Merge pull request #3115 from github/dependabot/npm_and_yarn/npm-75b7851ed5

Bump uuid from 12.0.0 to 13.0.0 in the npm group

.github/codeql/codeql-actions-config.yml

@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality

.github/codeql/codeql-config-javascript.yml

@@ -7,9 +7,9 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
+  - uses: security-and-quality
   - uses: security-experimental
   - uses: security-extended
-  - uses: security-and-quality
 paths-ignore:
-  - tests
   - lib
+  - tests

.github/workflows/__go-tracing-autobuilder.yml

@@ -63,6 +63,10 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -63,6 +63,10 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -63,6 +63,10 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__multi-language-autodetect.yml

@@ -63,6 +63,10 @@ jobs:
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
           - os: macos-latest
             version: default
           - os: ubuntu-latest

.github/workflows/codeql.yml

@@ -95,7 +95,7 @@ jobs:
       id: init
       with:
         languages: javascript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config-javascript.yml
         tools: ${{ matrix.tools }}
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
@@ -107,13 +107,17 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:javascript"
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
 
-
-  analyze-actions:
+  analyze-other:
     runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: python
 
     permissions:
       contents: read
@@ -125,32 +129,15 @@ jobs:
     - name: Initialize CodeQL
       uses: ./init
       with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
+        languages: ${{ matrix.language }}
+        build-mode: none
+        config: >
+          paths-ignore:
+            - lib
+            - tests
+          queries:
+            - uses: security-and-quality
     - name: Perform CodeQL Analysis
       uses: ./analyze
       with:
-        category: "/language:actions"
-
-  analyze-python:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-      - name: Initialize CodeQL
-        uses: ./init
-        with:
-          languages: python
-          config-file: ./.github/codeql/codeql-actions-config.yml
-      - name: Perform CodeQL Analysis
-        uses: ./analyze
-        with:
-          category: "/language:python"
+        category: "/language:${{ matrix.language }}"

lib/analyze-action-post.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",

lib/analyze-action.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -91683,7 +91683,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -91692,7 +91692,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -91704,11 +91704,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();

lib/autobuild-action.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",

lib/init-action-post.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -129626,7 +129626,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -129635,7 +129635,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -129647,11 +129647,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();

lib/init-action.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -81687,7 +81687,7 @@ var core13 = __toESM(require_core());
 var io6 = __toESM(require_io());
 var semver8 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -81696,7 +81696,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -81708,11 +81708,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
@@ -90679,7 +90679,7 @@ exec ${goBinaryPath} "$@"`
       logger.debug(
         `${"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */} is already set to '${process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]}', so the Action will not override it.`
       );
-    } else if (minimizeJavaJars && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
+    } else if (minimizeJavaJars && config.dependencyCachingEnabled && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
       core13.exportVariable(
         "CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */,
         "true"

lib/resolve-environment-action.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",

lib/start-proxy-action-post.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",

lib/start-proxy-action.js

@@ -45014,7 +45014,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",

lib/upload-lib.js

@@ -33632,7 +33632,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -89454,7 +89454,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -89463,7 +89463,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -89475,11 +89475,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();

lib/upload-sarif-action-post.js

@@ -26486,7 +26486,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",

lib/upload-sarif-action.js

@@ -32335,7 +32335,7 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^12.0.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
@@ -90155,7 +90155,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -90164,7 +90164,7 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/rng.js
+// node_modules/uuid/dist-node/rng.js
 var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
@@ -90176,11 +90176,11 @@ function rng() {
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/native.js
+// node_modules/uuid/dist-node/native.js
 var import_node_crypto2 = require("node:crypto");
 var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/v4.js
+// node_modules/uuid/dist-node/v4.js
 function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();

package-lock.json

@@ -34,7 +34,7 @@
         "node-forge": "^1.3.1",
         "octokit": "^5.0.3",
         "semver": "^7.7.2",
-        "uuid": "^12.0.0"
+        "uuid": "^13.0.0"
       },
       "devDependencies": {
         "@ava/typescript": "6.0.0",
@@ -9076,16 +9076,16 @@
       "license": "MIT"
     },
     "node_modules/uuid": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-12.0.0.tgz",
-      "integrity": "sha512-USe1zesMYh4fjCA8ZH5+X5WIVD0J4V1Jksm1bFTVBX2F/cwSXt0RO5w/3UXbdLKmZX65MiWV+hwhSS8p6oBTGA==",
+      "version": "13.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.0.tgz",
+      "integrity": "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
       ],
       "license": "MIT",
       "bin": {
-        "uuid": "dist/bin/uuid"
+        "uuid": "dist-node/bin/uuid"
       }
     },
     "node_modules/webidl-conversions": {

package.json

@@ -48,7 +48,7 @@
     "node-forge": "^1.3.1",
     "octokit": "^5.0.3",
     "semver": "^7.7.2",
-    "uuid": "^12.0.0"
+    "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",

pr-checks/sync.py

@@ -1,9 +1,8 @@
 #!/usr/bin/env python
 
 import ruamel.yaml
-from ruamel.yaml.scalarstring import FoldedScalarString, SingleQuotedScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString
 import pathlib
-import textwrap
 import os
 
 # The default set of CodeQL Bundle versions to use for the PR checks.
@@ -18,6 +17,8 @@ defaultTestVersions = [
     "stable-v2.20.7",
     # The last CodeQL release in the 2.21 series.
     "stable-v2.21.4",
+    # The last CodeQL release in the 2.22 series.
+    "stable-v2.22.4",
     # The default version of CodeQL for Dotcom, as determined by feature flags.
     "default",
     # The version of CodeQL shipped with the Action in `defaults.json`. During the release process

src/init-action.ts

@@ -608,13 +608,17 @@ async function run() {
 
     // If the feature flag to minimize Java dependency jars is enabled, and we are doing a Java
     // `build-mode: none` analysis (i.e. the flag is relevant), then set the environment variable
-    // that enables the corresponding option in the Java extractor.
+    // that enables the corresponding option in the Java extractor. We also only do this if
+    // dependency caching is enabled, since the option is intended to reduce the size of
+    // dependency caches, but the jar-rewriting does have a performance cost that we'd like to avoid
+    // when caching is not being used.
     if (process.env[EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS]) {
       logger.debug(
         `${EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS} is already set to '${process.env[EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS]}', so the Action will not override it.`,
       );
     } else if (
       minimizeJavaJars &&
+      config.dependencyCachingEnabled &&
       config.buildMode === BuildMode.None &&
       config.languages.includes(KnownLanguage.java)
     ) {