.36.0";

 /**
 * Git version information
@@ -261,8 +261,8 @@ export const getFileOidsUnderPath = async function (
  // Without the --full-name flag, the path is relative to the current working
  // directory of the git command, which is basePath.
  //
-  // We use --stage rather than --format here because --stage has been available since Git 2.11.0,
-  // while --format was only introduced in Git 2.38.0, which would limit overlay rollout.
+  // We use --stage rather than --format here because --stage has been available since Git 2.36.0,
+  // while --format was only introduced in Git 2.38.0.
  const stdout = await runGitCommand(
    basePath,
    ["ls-files", "--recurse-submodules", "--stage"],