Move conversion of PR diff-range paths to absolute paths

Bump the npm-minor group with 4 updates

.github/workflows/script/bundle_changelog.py

@@ -0,0 +1,18 @@
+import os
+import re
+
+# Get the PR number from the PR URL.
+pr_number = os.environ['PR_URL'].split('/')[-1]
+changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+with open('CHANGELOG.md', 'r') as f:
+    changelog = f.read()
+
+changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+# Add the changelog note to the bottom of the "[UNRELEASED]" section.
+changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+with open('CHANGELOG.md', 'w') as f:
+    f.write(changelog)

.github/workflows/update-bundle.yml

@@ -40,6 +40,11 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
       - name: Set up Node.js
         uses: actions/setup-node@v6
         with:
@@ -78,28 +83,8 @@ jobs:
           echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
 
       - name: Create changelog note
-        shell: python
         run: |
-          import os
+          python .github/workflows/script/bundle_changelog.py
-          import re
-
-          # Get the PR number from the PR URL.
-          pr_number = os.environ['PR_URL'].split('/')[-1]
-          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-          # Use perl to avoid having to escape the newline character.
-
-          with open('CHANGELOG.md', 'r') as f:
-              changelog = f.read()
-
-          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
-          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-          with open('CHANGELOG.md', 'w') as f:
-              f.write(changelog)
 
       - name: Push changelog note
         run: |

CHANGELOG.md

@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-- Update default CodeQL bundle version to 2.23.4. [#3276](https://github.com/github/codeql-action/pull/3276)
+- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
 
 ## 4.31.2 - 30 Oct 2025
 

eslint.config.mjs

@@ -12,6 +12,7 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
+import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -52,6 +53,7 @@ export default [
       github: fixupPluginRules(github),
       import: fixupPluginRules(_import),
       "no-async-foreach": noAsyncForeach,
+      "jsdoc": jsdoc,
     },
 
     languageOptions: {
@@ -133,6 +135,16 @@ export default [
       "@typescript-eslint/no-shadow": "error",
       "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
+
+      // Check param names to ensure that we don't have outdated JSDocs.
+      "jsdoc/check-param-names": [
+        "error",
+        {
+          // We don't currently require full JSDoc coverage, so this rule
+          // should not error on missing @param annotations.
+          disableMissingParamChecks: true,
+        }
+      ],
     },
   },
   {

lib/analyze-action-post.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -119955,12 +119956,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/analyze-action.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -87413,14 +87414,14 @@ async function checkDiskUsage(logger) {
   }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
   !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
     if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
       semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
     )) {
       core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
       );
       core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
     }
@@ -88203,8 +88204,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var crypto = __toESM(require("crypto"));
@@ -88684,12 +88685,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -89187,14 +89182,13 @@ Error Response: ${JSON.stringify(error4.response, null, 2)}`
   }
 }
 function getDiffRanges(fileDiff, logger) {
-  const filename = path5.join(getRequiredInput("checkout_path"), fileDiff.filename).replaceAll(path5.sep, "/");
   if (fileDiff.patch === void 0) {
     if (fileDiff.changes === 0) {
       return [];
     }
     return [
       {
-        path: filename,
+        path: fileDiff.filename,
         startLine: 0,
         endLine: 0
       }
@@ -89218,7 +89212,7 @@ function getDiffRanges(fileDiff, logger) {
     }
     if (additionRangeStartLine !== void 0) {
       diffRanges.push({
-        path: filename,
+        path: fileDiff.filename,
         startLine: additionRangeStartLine,
         endLine: currentLine - 1
       });
@@ -91329,6 +91323,25 @@ async function setupDiffInformedQueryRun(branches, logger) {
     }
   );
 }
+function diffRangeExtensionPackContents(ranges) {
+  const header = `
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+`;
+  let data = ranges.map((range) => {
+    const filename = path12.join(getRequiredInput("checkout_path"), range.path).replaceAll(path12.sep, "/");
+    return `      - [${dump(filename, { forceQuotes: true }).trim()}, ${range.startLine}, ${range.endLine}]
+`;
+  }).join("");
+  if (!data) {
+    data = '      - ["", 0, 0]\n';
+  }
+  return header + data;
+}
 function writeDiffRangeDataExtensionPack(logger, ranges) {
   if (ranges === void 0) {
     return void 0;
@@ -91350,27 +91363,7 @@ dataExtensions:
   - pr-diff-range.yml
 `
   );
-  const header = `
+  const extensionContents = diffRangeExtensionPackContents(ranges);
-extensions:
-  - addsTo:
-      pack: codeql/util
-      extensible: restrictAlertsTo
-      checkPresence: false
-    data:
-`;
-  let data = ranges.map(
-    (range) => (
-      // Using yaml.dump() with `forceQuotes: true` ensures that all special
-      // characters are escaped, and that the path is always rendered as a
-      // quoted string on a single line.
-      `      - [${dump(range.path, { forceQuotes: true }).trim()}, ${range.startLine}, ${range.endLine}]
-`
-    )
-  ).join("");
-  if (!data) {
-    data = '      - ["", 0, 0]\n';
-  }
-  const extensionContents = header + data;
   const extensionFilePath = path12.join(diffRangeDir, "pr-diff-range.yml");
   fs12.writeFileSync(extensionFilePath, extensionContents);
   logger.debug(
@@ -93653,7 +93646,6 @@ function filterAlertsByDiffRange(logger, sarif) {
   if (!diffRanges?.length) {
     return sarif;
   }
-  const checkoutPath = getRequiredInput("checkout_path");
   for (const run2 of sarif.runs) {
     if (run2.results) {
       run2.results = run2.results.filter((result) => {
@@ -93667,9 +93659,8 @@ function filterAlertsByDiffRange(logger, sarif) {
           if (!locationUri || locationStartLine === void 0) {
             return false;
           }
-          const locationPath = path14.join(checkoutPath, locationUri).replaceAll(path14.sep, "/");
           return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
           );
         });
       });

lib/autobuild-action.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -83157,14 +83158,14 @@ async function checkDiskUsage(logger) {
   }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
   !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
     if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
       semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
     )) {
       core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
       );
       core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
     }
@@ -83699,8 +83700,8 @@ var path3 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -84004,12 +84005,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.4",
+  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.4",
+  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.3"
+  "priorCliVersion": "2.23.2"
 }

lib/init-action-post.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -90451,8 +90452,8 @@ var require_primordials = __commonJS({
       ArrayPrototypeIndexOf(self2, el) {
         return self2.indexOf(el);
       },
-      ArrayPrototypeJoin(self2, sep4) {
+      ArrayPrototypeJoin(self2, sep3) {
-        return self2.join(sep4);
+        return self2.join(sep3);
       },
       ArrayPrototypeMap(self2, fn) {
         return self2.map(fn);
@@ -102339,7 +102340,7 @@ var require_commonjs16 = __commonJS({
        *
        * @internal
        */
-      constructor(cwd = process.cwd(), pathImpl, sep4, { nocase, childrenCacheSize = 16 * 1024, fs: fs17 = defaultFS } = {}) {
+      constructor(cwd = process.cwd(), pathImpl, sep3, { nocase, childrenCacheSize = 16 * 1024, fs: fs17 = defaultFS } = {}) {
         this.#fs = fsFromOption(fs17);
         if (cwd instanceof URL || cwd.startsWith("file://")) {
           cwd = (0, node_url_1.fileURLToPath)(cwd);
@@ -102350,7 +102351,7 @@ var require_commonjs16 = __commonJS({
         this.#resolveCache = new ResolveCache();
         this.#resolvePosixCache = new ResolveCache();
         this.#children = new ChildrenCache(childrenCacheSize);
-        const split = cwdPath.substring(this.rootPath.length).split(sep4);
+        const split = cwdPath.substring(this.rootPath.length).split(sep3);
         if (split.length === 1 && !split[0]) {
           split.pop();
         }
@@ -122973,8 +122974,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
@@ -123336,12 +123337,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -127565,7 +127560,6 @@ function filterAlertsByDiffRange(logger, sarif) {
   if (!diffRanges?.length) {
     return sarif;
   }
-  const checkoutPath = getRequiredInput("checkout_path");
   for (const run2 of sarif.runs) {
     if (run2.results) {
       run2.results = run2.results.filter((result) => {
@@ -127579,9 +127573,8 @@ function filterAlertsByDiffRange(logger, sarif) {
           if (!locationUri || locationStartLine === void 0) {
             return false;
           }
-          const locationPath = path13.join(checkoutPath, locationUri).replaceAll(path13.sep, "/");
           return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
           );
         });
       });

lib/init-action.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -84734,14 +84735,14 @@ async function checkDiskUsage(logger) {
   }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
   !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
     if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
       semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
     )) {
       core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
       );
       core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
     }
@@ -85627,8 +85628,8 @@ var path5 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var crypto = __toESM(require("crypto"));
@@ -86098,12 +86099,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -86649,10 +86644,9 @@ async function cachePrefix(codeql, language) {
 }
 
 // src/config-utils.ts
-async function getSupportedLanguageMap(codeql, features, logger) {
+async function getSupportedLanguageMap(codeql, logger) {
-  const resolveSupportedLanguagesUsingCli = await features.getValue(
+  const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
-    "resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */,
+    "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-    codeql
   );
   const resolveResult = await codeql.betterResolveLanguages({
     filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli
@@ -86700,14 +86694,14 @@ async function getRawLanguagesInRepo(repository, sourceRoot, logger) {
   logger.debug(`Raw languages in repository: ${result.join(", ")}`);
   return result;
 }
-async function getLanguages(codeql, languagesInput, repository, sourceRoot, features, logger) {
+async function getLanguages(codeql, languagesInput, repository, sourceRoot, logger) {
   const { rawLanguages, autodetected } = await getRawLanguages(
     languagesInput,
     repository,
     sourceRoot,
     logger
   );
-  const languageMap = await getSupportedLanguageMap(codeql, features, logger);
+  const languageMap = await getSupportedLanguageMap(codeql, logger);
   const languagesSet = /* @__PURE__ */ new Set();
   const unknownLanguages = [];
   for (const language of rawLanguages) {
@@ -86773,7 +86767,6 @@ async function initActionState({
     languagesInput,
     repository,
     sourceRoot,
-    features,
     logger
   );
   const buildMode = await parseBuildModeInput(

lib/resolve-environment-action.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -83169,14 +83170,14 @@ async function checkDiskUsage(logger) {
   }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
   !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
     if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
       semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
     )) {
       core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
       );
       core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
     }
@@ -83995,12 +83996,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/setup-codeql-action.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -83245,14 +83246,14 @@ async function checkDiskUsage(logger) {
   }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
   !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
     if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
       semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
     )) {
       core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
       );
       core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
     }
@@ -83587,8 +83588,8 @@ var path4 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
@@ -83904,12 +83905,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/start-proxy-action-post.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -119361,12 +119362,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/start-proxy-action.js

@@ -47338,7 +47338,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -47348,15 +47348,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -99682,8 +99683,8 @@ function getActionsLogger() {
 var core7 = __toESM(require_core());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/languages.ts
 var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {
@@ -100023,12 +100024,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/upload-lib.js

@@ -28977,7 +28977,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -28987,15 +28987,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -83219,6 +83220,7 @@ var upload_lib_exports = {};
 __export(upload_lib_exports, {
   InvalidSarifUploadError: () => InvalidSarifUploadError,
   buildPayload: () => buildPayload,
+  filterAlertsByDiffRange: () => filterAlertsByDiffRange,
   findSarifFilesInDir: () => findSarifFilesInDir,
   getGroupedSarifFilePaths: () => getGroupedSarifFilePaths,
   getSarifFilePaths: () => getSarifFilePaths,
@@ -86723,8 +86725,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
@@ -87061,12 +87063,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -90620,7 +90616,6 @@ function filterAlertsByDiffRange(logger, sarif) {
   if (!diffRanges?.length) {
     return sarif;
   }
-  const checkoutPath = getRequiredInput("checkout_path");
   for (const run of sarif.runs) {
     if (run.results) {
       run.results = run.results.filter((result) => {
@@ -90634,9 +90629,8 @@ function filterAlertsByDiffRange(logger, sarif) {
           if (!locationUri || locationStartLine === void 0) {
             return false;
           }
-          const locationPath = path10.join(checkoutPath, locationUri).replaceAll(path10.sep, "/");
           return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
           );
         });
       });
@@ -90648,6 +90642,7 @@ function filterAlertsByDiffRange(logger, sarif) {
 0 && (module.exports = {
   InvalidSarifUploadError,
   buildPayload,
+  filterAlertsByDiffRange,
   findSarifFilesInDir,
   getGroupedSarifFilePaths,
   getSarifFilePaths,

lib/upload-sarif-action-post.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -119527,12 +119528,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

lib/upload-sarif-action.js

@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.1",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
         "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         glob: "^11.0.3",
         nock: "^14.0.10",
@@ -86065,14 +86066,14 @@ async function checkDiskUsage(logger) {
   }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
   !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
     if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
       semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
     )) {
       core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
       );
       core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
     }
@@ -86503,8 +86504,8 @@ var path4 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.4";
+var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.4";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
@@ -86854,12 +86855,6 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -91090,7 +91085,6 @@ function filterAlertsByDiffRange(logger, sarif) {
   if (!diffRanges?.length) {
     return sarif;
   }
-  const checkoutPath = getRequiredInput("checkout_path");
   for (const run2 of sarif.runs) {
     if (run2.results) {
       run2.results = run2.results.filter((result) => {
@@ -91104,9 +91098,8 @@ function filterAlertsByDiffRange(logger, sarif) {
           if (!locationUri || locationStartLine === void 0) {
             return false;
           }
-          const locationPath = path11.join(checkoutPath, locationUri).replaceAll(path11.sep, "/");
           return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
           );
         });
       });

package.json

@@ -53,7 +53,7 @@
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.4.1",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.0",
+    "@eslint/js": "^9.39.1",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
     "@types/archiver": "^7.0.0",
@@ -63,15 +63,16 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.3",
+    "@typescript-eslint/eslint-plugin": "^8.46.4",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.25.12",
+    "esbuild": "^0.27.0",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
+    "eslint-plugin-jsdoc": "^61.1.12",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.0.3",
     "nock": "^14.0.10",

src/analyze.test.ts

@@ -4,12 +4,14 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";
 
+import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
   runQueries,
   defaultSuites,
   resolveQuerySuiteAlias,
   addSarifExtension,
+  diffRangeExtensionPackContents,
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
@@ -158,3 +160,23 @@ test("addSarifExtension", (t) => {
     );
   }
 });
+
+test("diffRangeExtensionPackContents", (t) => {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  const output = diffRangeExtensionPackContents([
+    {
+      path: "main.js",
+      startLine: 10,
+      endLine: 20,
+    },
+  ]);
+
+  const expected = fs.readFileSync(
+    `${__dirname}/../src/testdata/pr-diff-range.yml`,
+    "utf8",
+  );
+  t.deepEqual(output, expected);
+});

src/analyze.ts

@@ -5,7 +5,11 @@ import { performance } from "perf_hooks";
 import * as io from "@actions/io";
 import * as yaml from "js-yaml";
 
-import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
+import {
+  getTemporaryDirectory,
+  getRequiredInput,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
@@ -38,89 +42,26 @@ export class CodeQLAnalysisError extends Error {
   }
 }
 
-export interface QueriesStatusReport {
+type KnownLanguageKey = keyof typeof KnownLanguage;
-  /**
-   * Time taken in ms to run queries for actions (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_actions_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for cpp (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_cpp_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for csharp (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_csharp_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for go (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_go_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for java (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_java_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for javascript (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_javascript_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for python (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_python_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for ruby (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_ruby_duration_ms?: number;
-  /** Time taken in ms to run queries for swift (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_swift_duration_ms?: number;
 
-  /** Time taken in ms to interpret results for actions (or undefined if this language was not analyzed). */
+type RunQueriesDurationStatusReport = {
-  interpret_results_actions_duration_ms?: number;
+  /**
-  /** Time taken in ms to interpret results for cpp (or undefined if this language was not analyzed). */
+   * Time taken in ms to run queries for the language (or undefined if this language was not analyzed).
-  interpret_results_cpp_duration_ms?: number;
+   *
-  /** Time taken in ms to interpret results for csharp (or undefined if this language was not analyzed). */
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-  interpret_results_csharp_duration_ms?: number;
+   * taken to run _all_ the queries.
-  /** Time taken in ms to interpret results for go (or undefined if this language was not analyzed). */
+   */
-  interpret_results_go_duration_ms?: number;
+  [L in KnownLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
-  /** Time taken in ms to interpret results for java (or undefined if this language was not analyzed). */
+};
-  interpret_results_java_duration_ms?: number;
-  /** Time taken in ms to interpret results for javascript (or undefined if this language was not analyzed). */
-  interpret_results_javascript_duration_ms?: number;
-  /** Time taken in ms to interpret results for python (or undefined if this language was not analyzed). */
-  interpret_results_python_duration_ms?: number;
-  /** Time taken in ms to interpret results for ruby (or undefined if this language was not analyzed). */
-  interpret_results_ruby_duration_ms?: number;
-  /** Time taken in ms to interpret results for swift (or undefined if this language was not analyzed). */
-  interpret_results_swift_duration_ms?: number;
 
+type InterpretResultsDurationStatusReport = {
+  /** Time taken in ms to interpret results for the language (or undefined if this language was not analyzed). */
+  [L in KnownLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
+};
+
+export interface QueriesStatusReport
+  extends RunQueriesDurationStatusReport,
+    InterpretResultsDurationStatusReport {
   /**
    * Whether the analysis is diff-informed (in the sense that the action generates a diff-range data
    * extension for the analysis, regardless of whether the data extension is actually used by queries).
@@ -307,6 +248,45 @@ export async function setupDiffInformedQueryRun(
   );
 }
 
+export function diffRangeExtensionPackContents(
+  ranges: DiffThunkRange[],
+): string {
+  const header = `
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+`;
+
+  let data = ranges
+    .map((range) => {
+      // Diff-informed queries expect the file path to be absolute. CodeQL always
+      // uses forward slashes as the path separator, so on Windows we need to
+      // replace any backslashes with forward slashes.
+      const filename = path
+        .join(getRequiredInput("checkout_path"), range.path)
+        .replaceAll(path.sep, "/");
+
+      // Using yaml.dump() with `forceQuotes: true` ensures that all special
+      // characters are escaped, and that the path is always rendered as a
+      // quoted string on a single line.
+      return (
+        `      - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
+        `${range.startLine}, ${range.endLine}]\n`
+      );
+    })
+    .join("");
+  if (!data) {
+    // Ensure that the data extension is not empty, so that a pull request with
+    // no edited lines would exclude (instead of accepting) all alerts.
+    data = '      - ["", 0, 0]\n';
+  }
+
+  return header + data;
+}
+
 /**
  * Create an extension pack in the temporary directory that contains the file
  * line ranges that were added or modified in the pull request.
@@ -355,32 +335,7 @@ dataExtensions:
 `,
   );
 
-  const header = `
+  const extensionContents = diffRangeExtensionPackContents(ranges);
-extensions:
-  - addsTo:
-      pack: codeql/util
-      extensible: restrictAlertsTo
-      checkPresence: false
-    data:
-`;
-
-  let data = ranges
-    .map(
-      (range) =>
-        // Using yaml.dump() with `forceQuotes: true` ensures that all special
-        // characters are escaped, and that the path is always rendered as a
-        // quoted string on a single line.
-        `      - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
-        `${range.startLine}, ${range.endLine}]\n`,
-    )
-    .join("");
-  if (!data) {
-    // Ensure that the data extension is not empty, so that a pull request with
-    // no edited lines would exclude (instead of accepting) all alerts.
-    data = '      - ["", 0, 0]\n';
-  }
-
-  const extensionContents = header + data;
   const extensionFilePath = path.join(diffRangeDir, "pr-diff-range.yml");
   fs.writeFileSync(extensionFilePath, extensionContents);
   logger.debug(

src/codeql.ts

@@ -1071,8 +1071,11 @@ export async function getCodeQLForCmd(
 /**
  * Gets the options for `path` of `options` as an array of extra option strings.
  *
- * @param ignoringOptions Options that should be ignored, for example because they have already
+ * @param paths The CLI command components to get extra options for.
- *                        been passed and it is an error to pass them more than once.
+ * @param args Additional arguments for this function.
+ * @param args.ignoringOptions
+ *   Options that should be ignored, for example because they have already
+ *   been passed and it is an error to pass them more than once.
  */
 function getExtraOptionsFromEnv(
   paths: string[],
@@ -1154,8 +1157,9 @@ async function runCli(
 /**
  * Writes the code scanning configuration that is to be used by the CLI.
  *
- * @param codeql The CodeQL object to use.
+ * @param config The CodeQL Action state to write.
- * @param config The CodeQL Action state to use.
+ * @param logger The logger to use.
+ *
  * @returns The path to the generated user configuration file.
  */
 async function writeCodeScanningConfigFile(

src/config-utils.test.ts

@@ -873,71 +873,62 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
     expectedLanguages: ["javascript"],
   },
 ].forEach((args) => {
-  for (const resolveSupportedLanguagesUsingCli of [true, false]) {
+  test(`getLanguages: ${args.name}`, async (t) => {
-    test(`getLanguages${resolveSupportedLanguagesUsingCli ? " (supported languages via CLI)" : ""}: ${args.name}`, async (t) => {
+    const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
-      const features = createFeatures(
+    const stubExtractorEntry = {
-        resolveSupportedLanguagesUsingCli
+      extractor_root: "",
-          ? [Feature.ResolveSupportedLanguagesUsingCli]
+    };
-          : [],
+    const codeQL = createStubCodeQL({
-      );
+      betterResolveLanguages: (options) =>
-      const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
+        Promise.resolve({
-      const stubExtractorEntry = {
+          aliases: {
-        extractor_root: "",
+            "c#": KnownLanguage.csharp,
-      };
+            c: KnownLanguage.cpp,
-      const codeQL = createStubCodeQL({
+            kotlin: KnownLanguage.java,
-        betterResolveLanguages: (options) =>
+            typescript: KnownLanguage.javascript,
-          Promise.resolve({
+          },
-            aliases: {
+          extractors: {
-              "c#": KnownLanguage.csharp,
+            cpp: [stubExtractorEntry],
-              c: KnownLanguage.cpp,
+            csharp: [stubExtractorEntry],
-              kotlin: KnownLanguage.java,
+            java: [stubExtractorEntry],
-              typescript: KnownLanguage.javascript,
+            javascript: [stubExtractorEntry],
-            },
+            python: [stubExtractorEntry],
-            extractors: {
+            ...(options?.filterToLanguagesWithQueries
-              cpp: [stubExtractorEntry],
+              ? {}
-              csharp: [stubExtractorEntry],
+              : {
-              java: [stubExtractorEntry],
+                  html: [stubExtractorEntry],
-              javascript: [stubExtractorEntry],
+                }),
-              python: [stubExtractorEntry],
+          },
-              ...(options?.filterToLanguagesWithQueries
+        }),
-                ? {}
-                : {
-                    html: [stubExtractorEntry],
-                  }),
-            },
-          }),
-      });
-
-      if (args.expectedLanguages) {
-        // happy path
-        const actualLanguages = await configUtils.getLanguages(
-          codeQL,
-          args.languagesInput,
-          mockRepositoryNwo,
-          ".",
-          features,
-          mockLogger,
-        );
-
-        t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
-      } else {
-        // there is an error
-        await t.throwsAsync(
-          async () =>
-            await configUtils.getLanguages(
-              codeQL,
-              args.languagesInput,
-              mockRepositoryNwo,
-              ".",
-              features,
-              mockLogger,
-            ),
-          { message: args.expectedError },
-        );
-      }
-      t.deepEqual(mockRequest.called, args.expectedApiCall);
     });
-  }
+
+    if (args.expectedLanguages) {
+      // happy path
+      const actualLanguages = await configUtils.getLanguages(
+        codeQL,
+        args.languagesInput,
+        mockRepositoryNwo,
+        ".",
+        mockLogger,
+      );
+
+      t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
+    } else {
+      // there is an error
+      await t.throwsAsync(
+        async () =>
+          await configUtils.getLanguages(
+            codeQL,
+            args.languagesInput,
+            mockRepositoryNwo,
+            ".",
+            mockLogger,
+          ),
+        { message: args.expectedError },
+      );
+    }
+    t.deepEqual(mockRequest.called, args.expectedApiCall);
+  });
 });
 
 for (const { displayName, language, feature } of [

src/config-utils.ts

@@ -34,6 +34,7 @@ import {
   OverlayDatabaseMode,
 } from "./overlay-database-utils";
 import { RepositoryNwo } from "./repository";
+import { ToolsFeature } from "./tools-features";
 import { downloadTrapCaches } from "./trap-caching";
 import {
   GitHubVersion,
@@ -177,12 +178,10 @@ export interface Config {
 
 export async function getSupportedLanguageMap(
   codeql: CodeQL,
-  features: FeatureEnablement,
   logger: Logger,
 ): Promise<Record<string, string>> {
-  const resolveSupportedLanguagesUsingCli = await features.getValue(
+  const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
-    Feature.ResolveSupportedLanguagesUsingCli,
+    ToolsFeature.BuiltinExtractorsSpecifyDefaultQueries,
-    codeql,
   );
   const resolveResult = await codeql.betterResolveLanguages({
     filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli,
@@ -283,7 +282,6 @@ export async function getLanguages(
   languagesInput: string | undefined,
   repository: RepositoryNwo,
   sourceRoot: string,
-  features: FeatureEnablement,
   logger: Logger,
 ): Promise<Language[]> {
   // Obtain languages without filtering them.
@@ -294,7 +292,7 @@ export async function getLanguages(
     logger,
   );
 
-  const languageMap = await getSupportedLanguageMap(codeql, features, logger);
+  const languageMap = await getSupportedLanguageMap(codeql, logger);
   const languagesSet = new Set<Language>();
   const unknownLanguages: string[] = [];
 
@@ -431,7 +429,6 @@ export async function initActionState(
     languagesInput,
     repository,
     sourceRoot,
-    features,
     logger,
   );
 
@@ -1036,7 +1033,6 @@ export async function getConfig(
  * pack.
  *
  * @param registriesInput The value of the `registries` input.
- * @param codeQL a codeQL object, used only for checking the version of CodeQL.
  * @param tempDir a temporary directory to store the generated qlconfig.yml file.
  * @param logger a logger object.
  * @returns The path to the generated `qlconfig.yml` file and the auth tokens to

src/config/db-config.ts

@@ -160,7 +160,6 @@ const PACK_IDENTIFIER_PATTERN = (function () {
  * Version and path are optional.
  *
  * @param packStr the package specification to verify.
- * @param configFile Config file to use for error reporting
  */
 export function parsePacksSpecification(packStr: string): Pack {
   if (typeof packStr !== "string") {

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.4",
+  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.4",
+  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.3"
+  "priorCliVersion": "2.23.2"
 }

src/diff-informed-analysis-utils.test.ts

@@ -188,10 +188,6 @@ test(
 );
 
 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
-  sinon
-    .stub(actionsUtil, "getRequiredInput")
-    .withArgs("checkout_path")
-    .returns("/checkout/path");
   return exportedForTesting.getDiffRanges(
     {
       filename: "test.txt",
@@ -211,7 +207,7 @@ test("getDiffRanges: file diff too large", async (t) => {
   const diffRanges = runGetDiffRanges(1000000, undefined);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 0,
       endLine: 0,
     },
@@ -232,7 +228,7 @@ test("getDiffRanges: diff thunk with single addition range", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 54,
     },
@@ -268,7 +264,7 @@ test("getDiffRanges: diff thunk with single update range", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 53,
     },
@@ -290,12 +286,12 @@ test("getDiffRanges: diff thunk with addition ranges", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 53,
     },
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 55,
       endLine: 55,
     },
@@ -322,12 +318,12 @@ test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 54,
       endLine: 54,
     },
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 57,
       endLine: 58,
     },
@@ -357,12 +353,12 @@ test("getDiffRanges: multiple diff thunks", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 53,
       endLine: 54,
     },
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 153,
       endLine: 154,
     },
@@ -373,7 +369,7 @@ test("getDiffRanges: no diff context lines", async (t) => {
   const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
   t.deepEqual(diffRanges, [
     {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
       startLine: 50,
       endLine: 51,
     },

src/diff-informed-analysis-utils.ts

@@ -191,13 +191,6 @@ function getDiffRanges(
   fileDiff: FileDiff,
   logger: Logger,
 ): DiffThunkRange[] | undefined {
-  // Diff-informed queries expect the file path to be absolute. CodeQL always
-  // uses forward slashes as the path separator, so on Windows we need to
-  // replace any backslashes with forward slashes.
-  const filename = path
-    .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
-    .replaceAll(path.sep, "/");
-
   if (fileDiff.patch === undefined) {
     if (fileDiff.changes === 0) {
       // There are situations where a changed file legitimately has no diff.
@@ -212,7 +205,7 @@ function getDiffRanges(
     // to a special diff range that covers the entire file.
     return [
       {
-        path: filename,
+        path: fileDiff.filename,
         startLine: 0,
         endLine: 0,
       },
@@ -247,7 +240,7 @@ function getDiffRanges(
       // Any line that does not start with a "+" or "-" terminates the current
       // range of added lines.
       diffRanges.push({
-        path: filename,
+        path: fileDiff.filename,
         startLine: additionRangeStartLine,
         endLine: currentLine - 1,
       });

src/feature-flags.ts

@@ -76,7 +76,6 @@ export enum Feature {
   OverlayAnalysisSwift = "overlay_analysis_swift",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
   QaTelemetryEnabled = "qa_telemetry_enabled",
-  ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
   UseRepositoryProperties = "use_repository_properties",
   ValidateDbConfig = "validate_db_config",
 }
@@ -161,12 +160,6 @@ export const featureConfig: Record<
     legacyApi: true,
     minimumVersion: undefined,
   },
-  [Feature.ResolveSupportedLanguagesUsingCli]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: undefined,
-    toolsFeature: ToolsFeature.BuiltinExtractorsSpecifyDefaultQueries,
-  },
   [Feature.OverlayAnalysis]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

src/status-report.ts

@@ -252,7 +252,7 @@ export interface EventReport {
  *
  * @param actionName The name of the action, e.g. 'init', 'finish', 'upload-sarif'
  * @param status The status. Must be 'success', 'failure', or 'starting'
- * @param startedAt The time this action started executing.
+ * @param actionStartedAt The time this action started executing.
  * @param cause  Cause of failure (only supply if status is 'failure')
  * @param exception Exception (only supply if status is 'failure')
  * @returns undefined if an exception was thrown.

src/testdata/pr-diff-range.yml

@@ -0,0 +1,8 @@
+
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+      - ['/checkout/path/main.js', 10, 20]

src/testdata/valid-sarif-diff-filtered.sarif

@@ -0,0 +1,178 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [{
+      "tool": {
+        "driver": {
+          "name": "LGTM.com",
+          "organization": "Semmle",
+          "version": "1.24.0-SNAPSHOT",
+          "rules": [{
+            "id": "js/unused-local-variable",
+            "name": "js/unused-local-variable",
+            "shortDescription": {
+              "text": "Unused variable, import, function or class"
+            },
+            "fullDescription": {
+              "text": "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
+            },
+            "defaultConfiguration": {
+              "level": "note"
+            },
+            "properties": {
+              "tags": ["maintainability"],
+              "kind": "problem",
+              "precision": "very-high",
+              "name": "Unused variable, import, function or class",
+              "description": "Unused variables, imports, functions or classes may be a symptom of a bug\n              and should be examined carefully.",
+              "id": "js/unused-local-variable",
+              "problem.severity": "recommendation"
+            }
+          }]
+        }
+      },
+      "results": [{
+        "ruleId": "js/unused-local-variable",
+        "ruleIndex": 0,
+        "message": {
+          "text": "Unused variable foo."
+        },
+        "locations": [{
+          "physicalLocation": {
+            "artifactLocation": {
+              "uri": "main.js",
+              "uriBaseId": "%SRCROOT%",
+              "index": 0
+            },
+            "region": {
+              "startLine": 2,
+              "startColumn": 7,
+              "endColumn": 10
+            }
+          }
+        }],
+        "partialFingerprints": {
+          "primaryLocationLineHash": "39fa2ee980eb94b0:1",
+          "primaryLocationStartColumnFingerprint": "4"
+        }
+      }],
+      "columnKind": "utf16CodeUnits",
+      "properties": {
+        "semmle.formatSpecifier": "2.1.0",
+        "semmle.sourceLanguage": "java"
+      }
+    },
+    {
+      "tool" : {
+        "driver" : {
+          "name" : "CodeQL command-line toolchain",
+          "organization" : "GitHub",
+          "semanticVersion" : "2.0.0",
+          "rules" : [ {
+            "id" : "js/unused-local-variable",
+            "name" : "js/unused-local-variable",
+            "shortDescription" : {
+              "text" : "Unused variable, import, function or class"
+            },
+            "fullDescription" : {
+              "text" : "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
+            },
+            "defaultConfiguration" : {
+              "level": "note"
+            },
+            "properties" : {
+              "tags" : [ "maintainability" ],
+              "kind" : "problem",
+              "precision" : "very-high",
+              "name" : "Unused variable, import, function or class",
+              "description" : "Unused variables, imports, functions or classes may be a symptom of a bug\n              and should be examined carefully.",
+              "id" : "js/unused-local-variable",
+              "problem.severity" : "recommendation"
+            }
+          },
+          {
+            "id": "js/inconsistent-use-of-new",
+            "name": "js/inconsistent-use-of-new",
+            "shortDescription": {
+              "text": "Inconsistent use of 'new'"
+            },
+            "fullDescription": {
+              "text": "If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'."
+            },
+            "defaultConfiguration": {
+              "level": "note"
+            },
+            "properties": {
+              "tags": [
+                "reliability",
+                "correctness",
+                "language-features"
+              ],
+              "kind": "problem",
+              "precision": "very-high",
+              "problem.severity": "warning"
+            }
+          } ]
+        }
+      },
+      "artifacts" : [ {
+        "location" : {
+          "uri" : "main.js",
+          "uriBaseId" : "%SRCROOT%",
+          "index" : 0
+        }
+      },
+      {
+        "location": {
+          "uri": "src/promiseUtils.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 1
+        }
+      },
+      {
+        "location": {
+          "uri": "src/LiveQueryClient.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 2
+        }
+      },
+      {
+        "location": {
+          "uri": "src/ParseObject.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 3
+        }
+      } ],
+      "results" : [ {
+        "ruleId" : "js/unused-local-variable",
+        "ruleIndex" : 0,
+        "message" : {
+          "text" : "Unused variable foo."
+        },
+        "locations" : [ {
+          "physicalLocation" : {
+            "artifactLocation" : {
+              "uri" : "main.js",
+              "uriBaseId" : "%SRCROOT%",
+              "index" : 0
+            },
+            "region" : {
+              "startLine" : 2,
+              "startColumn" : 7,
+              "endColumn" : 10
+            }
+          }
+        } ],
+        "partialFingerprints" : {
+          "primaryLocationLineHash" : "39fa2ee980eb94b0:1",
+          "primaryLocationStartColumnFingerprint" : "4"
+        }
+      }],
+      "newlineSequences" : [ "\r\n", "\n", "
", "
" ],
+      "columnKind" : "utf16CodeUnits",
+      "properties" : {
+        "semmle.formatSpecifier" : "sarif-latest"
+      }
+    }
+  ]
+}

src/upload-lib.test.ts

@@ -9,10 +9,16 @@ import * as sinon from "sinon";
 import * as analyses from "./analyses";
 import { AnalysisKind, CodeQuality, CodeScanning } from "./analyses";
 import * as api from "./api-client";
+import * as diffUtils from "./diff-informed-analysis-utils";
 import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
-import { GitHubVariant, initializeEnvironment, withTmpDir } from "./util";
+import {
+  GitHubVariant,
+  initializeEnvironment,
+  SarifFile,
+  withTmpDir,
+} from "./util";
 
 setupTests(test);
 
@@ -960,3 +966,30 @@ for (const analysis of [CodeScanning, CodeQuality]) {
     });
   });
 }
+
+function runFilterAlertsByDiffRange(
+  input: SarifFile,
+  diffRanges: diffUtils.DiffThunkRange[],
+): SarifFile {
+  sinon.stub(diffUtils, "readDiffRangesJsonFile").returns(diffRanges);
+  return uploadLib.filterAlertsByDiffRange(getRunnerLogger(true), input);
+}
+
+test("filterAlertsByDiffRange filters out alerts outside diff-range", (t) => {
+  const input = uploadLib.readSarifFile(
+    `${__dirname}/../src/testdata/valid-sarif.sarif`,
+  );
+  const actualOutput = runFilterAlertsByDiffRange(input, [
+    {
+      path: "main.js",
+      startLine: 1,
+      endLine: 3,
+    },
+  ]);
+
+  const expectedOutput = uploadLib.readSarifFile(
+    `${__dirname}/../src/testdata/valid-sarif-diff-filtered.sarif`,
+  );
+
+  t.deepEqual(actualOutput, expectedOutput);
+});

src/upload-lib.ts

@@ -738,7 +738,7 @@ export async function postProcessSarifFiles(
  * @param logger The logger to use.
  * @param pathInput The input provided for `post-processed-sarif-path`.
  * @param uploadTarget The upload target.
- * @param processingResults The results of post-processing SARIF files.
+ * @param postProcessingResults The results of post-processing SARIF files.
  */
 export async function writePostProcessedFiles(
   logger: Logger,
@@ -1134,14 +1134,15 @@ export class InvalidSarifUploadError extends Error {
   }
 }
 
-function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
+export function filterAlertsByDiffRange(
+  logger: Logger,
+  sarif: SarifFile,
+): SarifFile {
   const diffRanges = readDiffRangesJsonFile(logger);
   if (!diffRanges?.length) {
     return sarif;
   }
 
-  const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-
   for (const run of sarif.runs) {
     if (run.results) {
       run.results = run.results.filter((result) => {
@@ -1156,11 +1157,6 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
           if (!locationUri || locationStartLine === undefined) {
             return false;
           }
-          // CodeQL always uses forward slashes as the path separator, so on Windows we
-          // need to replace any backslashes with forward slashes.
-          const locationPath = path
-            .join(checkoutPath, locationUri)
-            .replaceAll(path.sep, "/");
           // Alert filtering here replicates the same behavior as the restrictAlertsTo
           // extensible predicate in CodeQL. See the restrictAlertsTo documentation
           // https://codeql.github.com/codeql-standard-libraries/csharp/codeql/util/AlertFiltering.qll/predicate.AlertFiltering$restrictAlertsTo.3.html
@@ -1168,7 +1164,7 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
           // of an alert location.
           return diffRanges.some(
             (range) =>
-              range.path === locationPath &&
+              range.path === locationUri &&
               ((range.startLine <= locationStartLine &&
                 range.endLine >= locationStartLine) ||
                 (range.startLine === 0 && range.endLine === 0)),

src/util.test.ts

@@ -447,13 +447,21 @@ const CHECK_ACTION_VERSION_TESTS: Array<[string, util.GitHubVersion, boolean]> =
     ["2.2.1", { type: util.GitHubVariant.DOTCOM }, true],
     ["2.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, true],
     ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.10" }, false],
-    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, true],
+    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, false],
-    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, true],
+    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, false],
-    ["3.2.1", { type: util.GitHubVariant.DOTCOM }, false],
+    ["3.2.1", { type: util.GitHubVariant.DOTCOM }, true],
-    ["3.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, false],
+    ["3.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, true],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.10" }, false],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, false],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, false],
+    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.19" }, false],
+    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.20" }, true],
+    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.21" }, true],
+    ["4.2.1", { type: util.GitHubVariant.DOTCOM }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.19" }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.20" }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.21" }, false],
   ];
 
 for (const [
@@ -480,9 +488,7 @@ for (const [
     if (shouldReportError) {
       t.true(
         warningSpy.calledOnceWithExactly(
-          sinon.match(
+          sinon.match("CodeQL Action v3 will be deprecated in December 2026."),
-            "CodeQL Action major versions v1 and v2 have been deprecated.",
-          ),
         ),
       );
     } else {

src/util.ts

@@ -1114,38 +1114,38 @@ export async function checkDiskUsage(
 }
 
 /**
- * Prompt the customer to upgrade to CodeQL Action v3, if appropriate.
+ * Prompt the customer to upgrade to CodeQL Action v4, if appropriate.
  *
- * Check whether a customer is running v1 or v2. If they are, and we can determine that the GitHub
+ * Check whether a customer is running v3. If they are, and we can determine that the GitHub
- * instance supports v3, then log an error prompting the customer to upgrade to v3.
+ * instance supports v4, then log an error prompting the customer to upgrade to v4.
  */
 export function checkActionVersion(
   version: string,
   githubVersion: GitHubVersion,
 ) {
   if (
-    !semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+    !semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
     !process.env[EnvVar.LOG_VERSION_DEPRECATION] // do not log error if we have already
   ) {
-    // Only error for versions of GHES that are compatible with CodeQL Action version 3.
+    // Only error for versions of GHES that are compatible with CodeQL Action version 4.
     //
-    // GHES 3.11 shipped without the v3 tag, but it also shipped without this warning message code.
+    // GHES 3.20 is the first version to ship with the v4 tag and this warning message code.
-    // Therefore users who are seeing this warning message code have pulled in a new version of the
+    // Therefore, users who are seeing this warning message code are running on GHES 3.20 or newer,
-    // Action, and with it the v3 tag.
+    // and should update to CodeQL Action v4.
     if (
       githubVersion.type === GitHubVariant.DOTCOM ||
       githubVersion.type === GitHubVariant.GHE_DOTCOM ||
       (githubVersion.type === GitHubVariant.GHES &&
         semver.satisfies(
           semver.coerce(githubVersion.version) ?? "0.0.0",
-          ">=3.11",
+          ">=3.20",
         ))
     ) {
       core.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. " +
+        "CodeQL Action v3 will be deprecated in December 2026. " +
-          "Please update all occurrences of the CodeQL Action in your workflow files to v3. " +
+          "Please update all occurrences of the CodeQL Action in your workflow files to v4. " +
           "For more information, see " +
-          "https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/",
+          "https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/",
       );
       // set LOG_VERSION_DEPRECATION env var to prevent the warning from being logged multiple times
       core.exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");