v2.11.3

@codeql-ci codeql-ci released this 11 Nov 12:19
· 78 commits to main since this release
9223ad3

Breaking changes

  • The codeql pack ls --format json deep plumbing command now returns only the name and version properties for each found pack.

Potentially breaking changes

  • codeql pack download, codeql pack install, and codeql pack add will ignore CodeQL packs with pre-release versions, unless the --allow-prerelease option is passed to the command. This brings these commands into alignment with codeql pack publish, which avoids publishing CodeQL packs with pre-release versions unless the --allow-prerelease option is specified.

Deprecations

  • The --[no-]fast-compilation option to codeql query compile is now deprecated.

New features

  • codeql resolve files and codeql database index-files have a new --find-any option, which finds at most one match.

Miscellaneous

  • The build of Apache Commons Text that is bundled with the CodeQL CLI has been updated to version 1.10.0. While previous releases shipped with version 1.6 of the library, no part of the CodeQL CLI references the StringSubstitutor class that the recently disclosed CVE-2022-42889 vulnerability applies to. We therefore do not believe that running previous releases of CodeQL exposes users to this vulnerability.
  • The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.5.
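
The Commons Text item above rests on a "no code references the affected class" argument. The following added example (not part of the release notes or of the CodeQL CLI) shows one way to run the same kind of check against a jar you ship yourself, by scanning class files for the StringSubstitutor name; the function names, the com/example entries and the in-memory sample jar are constructed for illustration.

```python
import io
import zipfile

# Class name as stored in a .class constant pool (slashes) and as it would
# appear in a reflective lookup string (dots).
TARGET = b"org/apache/commons/text/StringSubstitutor"
NEEDLES = (TARGET, TARGET.replace(b"/", b"."))
LIBRARY_PREFIX = "org/apache/commons/text/"  # the library's own classes


def find_references(jar_bytes, max_depth=3):
    """Return sorted paths of class files outside Commons Text that mention
    StringSubstitutor, descending into nested jars up to max_depth levels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if name.endswith(".class"):
                if name.startswith(LIBRARY_PREFIX):
                    continue  # skip the library's own classes
                data = jar.read(info)
                if any(needle in data for needle in NEEDLES):
                    hits.append(name)
            elif name.endswith(".jar") and max_depth > 0:
                nested = find_references(jar.read(info), max_depth - 1)
                hits.extend(f"{name}!/{hit}" for hit in nested)
    return sorted(hits)


def _make_jar(entries):
    """Build a jar (zip) in memory from a {entry name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Constructed sample: stand-in bytes, not real compiled classes."""
    magic = b"\xca\xfe\xba\xbe"
    inner = _make_jar({
        "org/apache/commons/text/StringSubstitutor.class": magic + TARGET,
        "com/example/Templater.class": magic + b"\x00" + TARGET + b"\x00replace",
        "com/example/Clean.class": magic + b"java/lang/String",
    })
    return _make_jar({"lib/app.jar": inner, "com/example/Main.class": magic})


if __name__ == "__main__":
    print(find_references(build_sample()))
```

An empty result narrows the question but does not settle it: shaded or relocated copies of the library and class names assembled at run time are not matched by this scan.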

For more information about the changes included in this release, see the CodeQL CLI changelog.

You can download either the codeql-PLATFORM.zip for your platform, or the generic codeql.zip which contains binaries for all supported platforms. Please ignore the additional "source code" downloads below the .zip artifacts.

This release is compatible with the CodeQL language packs from github/codeql@codeql-cli/v2.11.3.