Releases: advanced-security/codeql-development-mcp-server

v2.25.4

11 May 16:26
03c4f76

What's Changed

  • MaD QL : Improve ql-mcp support for CodeQL Models-as-Data Extensions by @data-douser in #271
  • Update on.{pull_request,push}.paths triggers for .github/workflows/build-*.yml by @data-douser in #274
  • Upgrade CodeQL CLI dependency to v2.25.4 by @github-actions[bot] in #272
  • Build(deps): bump hono from 4.12.14 to 4.12.18 by @dependabot[bot] in #273
  • [UPDATE PRIMITIVE] Auto-infer codeql_query_run format from @kind to enable result caching by @Copilot in #275
  • Build(deps): bump fast-uri from 3.1.0 to 3.1.2 by @dependabot[bot] in #277
  • Prep for pending v2.25.4 release of codeql-development-mcp-server by @Copilot in #276

Full Changelog: v2.25.3...v2.25.4

v2.25.3

05 May 13:34
e23c9f4

What's Changed

  • Build(deps): bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #256
  • Build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #255
  • Build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @dependabot[bot] in #253
  • Build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @dependabot[bot] in #254
  • Build(deps): bump the all-npm-dependencies group across 4 directories with 5 updates by @dependabot[bot] in #257
  • Supply chain hardening for npm and actions by @data-douser in #258
  • Build(deps-dev): bump the all-npm-dependencies group across 4 directories with 3 updates by @dependabot[bot] in #259
  • Merge next into main for "next" release prep by @data-douser in #260
  • Build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in #264
  • Build(deps): bump actions/setup-go from 5.6.0 to 6.4.0 by @dependabot[bot] in #265
  • Fix invalid JSON Schema for query_results_cache_retrieve by @Copilot in #263
  • Upgrade CodeQL CLI dependency to v2.25.3 by @github-actions[bot] in #269

Full Changelog: v2.25.2...v2.25.3

v2.25.2-next.1

20 Apr 14:05

v2.25.2-next.1 Pre-release

What's Changed

Full Changelog: v2.25.1-next.3...v2.25.2-next.1

v2.25.2

15 Apr 17:46
fd7f222

What's Changed

  • SqliteStore backend + annotation, audit, and query result cache tools by @data-douser in #169
  • Add support for rust language by @Copilot in #195
  • fix: ql-mcp server must handle vscode workspace folder changes by @data-douser in #196
  • Updated versions & CHANGELOG.md for v2.25.1-next.1 release by @data-douser in #197
  • Updates for v2.25.1-next.2 prerelease by @data-douser in #204
  • Build(deps): bump the all-npm-dependencies group across 4 directories with 6 updates by @dependabot[bot] in #205
  • Add missing Cargo.lock files and ext/ crate for Rust QL tools test fixtures by @Copilot in #210
  • Document and test sarif_list_rules per-rule resultCount field by @Copilot in #219
  • [UPDATE PRIMITIVE] Normalize camelCase params to kebab-case with actionable error messages for CLI tools by @Copilot in #224
  • Fix minimal default scope in extract-test-databases.sh for efficient running of client integration tests by @data-douser in #228
  • [UPDATE PRIMITIVE] Report all validation errors at once instead of one-at-a-time by @Copilot in #227
  • Improve ql-mcp VS Code extension UX by @Copilot in #230
  • Update NodeJS dependencies for security patches by @data-douser in #245
  • Prep for v2.25.2 release of codeql-development-mcp-server by @data-douser in #251

Full Changelog: v2.25.1...v2.25.2

v2.25.2-rc1

15 Apr 17:42

v2.25.2-rc1 Pre-release

What's Changed

  • Build(deps): bump the all-npm-dependencies group across 4 directories with 6 updates by @dependabot[bot] in #205
  • Add missing Cargo.lock files and ext/ crate for Rust QL tools test fixtures by @Copilot in #210
  • Document and test sarif_list_rules per-rule resultCount field by @Copilot in #219
  • [UPDATE PRIMITIVE] Normalize camelCase params to kebab-case with actionable error messages for CLI tools by @Copilot in #224
  • Fix minimal default scope in extract-test-databases.sh for efficient running of client integration tests by @data-douser in #228
  • [UPDATE PRIMITIVE] Report all validation errors at once instead of one-at-a-time by @Copilot in #227
  • Improve ql-mcp VS Code extension UX by @Copilot in #230
  • Update NodeJS dependencies for security patches by @data-douser in #245

Full Changelog: v2.25.1-next.2...v2.25.2-rc1

v2.25.1-next.3

08 Apr 01:38

v2.25.1-next.3 Pre-release

Overview

This prerelease contains the last expected improvements for the v2.25.1-next.* release train, which will form the bulk of changes between the full v2.25.1 release and the to-be-released v2.25.2 release (pending upstream CodeQL release).

This v2.25.1-next.3 prerelease is focused on bug fixes and usability improvements for the ql-mcp server and its wrapping VSIX-installed (e.g. VS Code) extension.

v2.25.1-next.2

01 Apr 21:59
16b96a1

v2.25.1-next.2 Pre-release

What's Changed

Full Changelog: v2.25.1-next.1...v2.25.1-next.2

v2.25.1-next.1

30 Mar 22:27
86fe331

v2.25.1-next.1 Pre-release

v2.25.1-next.1 — 2026-03-30

Highlights

  • Ready for multi-query and/or multi-repository variant analysis (aka MRVA) -- An improved sql.js backend and new MCP server primitives (i.e. prompts, resources & tools) are designed to support analysis of large codebases and/or MRVA results and/or results across multiple query runs.
  • Prepped for drop-in to GitHubSecurityLab/seclab-taskflow-agent -- This next release is intended to be a drop-in replacement for the CodeQL MCP server currently bundled with the GitHubSecurityLab/seclab-taskflow-agent -- where additional work is required to complete this integration on the seclab-taskflow-agent side, but where the codeql-development-mcp-server is fully prepped to go "Yes, and ..." on the ideas pioneered by the seclab-taskflow-agent. Where the previously bundled CodeQL MCP server provided some "tools" queries for a couple of languages, the codeql-development-mcp-server standardizes and extends PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, and CallGraphFromTo "tools" queries for all currently supported languages, including:
    • actions (only supports PrintAST and PrintCFG)
    • cpp
    • csharp
    • go
    • java
    • javascript
    • python
    • ruby
    • rust
    • swift
  • SqliteStore backend + 14 new opt-in tools — Replaced lowdb with sql.js (SQLite compiled to asm.js) as the unified storage backend. Introduced annotation (6 tools), audit (4 tools), and query result cache (4 tools) suites, gated by ENABLE_ANNOTATION_TOOLS. (#169)
  • Rust language support — Added first-class Rust support with all standard tool queries (PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, CallGraphFromTo) plus a new rust_ast.md language resource, bringing the total supported languages to 10. (#195)
  • VS Code workspace folder change fix — The ql-mcp server now correctly restarts with a fresh environment when workspace folders are added or removed, fixing a bug where the server was left in a broken state. (#196)

Added

MCP Server Tools

Enabling the new MCP tools (below) requires setting the ENABLE_MONITORING_TOOLS and MONITORING_STORAGE_LOCATION env vars, like:

export ENABLE_ANNOTATION_TOOLS=true
export MONITORING_STORAGE_LOCATION=".codeql/.ql-mcp-tracking"

NOTE: A future release (e.g. v2.25.1-next.2) will ensure that these env vars are automatically set for a VSIX-installed ql-mcp server and wrapping VS Code extension. For this v2.25.1-next.1 release, the above env vars need to be manually set in the extension's settings.

| Tool | Description |
| --- | --- |
| annotation_create | Create general-purpose notes and bookmarks on any entity. (#169) |
| annotation_get | Retrieve a specific annotation by ID. (#169) |
| annotation_list | List all annotations, optionally filtered. (#169) |
| annotation_update | Update an existing annotation. (#169) |
| annotation_delete | Delete an annotation by ID. (#169) |
| annotation_search | Full-text search across annotations. (#169) |
| audit_store_findings | Store repo-keyed findings for MRVA triage workflows. (#169) |
| audit_list_findings | List audit findings for a repository. (#169) |
| audit_add_notes | Add notes to audit findings. (#169) |
| audit_clear_repo | Clear all findings for a repository. (#169) |
| query_results_cache_lookup | Look up cached query results with subset retrieval. (#169) |
| query_results_cache_retrieve | Retrieve cached query results with line range, grep, and SARIF filters. (#169) |
| query_results_cache_clear | Clear the query result cache. (#169) |
| query_results_cache_compare | Compare query results across databases. (#169) |

CodeQL Query Packs

| Pack | Description |
| --- | --- |
| Rust tool queries | PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, CallGraphFromTo for Rust, using entity-based function resolution via getResolvedTarget(). (#195) |

MCP Server Resources

| URI | Description |
| --- | --- |
| codeql://languages/rust/ast | Comprehensive Rust AST class reference for CodeQL query development, with verified accessor predicates. (#195) |

Infrastructure & CI/CD

  • Added Rust to all CI/CD workflows: query-unit-tests.yml, release.yml, release-codeql.yml. (#195)
  • Added client integration tests for Rust PrintAST and CallGraphFrom. (#195)
  • Added client integration tests for all 14 new annotation/audit/cache tools and an MRVA triage workflow end-to-end test. (#169)
  • Added .prettierignore entries for *.ql, *.qll, and query documentation .md files to prevent prettier from overriding CodeQL formatting. (#195)

What's Changed

MCP Server Tools

| Tool | Change |
| --- | --- |
| codeql_query_run | Results are now auto-cached in the SqliteStore after SARIF interpretation. (#169) |
| extractQueryMetadata | LRU in-memory cache with mtime-based invalidation for improved performance. (#169) |
| resolveDatabasePath | Module-level Map cache to avoid redundant filesystem scans. (#169) |

VS Code Extension

  • McpProvider.requestRestart() now atomically invalidates the environment cache and bumps a +rN revision suffix, ensuring VS Code reliably detects version changes and restarts the server. (#196)
  • Extension version is cached once at construction time instead of reading package.json synchronously on every definition query. (#196)

Infrastructure & CI/CD

  • Extracted database-resolver.ts, query-resolver.ts, result-processor.ts, and codeql-version.ts from monolithic files, reducing cli-tool-registry.ts by ~375 lines. (#169)
  • CodeQL CLI actual-vs-target version mismatch detection at startup with logged warnings. (#169)

Fixed

  • VS Code workspace folder changes left server in broken state — fireDidChange() was called with an identical version string after folder add/remove, causing VS Code to stop but not restart the server. requestRestart() now invalidates the environment cache and uses a monotonically increasing +rN revision suffix. (#196)
  • requestRestart() did not invalidate environment cache — Callers had to manually invalidate the env cache before calling requestRestart(), which was undocumented. Now handled internally. (#196)

Dependencies

  • Replaced lowdb with sql.js (asm.js build, zero native dependencies). (#169)
  • Added codeql/rust-all: 0.2.10 as a CodeQL pack dependency for Rust tool queries. (#195)

v2.25.1

29 Mar 23:25
1faad96

What's Changed

  • Add CHANGELOG.md and maintenance agent skill by @data-douser in #193
  • Upgrade CodeQL CLI dependency to v2.25.1 by @github-actions[bot] in #192

Full Changelog: v2.25.0...v2.25.1

v2.25.0

27 Mar 20:32
de78423

What's Changed

  • Build(deps-dev): bump @vitest/coverage-v8 from 4.0.18 to 4.1.0 by @dependabot[bot] in #141
  • Update copilot-setup-steps and NodeJS dependencies by @data-douser in #142
  • Apply npm audit fix for NodeJS dependencies by @data-douser in #144
  • Implement duplicated code detection prompts, supported by tools. by @MichaelRFairhurst in #109
  • Upgrade NodeJS dependencies to latest by @data-douser in #156
  • Build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by @dependabot[bot] in #146
  • Update action versions and fix build-and-test step in update-codeql workflow by @data-douser in #158
  • Support target upgrade version in update-codeql.yml workflow by @data-douser in #160
  • Improve prompt error handling and relative path support by @data-douser in #153
  • Upgrade CodeQL CLI dependency to v2.25.0 by @github-actions[bot] in #161
  • Pin actions to full-length commit SHAs by @data-douser in #190
  • Update dependabot config to group PRs by @data-douser in #191
  • Upgrade NodeJS dependencies and rebuild server/dist/** by @data-douser in #189
  • Add CallGraphFromTo queries for all supported languages by @data-douser in #168
  • [UPDATE PRIMITIVE] Fix codeql_database_analyze additionalArgs pass-through by @Copilot in #188

Full Changelog: v2.24.3...v2.25.0