Update changelog for v4.36.2

Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
Update default bundle to 2.25.6
2026-06-04 12:54:26 +00:00 · 2026-06-04 11:17:27 +00:00 · 2026-06-04 10:56:27 +00:00 · 2026-06-04 10:43:06 +00:00 · 2026-06-04 10:42:59 +00:00 · 2026-06-04 10:38:05 +00:00
16 changed files with 444 additions and 239 deletions
@@ -59,7 +59,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -2,9 +2,9 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## [UNRELEASED]
+## 4.36.2 - 04 Jun 2026

-No user facing changes.
+- Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948)

 ## 4.36.1 - 02 Jun 2026

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.6",
+  "cliVersion": "2.25.6",
+  "priorBundleVersion": "codeql-bundle-v2.25.5",
+  "priorCliVersion": "2.25.5"
 }
@@ -19179,12 +19179,12 @@ var require_lib = __commonJS({
            throw new Error("Client has already been disposed.");
          }
          const parsedUrl = new URL(requestUrl);
-          let info7 = this._prepareRequest(verb, parsedUrl, headers);
+          let info8 = this._prepareRequest(verb, parsedUrl, headers);
          const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
          let numTries = 0;
          let response;
          do {
-            response = yield this.requestRaw(info7, data);
+            response = yield this.requestRaw(info8, data);
            if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
              let authenticationHandler;
              for (const handler2 of this.handlers) {
@@ -19194,7 +19194,7 @@ var require_lib = __commonJS({
                }
              }
              if (authenticationHandler) {
-                return authenticationHandler.handleAuthentication(this, info7, data);
+                return authenticationHandler.handleAuthentication(this, info8, data);
              } else {
                return response;
              }
@@ -19217,8 +19217,8 @@ var require_lib = __commonJS({
                  }
                }
              }
-              info7 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-              response = yield this.requestRaw(info7, data);
+              info8 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+              response = yield this.requestRaw(info8, data);
              redirectsRemaining--;
            }
            if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -19247,7 +19247,7 @@ var require_lib = __commonJS({
       * @param info
       * @param data
       */
-      requestRaw(info7, data) {
+      requestRaw(info8, data) {
        return __awaiter2(this, void 0, void 0, function* () {
          return new Promise((resolve13, reject) => {
            function callbackForResult(err, res) {
@@ -19259,7 +19259,7 @@ var require_lib = __commonJS({
                resolve13(res);
              }
            }
-            this.requestRawWithCallback(info7, data, callbackForResult);
+            this.requestRawWithCallback(info8, data, callbackForResult);
          });
        });
      }
@@ -19269,12 +19269,12 @@ var require_lib = __commonJS({
       * @param data
       * @param onResult
       */
-      requestRawWithCallback(info7, data, onResult) {
+      requestRawWithCallback(info8, data, onResult) {
        if (typeof data === "string") {
-          if (!info7.options.headers) {
-            info7.options.headers = {};
+          if (!info8.options.headers) {
+            info8.options.headers = {};
          }
-          info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+          info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
        }
        let callbackCalled = false;
        function handleResult(err, res) {
@@ -19283,7 +19283,7 @@ var require_lib = __commonJS({
            onResult(err, res);
          }
        }
-        const req = info7.httpModule.request(info7.options, (msg) => {
+        const req = info8.httpModule.request(info8.options, (msg) => {
          const res = new HttpClientResponse(msg);
          handleResult(void 0, res);
        });
@@ -19295,7 +19295,7 @@ var require_lib = __commonJS({
          if (socket) {
            socket.end();
          }
-          handleResult(new Error(`Request timeout: ${info7.options.path}`));
+          handleResult(new Error(`Request timeout: ${info8.options.path}`));
        });
        req.on("error", function(err) {
          handleResult(err);
@@ -19331,27 +19331,27 @@ var require_lib = __commonJS({
        return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
      }
      _prepareRequest(method, requestUrl, headers) {
-        const info7 = {};
-        info7.parsedUrl = requestUrl;
-        const usingSsl = info7.parsedUrl.protocol === "https:";
-        info7.httpModule = usingSsl ? https3 : http;
+        const info8 = {};
+        info8.parsedUrl = requestUrl;
+        const usingSsl = info8.parsedUrl.protocol === "https:";
+        info8.httpModule = usingSsl ? https3 : http;
        const defaultPort = usingSsl ? 443 : 80;
-        info7.options = {};
-        info7.options.host = info7.parsedUrl.hostname;
-        info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort;
-        info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || "");
-        info7.options.method = method;
-        info7.options.headers = this._mergeHeaders(headers);
+        info8.options = {};
+        info8.options.host = info8.parsedUrl.hostname;
+        info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort;
+        info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || "");
+        info8.options.method = method;
+        info8.options.headers = this._mergeHeaders(headers);
        if (this.userAgent != null) {
-          info7.options.headers["user-agent"] = this.userAgent;
+          info8.options.headers["user-agent"] = this.userAgent;
        }
-        info7.options.agent = this._getAgent(info7.parsedUrl);
+        info8.options.agent = this._getAgent(info8.parsedUrl);
        if (this.handlers) {
          for (const handler2 of this.handlers) {
-            handler2.prepareRequest(info7.options);
+            handler2.prepareRequest(info8.options);
          }
        }
-        return info7;
+        return info8;
      }
      _mergeHeaders(headers) {
        if (this.requestOptions && this.requestOptions.headers) {
@@ -21406,7 +21406,7 @@ var require_core = __commonJS({
    exports2.error = error3;
    exports2.warning = warning14;
    exports2.notice = notice;
-    exports2.info = info7;
+    exports2.info = info8;
    exports2.startGroup = startGroup4;
    exports2.endGroup = endGroup4;
    exports2.group = group;
@@ -21503,7 +21503,7 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``);
    function notice(message, properties = {}) {
      (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message);
    }
-    function info7(message) {
+    function info8(message) {
      process.stdout.write(message + os7.EOL);
    }
    function startGroup4(name) {
@@ -26853,6 +26853,7 @@ var require_range = __commonJS({
        return this.range;
      }
      parseRange(range) {
+        range = range.replace(BUILDSTRIPRE, "");
        const memoOpts = (this.options.includePrerelease && FLAG_INCLUDE_PRERELEASE) | (this.options.loose && FLAG_LOOSE);
        const memoKey = memoOpts + ":" + range;
        const cached = cache.get(memoKey);
@@ -26935,12 +26936,14 @@ var require_range = __commonJS({
    var SemVer = require_semver();
    var {
      safeRe: re,
+      src,
      t,
      comparatorTrimReplace,
      tildeTrimReplace,
      caretTrimReplace
    } = require_re();
    var { FLAG_INCLUDE_PRERELEASE, FLAG_LOOSE } = require_constants6();
+    var BUILDSTRIPRE = new RegExp(src[t.BUILD], "g");
    var isNullSet = (c) => c.value === "<0.0.0-0";
    var isAny = (c) => c.value === "";
    var isSatisfiable = (comparators, options) => {
@@ -27696,7 +27699,7 @@ var require_subset = __commonJS({
            if (higher === c && higher !== gt) {
              return false;
            }
-          } else if (gt.operator === ">=" && !satisfies2(gt.semver, String(c), options)) {
+          } else if (gt.operator === ">=" && !c.test(gt.semver)) {
            return false;
          }
        }
@@ -27711,7 +27714,7 @@ var require_subset = __commonJS({
            if (lower === c && lower !== lt2) {
              return false;
            }
-          } else if (lt2.operator === "<=" && !satisfies2(lt2.semver, String(c), options)) {
+          } else if (lt2.operator === "<=" && !c.test(lt2.semver)) {
            return false;
          }
        }
@@ -42402,12 +42405,12 @@ var require_operationHelpers = __commonJS({
      if (hasOriginalRequest(request3)) {
        return getOperationRequestInfo(request3[originalRequestSymbol]);
      }
-      let info7 = state_js_1.state.operationRequestMap.get(request3);
-      if (!info7) {
-        info7 = {};
-        state_js_1.state.operationRequestMap.set(request3, info7);
+      let info8 = state_js_1.state.operationRequestMap.get(request3);
+      if (!info8) {
+        info8 = {};
+        state_js_1.state.operationRequestMap.set(request3, info8);
      }
-      return info7;
+      return info8;
    }
  }
 });
@@ -76954,9 +76957,9 @@ var require_reflection_type_check = __commonJS({
    var reflection_info_1 = require_reflection_info();
    var oneof_1 = require_oneof();
    var ReflectionTypeCheck = class {
-      constructor(info7) {
+      constructor(info8) {
        var _a;
-        this.fields = (_a = info7.fields) !== null && _a !== void 0 ? _a : [];
+        this.fields = (_a = info8.fields) !== null && _a !== void 0 ? _a : [];
      }
      prepare() {
        if (this.data)
@@ -77202,8 +77205,8 @@ var require_reflection_json_reader = __commonJS({
    var assert_1 = require_assert();
    var reflection_long_convert_1 = require_reflection_long_convert();
    var ReflectionJsonReader = class {
-      constructor(info7) {
-        this.info = info7;
+      constructor(info8) {
+        this.info = info8;
      }
      prepare() {
        var _a;
@@ -77499,9 +77502,9 @@ var require_reflection_json_writer = __commonJS({
    var reflection_info_1 = require_reflection_info();
    var assert_1 = require_assert();
    var ReflectionJsonWriter = class {
-      constructor(info7) {
+      constructor(info8) {
        var _a;
-        this.fields = (_a = info7.fields) !== null && _a !== void 0 ? _a : [];
+        this.fields = (_a = info8.fields) !== null && _a !== void 0 ? _a : [];
      }
      /**
       * Converts the message to a JSON object, based on the field descriptors.
@@ -77754,8 +77757,8 @@ var require_reflection_binary_reader = __commonJS({
    var reflection_long_convert_1 = require_reflection_long_convert();
    var reflection_scalar_default_1 = require_reflection_scalar_default();
    var ReflectionBinaryReader = class {
-      constructor(info7) {
-        this.info = info7;
+      constructor(info8) {
+        this.info = info8;
      }
      prepare() {
        var _a;
@@ -77928,8 +77931,8 @@ var require_reflection_binary_writer = __commonJS({
    var assert_1 = require_assert();
    var pb_long_1 = require_pb_long();
    var ReflectionBinaryWriter = class {
-      constructor(info7) {
-        this.info = info7;
+      constructor(info8) {
+        this.info = info8;
      }
      prepare() {
        if (!this.fields) {
@@ -78179,9 +78182,9 @@ var require_reflection_merge_partial = __commonJS({
    "use strict";
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.reflectionMergePartial = void 0;
-    function reflectionMergePartial(info7, target, source) {
+    function reflectionMergePartial(info8, target, source) {
      let fieldValue, input = source, output;
-      for (let field of info7.fields) {
+      for (let field of info8.fields) {
        let name = field.localName;
        if (field.oneof) {
          const group = input[field.oneof];
@@ -78250,12 +78253,12 @@ var require_reflection_equals = __commonJS({
    Object.defineProperty(exports2, "__esModule", { value: true });
    exports2.reflectionEquals = void 0;
    var reflection_info_1 = require_reflection_info();
-    function reflectionEquals(info7, a, b) {
+    function reflectionEquals(info8, a, b) {
      if (a === b)
        return true;
      if (!a || !b)
        return false;
-      for (let field of info7.fields) {
+      for (let field of info8.fields) {
        let localName = field.localName;
        let val_a = field.oneof ? a[field.oneof][localName] : a[localName];
        let val_b = field.oneof ? b[field.oneof][localName] : b[localName];
@@ -91275,7 +91278,7 @@ var require_async = __commonJS({
        }
      }
      var sortBy$1 = awaitify(sortBy, 3);
-      function timeout(asyncFn, milliseconds, info7) {
+      function timeout(asyncFn, milliseconds, info8) {
        var fn = wrapAsync(asyncFn);
        return initialParams((args, callback) => {
          var timedOut = false;
@@ -91284,8 +91287,8 @@ var require_async = __commonJS({
            var name = asyncFn.name || "anonymous";
            var error3 = new Error('Callback function "' + name + '" timed out.');
            error3.code = "ETIMEDOUT";
-            if (info7) {
-              error3.info = info7;
+            if (info8) {
+              error3.info = info8;
            }
            timedOut = true;
            callback(error3);
@@ -114681,12 +114684,12 @@ var require_lib4 = __commonJS({
            throw new Error("Client has already been disposed.");
          }
          const parsedUrl = new URL(requestUrl);
-          let info7 = this._prepareRequest(verb, parsedUrl, headers);
+          let info8 = this._prepareRequest(verb, parsedUrl, headers);
          const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
          let numTries = 0;
          let response;
          do {
-            response = yield this.requestRaw(info7, data);
+            response = yield this.requestRaw(info8, data);
            if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
              let authenticationHandler;
              for (const handler2 of this.handlers) {
@@ -114696,7 +114699,7 @@ var require_lib4 = __commonJS({
                }
              }
              if (authenticationHandler) {
-                return authenticationHandler.handleAuthentication(this, info7, data);
+                return authenticationHandler.handleAuthentication(this, info8, data);
              } else {
                return response;
              }
@@ -114719,8 +114722,8 @@ var require_lib4 = __commonJS({
                  }
                }
              }
-              info7 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-              response = yield this.requestRaw(info7, data);
+              info8 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+              response = yield this.requestRaw(info8, data);
              redirectsRemaining--;
            }
            if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -114749,7 +114752,7 @@ var require_lib4 = __commonJS({
       * @param info
       * @param data
       */
-      requestRaw(info7, data) {
+      requestRaw(info8, data) {
        return __awaiter2(this, void 0, void 0, function* () {
          return new Promise((resolve13, reject) => {
            function callbackForResult(err, res) {
@@ -114761,7 +114764,7 @@ var require_lib4 = __commonJS({
                resolve13(res);
              }
            }
-            this.requestRawWithCallback(info7, data, callbackForResult);
+            this.requestRawWithCallback(info8, data, callbackForResult);
          });
        });
      }
@@ -114771,12 +114774,12 @@ var require_lib4 = __commonJS({
       * @param data
       * @param onResult
       */
-      requestRawWithCallback(info7, data, onResult) {
+      requestRawWithCallback(info8, data, onResult) {
        if (typeof data === "string") {
-          if (!info7.options.headers) {
-            info7.options.headers = {};
+          if (!info8.options.headers) {
+            info8.options.headers = {};
          }
-          info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+          info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
        }
        let callbackCalled = false;
        function handleResult(err, res) {
@@ -114785,7 +114788,7 @@ var require_lib4 = __commonJS({
            onResult(err, res);
          }
        }
-        const req = info7.httpModule.request(info7.options, (msg) => {
+        const req = info8.httpModule.request(info8.options, (msg) => {
          const res = new HttpClientResponse(msg);
          handleResult(void 0, res);
        });
@@ -114797,7 +114800,7 @@ var require_lib4 = __commonJS({
          if (socket) {
            socket.end();
          }
-          handleResult(new Error(`Request timeout: ${info7.options.path}`));
+          handleResult(new Error(`Request timeout: ${info8.options.path}`));
        });
        req.on("error", function(err) {
          handleResult(err);
@@ -114833,27 +114836,27 @@ var require_lib4 = __commonJS({
        return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
      }
      _prepareRequest(method, requestUrl, headers) {
-        const info7 = {};
-        info7.parsedUrl = requestUrl;
-        const usingSsl = info7.parsedUrl.protocol === "https:";
-        info7.httpModule = usingSsl ? https3 : http;
+        const info8 = {};
+        info8.parsedUrl = requestUrl;
+        const usingSsl = info8.parsedUrl.protocol === "https:";
+        info8.httpModule = usingSsl ? https3 : http;
        const defaultPort = usingSsl ? 443 : 80;
-        info7.options = {};
-        info7.options.host = info7.parsedUrl.hostname;
-        info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort;
-        info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || "");
-        info7.options.method = method;
-        info7.options.headers = this._mergeHeaders(headers);
+        info8.options = {};
+        info8.options.host = info8.parsedUrl.hostname;
+        info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort;
+        info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || "");
+        info8.options.method = method;
+        info8.options.headers = this._mergeHeaders(headers);
        if (this.userAgent != null) {
-          info7.options.headers["user-agent"] = this.userAgent;
+          info8.options.headers["user-agent"] = this.userAgent;
        }
-        info7.options.agent = this._getAgent(info7.parsedUrl);
+        info8.options.agent = this._getAgent(info8.parsedUrl);
        if (this.handlers) {
          for (const handler2 of this.handlers) {
-            handler2.prepareRequest(info7.options);
+            handler2.prepareRequest(info8.options);
          }
        }
-        return info7;
+        return info8;
      }
      _mergeHeaders(headers) {
        if (this.requestOptions && this.requestOptions.headers) {
@@ -121241,11 +121244,11 @@ var require_dist_node12 = __commonJS({
    }
    async function wrapRequest2(state, request3, options) {
      const limiter = new Bottleneck2();
-      limiter.on("failed", function(error3, info7) {
+      limiter.on("failed", function(error3, info8) {
        const maxRetries = ~~error3.request.request.retries;
        const after = ~~error3.request.request.retryAfter;
-        options.request.retryCount = info7.retryCount + 1;
-        if (maxRetries > info7.retryCount) {
+        options.request.retryCount = info8.retryCount + 1;
+        if (maxRetries > info8.retryCount) {
          return after * state.retryAfterBaseValue;
        }
      });
@@ -122453,12 +122456,12 @@ var require_lib5 = __commonJS({
            throw new Error("Client has already been disposed.");
          }
          const parsedUrl = new URL(requestUrl);
-          let info7 = this._prepareRequest(verb, parsedUrl, headers);
+          let info8 = this._prepareRequest(verb, parsedUrl, headers);
          const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
          let numTries = 0;
          let response;
          do {
-            response = yield this.requestRaw(info7, data);
+            response = yield this.requestRaw(info8, data);
            if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
              let authenticationHandler;
              for (const handler2 of this.handlers) {
@@ -122468,7 +122471,7 @@ var require_lib5 = __commonJS({
                }
              }
              if (authenticationHandler) {
-                return authenticationHandler.handleAuthentication(this, info7, data);
+                return authenticationHandler.handleAuthentication(this, info8, data);
              } else {
                return response;
              }
@@ -122491,8 +122494,8 @@ var require_lib5 = __commonJS({
                  }
                }
              }
-              info7 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-              response = yield this.requestRaw(info7, data);
+              info8 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+              response = yield this.requestRaw(info8, data);
              redirectsRemaining--;
            }
            if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -122521,7 +122524,7 @@ var require_lib5 = __commonJS({
       * @param info
       * @param data
       */
-      requestRaw(info7, data) {
+      requestRaw(info8, data) {
        return __awaiter2(this, void 0, void 0, function* () {
          return new Promise((resolve13, reject) => {
            function callbackForResult(err, res) {
@@ -122533,7 +122536,7 @@ var require_lib5 = __commonJS({
                resolve13(res);
              }
            }
-            this.requestRawWithCallback(info7, data, callbackForResult);
+            this.requestRawWithCallback(info8, data, callbackForResult);
          });
        });
      }
@@ -122543,12 +122546,12 @@ var require_lib5 = __commonJS({
       * @param data
       * @param onResult
       */
-      requestRawWithCallback(info7, data, onResult) {
+      requestRawWithCallback(info8, data, onResult) {
        if (typeof data === "string") {
-          if (!info7.options.headers) {
-            info7.options.headers = {};
+          if (!info8.options.headers) {
+            info8.options.headers = {};
          }
-          info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+          info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
        }
        let callbackCalled = false;
        function handleResult(err, res) {
@@ -122557,7 +122560,7 @@ var require_lib5 = __commonJS({
            onResult(err, res);
          }
        }
-        const req = info7.httpModule.request(info7.options, (msg) => {
+        const req = info8.httpModule.request(info8.options, (msg) => {
          const res = new HttpClientResponse(msg);
          handleResult(void 0, res);
        });
@@ -122569,7 +122572,7 @@ var require_lib5 = __commonJS({
          if (socket) {
            socket.end();
          }
-          handleResult(new Error(`Request timeout: ${info7.options.path}`));
+          handleResult(new Error(`Request timeout: ${info8.options.path}`));
        });
        req.on("error", function(err) {
          handleResult(err);
@@ -122605,27 +122608,27 @@ var require_lib5 = __commonJS({
        return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
      }
      _prepareRequest(method, requestUrl, headers) {
-        const info7 = {};
-        info7.parsedUrl = requestUrl;
-        const usingSsl = info7.parsedUrl.protocol === "https:";
-        info7.httpModule = usingSsl ? https3 : http;
+        const info8 = {};
+        info8.parsedUrl = requestUrl;
+        const usingSsl = info8.parsedUrl.protocol === "https:";
+        info8.httpModule = usingSsl ? https3 : http;
        const defaultPort = usingSsl ? 443 : 80;
-        info7.options = {};
-        info7.options.host = info7.parsedUrl.hostname;
-        info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort;
-        info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || "");
-        info7.options.method = method;
-        info7.options.headers = this._mergeHeaders(headers);
+        info8.options = {};
+        info8.options.host = info8.parsedUrl.hostname;
+        info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort;
+        info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || "");
+        info8.options.method = method;
+        info8.options.headers = this._mergeHeaders(headers);
        if (this.userAgent != null) {
-          info7.options.headers["user-agent"] = this.userAgent;
+          info8.options.headers["user-agent"] = this.userAgent;
        }
-        info7.options.agent = this._getAgent(info7.parsedUrl);
+        info8.options.agent = this._getAgent(info8.parsedUrl);
        if (this.handlers) {
          for (const handler2 of this.handlers) {
-            handler2.prepareRequest(info7.options);
+            handler2.prepareRequest(info8.options);
          }
        }
-        return info7;
+        return info8;
      }
      _mergeHeaders(headers) {
        if (this.requestOptions && this.requestOptions.headers) {
@@ -124615,10 +124618,10 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``);
      (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message);
    }
    exports2.notice = notice;
-    function info7(message) {
+    function info8(message) {
      process.stdout.write(message + os7.EOL);
    }
-    exports2.info = info7;
+    exports2.info = info8;
    function startGroup4(name) {
      (0, command_1.issue)("group", name);
    }
@@ -148062,13 +148065,42 @@ function asHTTPError(arg) {
  return void 0;
 }
 var cachedCodeQlVersion = void 0;
-function cacheCodeQlVersion(version) {
+function isVersionInfo(x) {
+  const candidate = x;
+  return typeof candidate === "object" && candidate !== null && typeof candidate.version === "string" && (candidate.features === void 0 || typeof candidate.features === "object" && candidate.features !== null) && (candidate.overlayVersion === void 0 || typeof candidate.overlayVersion === "number");
+}
+function isPersistedVersionInfo(x) {
+  const candidate = x;
+  return typeof candidate === "object" && candidate !== null && typeof candidate.cmd === "string" && isVersionInfo(candidate.version);
+}
+function cacheCodeQlVersion(cmd, version) {
  if (cachedCodeQlVersion !== void 0) {
    throw new Error("cacheCodeQlVersion() should be called only once");
  }
  cachedCodeQlVersion = version;
+  core3.exportVariable(
+    "CODEQL_ACTION_CLI_VERSION_INFO" /* CODEQL_VERSION_INFO */,
+    JSON.stringify({ cmd, version })
+  );
 }
-function getCachedCodeQlVersion() {
+function getCachedCodeQlVersion(cmd) {
+  if (cachedCodeQlVersion !== void 0) {
+    return cachedCodeQlVersion;
+  }
+  const serialized = process.env["CODEQL_ACTION_CLI_VERSION_INFO" /* CODEQL_VERSION_INFO */];
+  if (!serialized) {
+    return void 0;
+  }
+  let persisted;
+  try {
+    persisted = JSON.parse(serialized);
+  } catch {
+    return void 0;
+  }
+  if (!isPersistedVersionInfo(persisted) || cmd !== void 0 && persisted.cmd !== cmd) {
+    return void 0;
+  }
+  cachedCodeQlVersion = persisted.version;
  return cachedCodeQlVersion;
 }
 async function codeQlVersionAtLeast(codeql, requiredVersion) {
@@ -148669,11 +148701,11 @@ async function errorRequest(state, octokit, error3, options) {
 }
 async function wrapRequest(state, octokit, request3, options) {
  const limiter = new import_light.default();
-  limiter.on("failed", function(error3, info7) {
+  limiter.on("failed", function(error3, info8) {
    const maxRetries = ~~error3.request.request?.retries;
    const after = ~~error3.request.request?.retryAfter;
-    options.request.retryCount = info7.retryCount + 1;
-    if (maxRetries > info7.retryCount) {
+    options.request.retryCount = info8.retryCount + 1;
+    if (maxRetries > info8.retryCount) {
      return after * state.retryAfterBaseValue;
    }
  });
@@ -148930,8 +148962,8 @@ function wrapApiConfigurationError(e) {
 }

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.5";
-var cliVersion = "2.25.5";
+var bundleVersion = "codeql-bundle-v2.25.6";
+var cliVersion = "2.25.6";

 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
@@ -149396,6 +149428,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
+  ["force_jgit" /* ForceJGit */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_JGIT",
+    minimumVersion: void 0
+  },
  ["force_nightly" /* ForceNightly */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
@@ -153873,7 +153910,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
      return cmd;
    },
    async getVersion() {
-      let result = getCachedCodeQlVersion();
+      let result = getCachedCodeQlVersion(cmd);
      if (result === void 0) {
        const output = await runCli(cmd, ["version", "--format=json"], {
          noStreamStdout: true
@@ -153885,12 +153922,12 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            `Invalid JSON output from \`version --format=json\`: ${output}`
          );
        }
-        cacheCodeQlVersion(result);
+        cacheCodeQlVersion(cmd, result);
      }
      return result;
    },
    async printVersion() {
-      await runCli(cmd, ["version", "--format=json"]);
+      core11.info(JSON.stringify(await this.getVersion(), null, 2));
    },
    async supportsFeature(feature) {
      return isSupportedToolsFeature(await this.getVersion(), feature);
@@ -157498,22 +157535,20 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs21.writeFileSync(outputFile, sarifPayload);
 }
-var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
-var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
+var STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS = 5 * 1e3;
+var STATUS_CHECK_BACKOFF_MULTIPLIER = 2;
+var STATUS_CHECK_MAX_TRIES = 5;
 async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
  isUnsuccessfulExecution: false
 }) {
  logger.startGroup("Waiting for processing to finish");
  try {
    const client = getApiClient();
-    const statusCheckingStarted = Date.now();
-    while (true) {
-      if (Date.now() > statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS) {
-        logger.warning(
-          "Timed out waiting for analysis to finish processing. Continuing."
-        );
-        break;
-      }
+    let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS;
+    if (process.env["NODE_ENV"] !== "test") {
+      await delay(statusCheckBackoff, { allowProcessExit: false });
+    }
+    for (let statusCheckCount = 1; statusCheckCount <= STATUS_CHECK_MAX_TRIES; statusCheckCount++) {
      let response = void 0;
      try {
        response = await client.request(
@@ -157551,9 +157586,15 @@ ${response.data.errors}`;
      } else {
        assertNever(status);
      }
-      await delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, {
-        allowProcessExit: false
-      });
+      if (statusCheckCount === STATUS_CHECK_MAX_TRIES) {
+        logger.warning(
+          "Timed out waiting for analysis to finish processing. Continuing."
+        );
+        break;
+      } else {
+        statusCheckBackoff *= STATUS_CHECK_BACKOFF_MULTIPLIER;
+        await delay(statusCheckBackoff, { allowProcessExit: false });
+      }
    }
  } finally {
    logger.endGroup();
@@ -159357,6 +159398,9 @@ exec ${goBinaryPath} "$@"`
    if (await features.getValue("disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */)) {
      core21.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
    }
+    if (await features.getValue("force_jgit" /* ForceJGit */)) {
+      core21.exportVariable("CODEQL_GIT_BACKEND", "jgit");
+    }
    const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
    if (await codeQlVersionAtLeast(codeql, "2.20.3") && !await codeQlVersionAtLeast(codeql, "2.20.4")) {
      core21.exportVariable(kotlinLimitVar, "2.1.20");
@@ -32,7 +32,7 @@
        "jsonschema": "1.5.0",
        "long": "^5.3.2",
        "node-forge": "^1.4.0",
-        "semver": "^7.8.0",
+        "semver": "^7.8.1",
        "uuid": "^14.0.0"
      },
      "devDependencies": {
@@ -61,7 +61,7 @@
        "nock": "^14.0.15",
        "sinon": "^22.0.0",
        "typescript": "^6.0.3",
-        "typescript-eslint": "^8.59.4"
+        "typescript-eslint": "^8.60.0"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -2528,17 +2528,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.4.tgz",
-      "integrity": "sha512-PegsU+XfyJJNjd4+u/k6f9yTyp0lEXXiPopUNobZcIAUJFGICFLN+sP0Rb3JehVmiij1Ph0dFGYqODoRo/2+6A==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.60.0.tgz",
+      "integrity": "sha512-QYb/sa74/s7OKMbACMjrYnGspj9Hs5YI5aaffSL65UfeBUzVzBJfVo3oWSpbzPurvm7yaCCo2Lk7lVj610HqKw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/type-utils": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/scope-manager": "8.60.0",
+        "@typescript-eslint/type-utils": "8.60.0",
+        "@typescript-eslint/utils": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0",
        "ignore": "^7.0.5",
        "natural-compare": "^1.4.0",
        "ts-api-utils": "^2.5.0"
@@ -2551,7 +2551,7 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.59.4",
+        "@typescript-eslint/parser": "^8.60.0",
        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
        "typescript": ">=4.8.4 <6.1.0"
      }
@@ -2567,16 +2567,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.4.tgz",
-      "integrity": "sha512-zORHqO/tuhxY1zWuTvMUqddRxpiFJ72xVfcNoWpqdLjs6lfPbuQBJuW4pk+49/uBMy7Ssr4bzgjiKmmDB1UbZQ==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.60.0.tgz",
+      "integrity": "sha512-fcqpj/MyK4sxDPcbe7STNPbpQL4RLZOPWuaTmwZYuc+hJKzRf58yRxfhqGpc6PIq9ZyfSBpfHgmUHmHs0KwHwg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/scope-manager": "8.60.0",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2610,14 +2610,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.4.tgz",
-      "integrity": "sha512-Ly00Vu4oAacfDeHp2Zg85ioNG6l8HG+tN1D7J+xTHSxu9y0awYKJ2zH1rFBn8ZSfuGK+7FxK3Cgl3uAz0aZZLg==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.0.tgz",
+      "integrity": "sha512-aZu74NNKJeUWqCjDddzdiKaS82dgYgV/vmf+Ui3ZdZejmgfXR/q+pRumgobnQ2cCJTgGTWp4ypiwsuofFubavg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.59.4",
-        "@typescript-eslint/types": "^8.59.4",
+        "@typescript-eslint/tsconfig-utils": "^8.60.0",
+        "@typescript-eslint/types": "^8.60.0",
        "debug": "^4.4.3"
      },
      "engines": {
@@ -2650,14 +2650,14 @@
      }
    },
    "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.4.tgz",
-      "integrity": "sha512-mUeR/3H1WrTAddJrwut8OoPjfauaztMQmRwV5fQTUyNVJCLiUXXe4lGEyYIL2oFDpP7UtgbGJXCt72wT0z2S3Q==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.0.tgz",
+      "integrity": "sha512-pFzqhllJMs+jghLQWzV00ds39xLzuyqPSev5pd8f4Ir0rtKR3ZLUB4/4dhjOFighWb9larvtfJvqL+4yKDI3Xw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4"
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2668,9 +2668,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.4.tgz",
-      "integrity": "sha512-DLCpnKgD4alVxTBSKulK+gU1KCqOgUXfDRDXh2mZgzokQKa/70ax93I2uVO3m/LLvIAtWZIFoiifudmIqAxpMA==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.0.tgz",
+      "integrity": "sha512-BZPR3RGYlAXnly6ymAxfkVn5rCbZzQNou0rxv3GfWZ8cTQp+hhVd73khbGLAd8k1TlAPLISH337M+tAgAnaJDQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2685,15 +2685,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.4.tgz",
-      "integrity": "sha512-uonTuPAAKr9XaBGqJ3LjYTh72zy5DyGesljO9gtmk/eFW0W1fRHjnwVYKB35Lm8d5Q5CluEW3gPHjTvZTmgrfA==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.60.0.tgz",
+      "integrity": "sha512-SX46wEUtitCpq7AN38HkUU/+zvUpdKf7ephtWAFgckH8O7PQIyL5gvrhQgBLuEYgLfuKWOVvWVskMbuFHAz5xg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0",
+        "@typescript-eslint/utils": "8.60.0",
        "debug": "^4.4.3",
        "ts-api-utils": "^2.5.0"
      },
@@ -2728,9 +2728,9 @@
      }
    },
    "node_modules/@typescript-eslint/types": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.4.tgz",
-      "integrity": "sha512-F1o7WJcCq+bc8dwcO/YsSEOudAH8RDtaOhM6wcAQhcUsFhnWQl81JKy48q1hoxAU0qrzM89+31GYh1515Zde3Q==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz",
+      "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2742,16 +2742,16 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.4.tgz",
-      "integrity": "sha512-F+RuOmcDXo4+TPdfd/TCLS3m2nw8gE9XXyZLrA3JBfaA5tz9TtdkyD3YJFmPxulyc2cKbEok/CvFE3MgSLWnag==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.0.tgz",
+      "integrity": "sha512-3AcZNBGMClm6CXDyo8kYvVGT/sx29sS0oBsIb9oZI2gunA4Vm2M3YHzRLPvsUBBsl+yB5FPtltq7gGH0iTlp9g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.59.4",
-        "@typescript-eslint/tsconfig-utils": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/visitor-keys": "8.59.4",
+        "@typescript-eslint/project-service": "8.60.0",
+        "@typescript-eslint/tsconfig-utils": "8.60.0",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/visitor-keys": "8.60.0",
        "debug": "^4.4.3",
        "minimatch": "^10.2.2",
        "semver": "^7.7.3",
@@ -2827,16 +2827,16 @@
      }
    },
    "node_modules/@typescript-eslint/utils": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.4.tgz",
-      "integrity": "sha512-cYXeNAUsG4lJo5dbc1FcKm+JwIWrj1/UpTORsC6tGMjEZ81DYcvIr9/ueikhMa/Y/gDQYGp+YX9/xQrXje5BJw==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.60.0.tgz",
+      "integrity": "sha512-HtXuPfrHTyBDkameWpl+vJb1Uevu2tznAyahM1Oc4AENidCLTPiZDWIo4GfcxNdC/RcfGcadzzkqbRG87dUrQA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.59.4",
-        "@typescript-eslint/types": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4"
+        "@typescript-eslint/scope-manager": "8.60.0",
+        "@typescript-eslint/types": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2851,13 +2851,13 @@
      }
    },
    "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.4.tgz",
-      "integrity": "sha512-U3gxVaDVnuZKhSspW/MzMxE1kq7zOdc072FcSNoqA1I9p8HyKbBFfEHoWckBAMgNMph4MamwS5iTVzFmrnt8TQ==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz",
+      "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.59.4",
+        "@typescript-eslint/types": "8.60.0",
        "eslint-visitor-keys": "^5.0.0"
      },
      "engines": {
@@ -8311,9 +8311,9 @@
      }
    },
    "node_modules/semver": {
-      "version": "7.8.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
-      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
+      "version": "7.8.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
+      "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
@@ -9292,16 +9292,16 @@
      }
    },
    "node_modules/typescript-eslint": {
-      "version": "8.59.4",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.4.tgz",
-      "integrity": "sha512-Rw6+44QNFaXtgHSjPy+Kw8hrJniMYzR85E9yLmOLcfZ91/rz+JXQbDTCmc6ccxMPY6K6PgAq26f0JCBfR7LIPQ==",
+      "version": "8.60.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.60.0.tgz",
+      "integrity": "sha512-9f65qWLZdAW9m1JaxBDUHcqRUfL8bkxxXL7XxEfI+F09q56PkBvIfCjLF3yInsDM/BBmwkqmCQdCZe/RYlIWEw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.59.4",
-        "@typescript-eslint/parser": "8.59.4",
-        "@typescript-eslint/typescript-estree": "8.59.4",
-        "@typescript-eslint/utils": "8.59.4"
+        "@typescript-eslint/eslint-plugin": "8.60.0",
+        "@typescript-eslint/parser": "8.60.0",
+        "@typescript-eslint/typescript-estree": "8.60.0",
+        "@typescript-eslint/utils": "8.60.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -40,7 +40,7 @@
    "jsonschema": "1.5.0",
    "long": "^5.3.2",
    "node-forge": "^1.4.0",
-    "semver": "^7.8.0",
+    "semver": "^7.8.1",
    "uuid": "^14.0.0"
  },
  "devDependencies": {
@@ -69,7 +69,7 @@
    "nock": "^14.0.15",
    "sinon": "^22.0.0",
    "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.4"
+    "typescript-eslint": "^8.60.0"
  },
  "overrides": {
    "@actions/tool-cache": {
@@ -5,7 +5,7 @@ versions:
  - default
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0
+    uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -523,7 +523,7 @@ async function getCodeQLForCmd(
      return cmd;
    },
    async getVersion() {
-      let result = util.getCachedCodeQlVersion();
+      let result = util.getCachedCodeQlVersion(cmd);
      if (result === undefined) {
        const output = await runCli(cmd, ["version", "--format=json"], {
          noStreamStdout: true,
@@ -535,12 +535,13 @@ async function getCodeQLForCmd(
            `Invalid JSON output from \`version --format=json\`: ${output}`,
          );
        }
-        util.cacheCodeQlVersion(result);
+        util.cacheCodeQlVersion(cmd, result);
      }
      return result;
    },
    async printVersion() {
-      await runCli(cmd, ["version", "--format=json"]);
+      // Reuse the cached version information rather than invoking the CLI again.
+      core.info(JSON.stringify(await this.getVersion(), null, 2));
    },
    async supportsFeature(feature: ToolsFeature) {
      return isSupportedToolsFeature(await this.getVersion(), feature);
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.5",
-  "cliVersion": "2.25.5",
-  "priorBundleVersion": "codeql-bundle-v2.25.4",
-  "priorCliVersion": "2.25.4"
+  "bundleVersion": "codeql-bundle-v2.25.6",
+  "cliVersion": "2.25.6",
+  "priorBundleVersion": "codeql-bundle-v2.25.5",
+  "priorCliVersion": "2.25.5"
 }
@@ -17,6 +17,12 @@ export enum EnvVar {
   */
  CLI_VERBOSITY = "CODEQL_VERBOSITY",

+  /**
+   * `PersistedVersionInfo` for the CodeQL CLI, so later Actions steps can reuse it instead of
+   * invoking `codeql version` again.
+   */
+  CODEQL_VERSION_INFO = "CODEQL_ACTION_CLI_VERSION_INFO",
+
  /** Whether the CodeQL Action has invoked the Go autobuilder. */
  DID_AUTOBUILD_GOLANG = "CODEQL_ACTION_DID_AUTOBUILD_GOLANG",

@@ -82,6 +82,11 @@ export enum Feature {
  DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
  DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
  ExportDiagnosticsEnabled = "export_diagnostics_enabled",
+  /**
+   * Emergency override that forces the CodeQL CLI to use the JGit-based Git backend instead of its
+   * default backend selection.
+   */
+  ForceJGit = "force_jgit",
  ForceNightly = "force_nightly",
  IgnoreGeneratedFiles = "ignore_generated_files",
  JavaNetworkDebugging = "java_network_debugging",
@@ -224,6 +229,11 @@ export const featureConfig = {
    legacyApi: true,
    minimumVersion: undefined,
  },
+  [Feature.ForceJGit]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_FORCE_JGIT",
+    minimumVersion: undefined,
+  },
  [Feature.ForceNightly]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_FORCE_NIGHTLY",
@@ -614,6 +614,11 @@ async function run(startedAt: Date) {
      core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
    }

+    // Emergency override to force the CodeQL CLI back to the JGit-based Git backend.
+    if (await features.getValue(Feature.ForceJGit)) {
+      core.exportVariable("CODEQL_GIT_BACKEND", "jgit");
+    }
+
    const kotlinLimitVar =
      "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
    if (
@@ -32,6 +32,7 @@ import {
  GitHubVariant,
  GitHubVersion,
  HTTPError,
+  resetCachedCodeQlVersion,
 } from "./util";

 export const SAMPLE_DOTCOM_API_DETAILS = {
@@ -101,6 +102,10 @@ export function setupTests(testFn: TestFn<any>) {
    // unless the test explicitly sets one up.
    codeql.setCodeQL({});

+    // Reset the in-process CodeQL version cache so that it doesn't leak between
+    // tests, which each represent a separate Actions step in production.
+    resetCachedCodeQlVersion();
+
    // Replace stdout and stderr so we can record output during tests
    t.context.testOutput = "";
    const processStdoutWrite = process.stdout.write.bind(process.stdout);
@@ -829,8 +829,10 @@ function dumpSarifFile(
  fs.writeFileSync(outputFile, sarifPayload);
 }

-const STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1000;
-const STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1000;
+// Should lead to status checks after 5s, 15s, 35s, 75s, and 155s.
+const STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS = 5 * 1000;
+const STATUS_CHECK_BACKOFF_MULTIPLIER = 2;
+const STATUS_CHECK_MAX_TRIES = 5;

 type ProcessingStatus = "pending" | "complete" | "failed";

@@ -854,20 +856,17 @@ export async function waitForProcessing(
  try {
    const client = api.getApiClient();

-    const statusCheckingStarted = Date.now();
-    while (true) {
-      if (
-        Date.now() >
-        statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS
-      ) {
-        // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing.
-        // It's possible the analysis will eventually finish processing, but it's not worth spending more
-        // Actions time waiting.
-        logger.warning(
-          "Timed out waiting for analysis to finish processing. Continuing.",
-        );
-        break;
-      }
+    // Do an initial wait because processing will always take a minimum of 2-3 seconds
+    let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS;
+    if (process.env["NODE_ENV"] !== "test") {
+      await util.delay(statusCheckBackoff, { allowProcessExit: false });
+    }
+
+    for (
+      let statusCheckCount = 1;
+      statusCheckCount <= STATUS_CHECK_MAX_TRIES;
+      statusCheckCount++
+    ) {
      let response: OctokitResponse<any> | undefined = undefined;
      try {
        response = await client.request(
@@ -912,9 +911,18 @@ export async function waitForProcessing(
        util.assertNever(status);
      }

-      await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, {
-        allowProcessExit: false,
-      });
+      if (statusCheckCount === STATUS_CHECK_MAX_TRIES) {
+        // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing.
+        // It's possible the analysis will eventually finish processing, but it's not worth spending more
+        // Actions time waiting.
+        logger.warning(
+          "Timed out waiting for analysis to finish processing. Continuing.",
+        );
+        break;
+      } else {
+        statusCheckBackoff *= STATUS_CHECK_BACKOFF_MULTIPLIER;
+        await util.delay(statusCheckBackoff, { allowProcessExit: false });
+      }
    }
  } finally {
    logger.endGroup();
@@ -532,3 +532,58 @@ test("Failure.orElse returns the default value for a failure result", (t) => {
  const result = new util.Failure(new Error("test error"));
  t.is(result.orElse("default value"), "default value");
 });
+
+test.serial(
+  "getCachedCodeQlVersion reuses a version persisted by an earlier step",
+  (t) => {
+    process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({
+      cmd: "/path/to/codeql",
+      version: { version: "2.20.0" },
+    });
+    t.deepEqual(util.getCachedCodeQlVersion("/path/to/codeql"), {
+      version: "2.20.0",
+    });
+  },
+);
+
+test.serial(
+  "getCachedCodeQlVersion ignores a persisted version from a different CLI",
+  (t) => {
+    process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({
+      cmd: "/path/to/other-codeql",
+      version: { version: "2.20.0" },
+    });
+    t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined);
+  },
+);
+
+test.serial(
+  "getCachedCodeQlVersion ignores a malformed persisted value",
+  (t) => {
+    process.env[EnvVar.CODEQL_VERSION_INFO] = "not valid json";
+    t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined);
+  },
+);
+
+test.serial(
+  "getCachedCodeQlVersion ignores a persisted value with the wrong structure",
+  (t) => {
+    for (const value of [
+      JSON.stringify({ cmd: "/path/to/codeql" }),
+      JSON.stringify({ cmd: "/path/to/codeql", version: {} }),
+      JSON.stringify({ cmd: "/path/to/codeql", version: { version: 2 } }),
+      JSON.stringify({ version: { version: "2.20.0" } }),
+      JSON.stringify({
+        cmd: "/path/to/codeql",
+        version: { version: "2.20.0", overlayVersion: "1" },
+      }),
+      JSON.stringify({
+        cmd: "/path/to/codeql",
+        version: { version: "2.20.0", features: "nope" },
+      }),
+    ]) {
+      process.env[EnvVar.CODEQL_VERSION_INFO] = value;
+      t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined, value);
+    }
+  },
+);
@@ -619,14 +619,85 @@ export function asHTTPError(arg: any): HTTPError | undefined {

 let cachedCodeQlVersion: undefined | VersionInfo = undefined;

-export function cacheCodeQlVersion(version: VersionInfo): void {
+/**
+ * Resets the in-process cache of the CodeQL CLI version. Only for use in tests,
+ * which exercise multiple "steps" within a single process.
+ */
+export function resetCachedCodeQlVersion(): void {
+  cachedCodeQlVersion = undefined;
+}
+
+/** The persisted version together with the CLI path it was obtained from. */
+interface PersistedVersionInfo {
+  cmd: string;
+  version: VersionInfo;
+}
+
+function isVersionInfo(x: unknown): x is VersionInfo {
+  const candidate = x as Partial<VersionInfo> | null;
+  return (
+    typeof candidate === "object" &&
+    candidate !== null &&
+    typeof candidate.version === "string" &&
+    (candidate.features === undefined ||
+      (typeof candidate.features === "object" &&
+        candidate.features !== null)) &&
+    (candidate.overlayVersion === undefined ||
+      typeof candidate.overlayVersion === "number")
+  );
+}
+
+function isPersistedVersionInfo(x: unknown): x is PersistedVersionInfo {
+  const candidate = x as Partial<PersistedVersionInfo> | null;
+  return (
+    typeof candidate === "object" &&
+    candidate !== null &&
+    typeof candidate.cmd === "string" &&
+    isVersionInfo(candidate.version)
+  );
+}
+
+export function cacheCodeQlVersion(cmd: string, version: VersionInfo): void {
  if (cachedCodeQlVersion !== undefined) {
    throw new Error("cacheCodeQlVersion() should be called only once");
  }
  cachedCodeQlVersion = version;
+  // Persist the version so that subsequent Actions steps, which run in separate
+  // processes, can reuse it rather than invoking `codeql version` again. We
+  // record the CLI path so that a different step using a different CodeQL bundle
+  // doesn't pick up a stale version.
+  core.exportVariable(
+    EnvVar.CODEQL_VERSION_INFO,
+    JSON.stringify({ cmd, version }),
+  );
 }

-export function getCachedCodeQlVersion(): undefined | VersionInfo {
+export function getCachedCodeQlVersion(cmd?: string): undefined | VersionInfo {
+  if (cachedCodeQlVersion !== undefined) {
+    return cachedCodeQlVersion;
+  }
+  // Fall back to the value persisted by an earlier Actions step, if any. This is
+  // best-effort: any malformed or mismatched value is ignored so that the caller
+  // invokes `codeql version` instead.
+  const serialized = process.env[EnvVar.CODEQL_VERSION_INFO];
+  if (!serialized) {
+    return undefined;
+  }
+  let persisted: unknown;
+  try {
+    persisted = JSON.parse(serialized);
+  } catch {
+    return undefined;
+  }
+  if (
+    !isPersistedVersionInfo(persisted) ||
+    (cmd !== undefined && persisted.cmd !== cmd)
+  ) {
+    return undefined;
+  }
+  // Memoize the parsed value so that subsequent calls in this process don't
+  // re-parse the environment variable.
+  cachedCodeQlVersion = persisted.version;
  return cachedCodeQlVersion;
 }
Author	SHA1	Message	Date
github-actions[bot]	8aeff0ffb7	Update changelog for v4.36.2	2026-06-04 11:17:27 +00:00
Henry Mercer	dcb947ce15	Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6 Update default bundle to 2.25.6	2026-06-04 10:56:27 +00:00
github-actions[bot]	c251bcefa1	Add changelog note	2026-06-04 10:43:06 +00:00
github-actions[bot]	62953c18b3	Update default bundle to codeql-bundle-v2.25.6	2026-06-04 10:42:59 +00:00
Henry Mercer	423b570baf	Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a028b Bump the npm-minor group across 1 directory with 2 updates	2026-06-04 10:38:05 +00:00
Henry Mercer	c35d1b1644	Merge pull request #3947 from github/dependabot/github_actions/dot-github/workflows/actions-minor-3d0b6ad432 Bump ruby/setup-ruby from 1.307.0 to 1.310.0 in /.github/workflows in the actions-minor group across 1 directory	2026-06-04 10:10:18 +00:00
Robert	cb1a588b02	Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff Change waitForProcessing to use exponential backoff	2026-06-04 10:06:49 +00:00
Henry Mercer	ba47406412	Merge pull request #3943 from github/henrymercer/cache-cli-version-info Cache CLI version information across Actions steps	2026-06-04 09:58:34 +00:00
Henry Mercer	5be8119767	Merge pull request #3938 from github/henrymercer/git-client-feature-flag Add FF to force JGit-based Git backend	2026-06-04 09:58:15 +00:00
Robert	6047ac775f	Merge branch 'main' into robertbrignull/waitForProcessing_backoff	2026-06-04 10:35:04 +01:00
github-actions[bot]	af7b8f37ea	Rebuild	2026-06-04 02:43:57 +00:00
dependabot[bot]	3569f75599	Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/6aaa311d81eba98ae12eaffbcb63296ace0efcde...afeafc3d1ab54a631816aba4c914a0081c12ff2f) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.310.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-04 02:42:04 +00:00
github-actions[bot]	acb38f7265	Rebuild	2026-06-04 02:40:00 +00:00
dependabot[bot]	dd9e36c0d3	Bump the npm-minor group across 1 directory with 2 updates Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `semver` from 7.8.0 to 7.8.1 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.8.0...v7.8.1) Updates `typescript-eslint` from 8.59.4 to 8.60.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.60.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-04 02:38:09 +00:00
Henry Mercer	5ccef82244	Address review comments	2026-06-03 18:31:11 +01:00
Henry Mercer	bab673d0e0	Cache CLI version information across Actions steps	2026-06-02 19:27:05 +01:00
Robert	d40e417f3c	Only do initial wait when not running tests	2026-06-01 16:43:42 +01:00
Henry Mercer	948a63aed1	Add FF to force JGit-based Git backend	2026-06-01 15:20:13 +01:00
Robert	dfc14113e3	Change waitForProcessing to use exponential backoff	2026-05-28 11:15:07 +01:00