Upgrade CodeQL to v2.24.3 and upgrade NodeJS dependencies to latest

[data-douser]

Summary of Changes

This pull request upgrades the CodeQL CLI and related dependencies from version 2.24.2 to 2.24.3 throughout the project. It also updates several devDependencies (such as eslint and @types/node), refreshes CodeQL pack lock files with newer versions, and adjusts the CI workflow to use an updated script for managing CodeQL pack dependencies.

Outline of Changes

Dependency and Version Upgrades:

• Upgraded CodeQL CLI and all related package versions from 2.24.2 to 2.24.3 in .codeql-version, all package.json files, and all codeql-pack.yml files across the repository. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]

• Updated QL pack lock files to the latest dependency versions for JavaScript examples and tests, ensuring all CodeQL packs are up to date.

• Upgraded devDependencies for eslint (from 10.0.2 to 10.0.3) and @types/node (from 25.3.3 to 25.3.5) in all relevant package.json files. [1] [2] [3] [4]

Workflow and Automation Improvements:

• Updated the GitHub Actions workflow to use a new script (upgrade-packs.sh instead of install-packs.sh) for upgrading CodeQL pack dependencies, and clarified workflow step descriptions to reflect the upgrade process. [1] [2]

Test Artifacts:

• Updated SARIF test result files to reflect the new CodeQL CLI version.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
client	2.24.3	Null	Unknown License
extensions/vscode	2.24.3	Null	Unknown License
server	2.24.3	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/eslint	^10.0.3	Unknown	Unknown
npm/@types/node	^25.3.5	Unknown	Unknown
npm/eslint	^10.0.3	Unknown	Unknown
npm/@eslint/config-array	0.23.3	Unknown	Unknown
npm/@eslint/core	1.1.1	Unknown	Unknown
npm/@eslint/object-schema	3.0.3	Unknown	Unknown
npm/@eslint/plugin-kit	0.6.1	Unknown	Unknown
npm/@hono/node-server	1.19.11	Unknown	Unknown
npm/@types/node	25.3.5	🟢 6.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed
npm/client	2.24.3	Unknown	Unknown
npm/eslint	10.0.3	🟢 6.3	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 22/27 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ -1 internal error: internal error: Client.Checks.ListCheckRunsForRef: internal error: ListCheckRunsForRef: GET https://api.github.com/repos/eslint/eslint/commits/1f09695a7a5271a736cc06cadf360ebb6288296a/check-runs: 500 []
npm/eslint-scope	9.1.2	Unknown	Unknown
npm/express-rate-limit	8.3.0	Unknown	Unknown
npm/extensions/vscode	2.24.3	Unknown	Unknown
npm/hono	4.12.5	Unknown	Unknown
npm/ip-address	10.1.0	⚠️ 2.5	Details Check Score Reason Code-Review ⚠️ 1 Found 4/28 approved changesets -- score normalized to 1 Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/server	2.24.3	Unknown	Unknown
npm/underscore	1.13.8	🟢 6	Details Check Score Reason Maintained 🟢 10 18 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/20 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 7 SAST tool detected but not run on all commits
npm/@types/node	^25.3.5	Unknown	Unknown
npm/eslint	^10.0.3	Unknown	Unknown

Scanned Files

• client/package.json
• extensions/vscode/package.json
• package-lock.json
• server/package.json

[Copilot]

Pull request overview

This PR updates the repository to CodeQL CLI v2.24.3 and refreshes Node.js dependency versions/lockfiles so CI, the server bundle, and packaged CodeQL packs stay in sync with the new CLI.

Changes:

• Bumped CodeQL version references across the repo (including .codeql-version, package versions, and CodeQL pack versions) from 2.24.2 → 2.24.3.
• Regenerated CodeQL pack lock files (notably for JavaScript examples) and added a new script to upgrade pack dependencies via codeql pack upgrade.
• Updated Node.js devDependencies (e.g., eslint, @types/node) and refreshed package-lock.json, with corresponding server/dist/** rebuild output and updated SARIF fixture.

Reviewed changes

Copilot reviewed 30 out of 33 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
server/src/codeql-development-mcp-server.ts	Bumps server-reported version constant to 2.24.3.
server/scripts/upgrade-packs.sh	Adds a dedicated script to regenerate pack lockfiles using codeql pack upgrade.
server/scripts/update-release-version.sh	Tweaks CLI version validation logging and invocation.
server/ql/**/tools/{src,test}/codeql-pack.yml	Bumps tool pack versions to 2.24.3 across languages.
server/ql/javascript/examples/{src,test}/codeql-pack.lock.yml	Updates JS examples pack dependency locks to newer compatible versions.
server/package.json	Bumps package version and devDependency versions.
server/dist/codeql-development-mcp-server.js	Updates committed build artifact to reflect dependency/version changes.
package.json	Bumps repo version and eslint devDependency.
package-lock.json	Refreshes workspace versions and dependency graph after upgrades.
extensions/vscode/package.json	Bumps extension version and devDependency versions.
client/package.json	Bumps client version and eslint devDependency.
client/integration-tests/**/results.sarif	Updates SARIF fixture to reflect CodeQL 2.24.3.
.github/workflows/update-codeql.yml	Switches automation from “install packs” to “upgrade packs” for lockfile regeneration.
.codeql-version	Updates pinned CodeQL CLI version to v2.24.3.