microsoft · dilanbhalla · Mar 24, 2026 · Mar 6, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -20,18 +20,18 @@ bazel_dep(name = "rules_go", version = "0.59.0")
 bazel_dep(name = "rules_java", version = "9.0.3")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
-bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.5.0")
+bazel_dep(name = "rules_python", version = "1.9.0")
+bazel_dep(name = "rules_shell", version = "0.6.1")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
+bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
 bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
+bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
-bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
+bazel_dep(name = "zstd", version = "1.5.7.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 

diff --git a/actions/ql/lib/CHANGELOG.md b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.30
+
+No user-facing changes.
+
 ## 0.4.29
 
 No user-facing changes.

diff --git a/actions/ql/lib/change-notes/released/0.4.30.md b/actions/ql/lib/change-notes/released/0.4.30.md
@@ -0,0 +1,3 @@
+## 0.4.30
+
+No user-facing changes.
diff --git a/actions/ql/lib/codeql-pack.release.yml b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.29
+lastReleaseVersion: 0.4.30
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.29
+version: 0.4.30
 library: true
 warnOnImplicitThis: true
 dependencies:

diff --git a/actions/ql/src/CHANGELOG.md b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.22
+
+No user-facing changes.
+
 ## 0.6.21
 
 No user-facing changes.

diff --git a/actions/ql/src/change-notes/released/0.6.22.md b/actions/ql/src/change-notes/released/0.6.22.md
@@ -0,0 +1,3 @@
+## 0.6.22
+
+No user-facing changes.
diff --git a/actions/ql/src/codeql-pack.release.yml b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.21
+lastReleaseVersion: 0.6.22
diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.21
+version: 0.6.22
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

diff --git a/config/add-overlay-annotations.py b/config/add-overlay-annotations.py
@@ -199,6 +199,7 @@ def annotate_as_appropriate(filename, lines):
     # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
     # but they seem to work well enough for now (as determined by speed and accuracy numbers).
     if (filename.endswith("Test.qll") or
+        re.search(r"go/ql/lib/semmle/go/security/[^/]+[.]qll$", filename.replace(os.sep, "/")) or
         ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
          any("implements DataFlow::ConfigSig" in line for line in lines))):
         return None

diff --git a/config/identical-files.json b/config/identical-files.json
@@ -172,10 +172,6 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
-  "C# ControlFlowReachability": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
-  ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"

diff --git a/cpp/downgrades/770002bb02322e04fa25345838ce6e82af285a0b/in_trap.ql b/cpp/downgrades/770002bb02322e04fa25345838ce6e82af285a0b/in_trap.ql
@@ -0,0 +1,21 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Trap extends @trap {
+  string toString() { none() }
+}
+
+class Tag extends @tag {
+  string toString() { none() }
+}
+
+from Element e, Trap trap
+where
+  in_trap_or_tag(e, trap)
+  or
+  exists(Tag tag |
+    in_trap_or_tag(e, tag) and
+    trap_uses_tag(trap, tag)
+  )
+select e, trap