Bump github/codeql-action from 3.28.18 to 3.28.19 #132

dependabot · 2025-06-03T14:12:23Z

Bumps github/codeql-action from 3.28.18 to 3.28.19.

Release notes

Sourced from github/codeql-action's releases.

v3.28.19

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.19 - 03 Jun 2025

The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview. The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable actions analysis.

Update default CodeQL bundle version to 2.21.4. #2910

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.19 - 03 Jun 2025

The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview. The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable actions analysis.

Update default CodeQL bundle version to 2.21.4. #2910

3.28.18 - 16 May 2025

Update default CodeQL bundle version to 2.21.3. #2893

Skip validating SARIF produced by CodeQL for improved performance. #2894

The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #2891

3.28.17 - 02 May 2025

Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.

Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

Update default CodeQL bundle version to 2.20.6. #2793

... (truncated)

Commits

fca7ace Merge pull request #2918 from github/update-v3.28.19-4a00331d4
1dcd2be Update changelog for v3.28.19
4a00331 Merge pull request #2910 from github/update-bundle/codeql-bundle-v2.21.4
c0a821d Add changelog note
d621686 Update default bundle to codeql-bundle-v2.21.4
dc138d4 Merge pull request #2913 from github/henrymercer/win-2019-deprecated
3201e46 Stop running CI on windows-2019
7fd6215 Merge pull request #2911 from github/update-supported-enterprise-server-versions
31eae5e Update supported GitHub Enterprise Server versions
bc02a25 Merge pull request #2908 from github/henrymercer/dependabot
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands an 8000 d options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.18 to 3.28.19. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ff0a06e...fca7ace) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.28.19 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2025-06-03T14:12:40Z

👋 Thanks for opening a pull request! I try to review this repo at least once a week.

…on-3.28.19

github-actions · 2025-06-08T18:24:39Z

Deleted: /tmp/prior-commit/actions-extractor/tools/autobuild.sh [🟡 MEDIUM]

RISK	KEY	DESCRIPTION	EVIDENCE
-MEDIUM	exec/shell/exec	executes shell	/bin/sh

Deleted: /tmp/prior-commit/node_modules/@octokit/webhooks/dist-src/middleware/web/on-unhandled-request-default.js [🔵 LOW]

RISK	KEY	DESCRIPTION	EVIDENCE
-LOW	data/encoding/json_encode	encodes JSON	JSON.stringify

Deleted: /tmp/prior-commit/actions-extractor/tools/autobuild.cmd [🟡 MEDIUM]

RISK	KEY	DESCRIPTION	EVIDENCE
-MEDIUM	exec/shell/power	runs powershell scripts	powershell

Added: /tmp/current-commit/node_modules/@octokit/webhooks/dist-src/middleware/create-middleware.js [🟡 MEDIUM]

RISK	KEY	DESCRIPTION	EVIDENCE
+MEDIUM	net/http/form_upload	upload content via HTTP form	application/json POST
+MEDIUM	net/http/post	submits content to websites	Content-Type POST http
+MEDIUM	net/http/webhook	supports webhooks	octokitWebhooksMiddleware processWebhook webhooks
+LOW	data/encoding/json_encode	encodes JSON	JSON.stringify
+LOW	net/http	Uses the HTTP protocol	http
+LOW	net/url/embedded	contains embedded HTTP URLs	http://localhost
+LOW	net/url/parse	Handles URL strings	new URL

Changed (20 added, 0 removed): /tmp/current-commit/node_modules/prettier/plugins/flow.js [🔵 → 🛑 HIGH]

20 new behaviors

RISK	KEY	DESCRIPTION	EVIDENCE
+HIGH	anti-static/obfuscation/bitwise	uses an excessive amount of unsigned bitwise math	function( charAt(t charAt(c charAt(W r>>>12 v>>>32 r>>>16 r>>>17 x>>>19 v>>>12 v>>>18 r>>>18 x>>>24 x>>>16 c>>>0 m>>>0 r>>>6 v>>>6 k>>>0 c>>>6 a>>>6 j>>>6 e>>>0 t>>>0 v>>>0 a>>>0 i>>>0 u>>>0 h>>>3 l>>>0 r>>>0 b>>>0 x>>>0 n>>>0 o>>>0 j>>>0 h>>>0 o>>>1 i>>>1 i>>>8
+MEDIUM	anti-static/obfuscation/hex	many references to hexadecimal values	0xd1342543 0xdaba0b6e \x00 \x7f \xff \xEF \xBF \xBD \x07 \x1B
+MEDIUM	anti-static/obfuscation/js	high entropy javascript (>5.37) that uses charAt/substr/join loops	function( substr( charAt( join( for(
+MEDIUM	anti-static/obfuscation/math	suspicious junk math	var dq=1000000010; charAt (e+1) (t+1) (t+2) (T+1) (h+1) (v+1) (i+1) (c+1) (r+1)
+MEDIUM	anti-static/obfuscation/strtoi	complex math and string to integer conversion	4294967295Math r^4294967295 5072014e-324 u-56613888 i-63447168 parseInt width10 t-925824 case-12 prec*10 case-11 t-12416 64-bit dt-124 ox-38 s0-81 Sa-60 F-92 c-34 24-x x-48 48-x x-24 10+u x-55 x-87 u+64 x-32 32-m 64-K e-80 x-66 x-79 x-35 64-t b-99 t-68 h-17 T-73 r-62 e-15 h-82 e-50 v-54 t-49
+MEDIUM	anti-static/obfuscation/utf16	complex math and utf16 code unit conversion	4294967295Math fromCharCode 5072014e-324 r^4294967295 i-63447168 u-56613888 width10 t-925824 prec*10 case-11 case-12 t-12416 dt-124 64-bit s0-81 Sa-60 ox-38 x-79 x-24 x-48 x-55 x-87 u+64 64-t 32-m x-32 c-34 e-80 x-66 x-35 F-92 64-K 24-x b-99 t-68 h-17 T-73 r-62 e-15 h-82 e-50 v-54 t-49 10+u 48-x
+MEDIUM	data/encoding/utf16	assembles strings from UTF-16 code units	[=String.fromCharCode(LD
+MEDIUM	discover/system/platform	get system identification	process.platform process.versions
+MEDIUM	fs/path/dev	path reference within /dev	/dev/stdin
+LOW	anti-behavior/random_behavior	uses a random number generator	getRandomValues randomBytes
+LOW	crypto/public_key	references a 'public key'	PublicKey
+LOW	data/encoding/int	parses integers	parseInt(
+LOW	exec/plugin	references a 'plugin'	prettierPlugins
+LOW	fs/directory/create	creates directories	mkdir
+LOW	fs/directory/list	Uses NodeJS functions to list a directory	.readdirSync(
+LOW	fs/directory/remove	Uses libc functions to remove directories	rmdir
+LOW	fs/file/delete	deletes files	unlink
+LOW	fs/file/stat	access filesystem metadata	fs.statSync(this.nm(x)).isDirectory() fs.statSync(this.nm(x)).isFile()
+LOW	fs/link_read	read value of a symbolic link	readlink
+LOW	fs/tempdir	looks up location of temp directory	TMPDIR

Changed (0 added, 1 removed): /tmp/current-commit/node_modules/es-abstract/2024/ToUint8Clamp.js [🛑 HIGH → 🔵 LOW]

1 removed behavior

RISK	KEY	DESCRIPTION	EVIDENCE
-HIGH	anti-static/obfuscation/js	javascript function obfuscation (hex)	return 0xFF

Moved: /tmp/prior-commit/node_modules/@octokit/webhooks/dist-types/middleware/node/middleware.d.ts -> /tmp/current-commit/node_modules/@octokit/webhooks/dist-types/middleware/create-middleware.d.ts (similarity: 0.92)

1 removed behavior

RISK	KEY	DESCRIPTION	EVIDENCE
-LOW	net/http	Uses the HTTP protocol	http

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 3, 2025

some-natalie added 2 commits June 6, 2025 16:39

Merge branch 'main' into dependabot/github_actions/github/codeql-acti…

f98262d

…on-3.28.19

Merge branch 'main' into dependabot/github_actions/github/codeql-acti…

7a09b10

…on-3.28.19

some-natalie merged commit af062b3 into main Jun 8, 2025
8 checks passed

some-natalie deleted the dependabot/github_actions/github/codeql-action-3.28.19 branch June 8, 2025 18:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump github/codeql-action from 3.28.18 to 3.28.19 #132

Bump github/codeql-action from 3.28.18 to 3.28.19 #132

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Bump github/codeql-action from 3.28.18 to 3.28.19 #132

Bump github/codeql-action from 3.28.18 to 3.28.19 #132

Uh oh!

Conversation

v3.28.19

CodeQL Action Changelog

3.28.19 - 03 Jun 2025

CodeQL Action Changelog

[UNRELEASED]

3.28.19 - 03 Jun 2025

3.28.18 - 16 May 2025

3.28.17 - 02 May 2025

3.28.16 - 23 Apr 2025

3.28.15 - 07 Apr 2025

3.28.14 - 07 Apr 2025

3.28.13 - 24 Mar 2025

3.28.12 - 19 Mar 2025

3.28.11 - 07 Mar 2025

Uh oh!

Uh oh!

Deleted: /tmp/prior-commit/actions-extractor/tools/autobuild.sh [🟡 MEDIUM]

Deleted: /tmp/prior-commit/node_modules/@octokit/webhooks/dist-src/middleware/web/on-unhandled-request-default.js [🔵 LOW]

Deleted: /tmp/prior-commit/actions-extractor/tools/autobuild.cmd [🟡 MEDIUM]

Added: /tmp/current-commit/node_modules/@octokit/webhooks/dist-src/middleware/create-middleware.js [🟡 MEDIUM]

Changed (20 added, 0 removed): /tmp/current-commit/node_modules/prettier/plugins/flow.js [🔵 → 🛑 HIGH]

20 new behaviors

Changed (0 added, 1 removed): /tmp/current-commit/node_modules/es-abstract/2024/ToUint8Clamp.js [🛑 HIGH → 🔵 LOW]

1 removed behavior

Moved: /tmp/prior-commit/node_modules/@octokit/webhooks/dist-types/middleware/node/middleware.d.ts -> /tmp/current-commit/node_modules/@octokit/webhooks/dist-types/middleware/create-middleware.d.ts (similarity: 0.92)

1 removed behavior

Uh oh!

Uh oh!

Uh oh!