
Upgrade CodeQL CLI dependency to v2.25.1 #192

Merged
data-douser merged 7 commits into main from codeql/upgrade-to-v2.25.1 on Mar 29, 2026

Conversation

github-actions bot (Contributor) commented Mar 28, 2026

This PR upgrades the CodeQL CLI version to v2.25.1 and improves the upgrade-packs.sh script based on review feedback.

📝 Update Information

Primitive Details

  • Type: Both
  • Name: upgrade-packs.sh script / CodeQL CLI version metadata
  • Update Category: Bug Fix, Feature Enhancement

⚠️ CRITICAL: PR SCOPE VALIDATION

This PR is for updating an existing MCP server primitive and must ONLY include these file types:

ALLOWED FILES:

  • Server implementation files (server/src/**/*.ts)
  • Updated primitive implementations
  • Modified registration files (server/src/tools/*.ts)
  • Updated or new test files (server/test/**/*.ts)
  • Documentation updates (README.md, server docs)
  • Updated type definitions (server/src/types/*.ts)
  • Modified supporting library files (server/src/lib/*.ts)
  • Configuration updates if needed (package.json, tsconfig.json)

🚫 FORBIDDEN FILES:

  • Files unrelated to the primitive update
  • Temporary or test output files
  • IDE configuration files
  • Log files or debug output
  • Analysis or summary files

Rationale: This PR should contain only the files necessary to update and test the primitive.

🚨 PRs that include forbidden files will be rejected and must be revised.


🛑 MANDATORY PR VALIDATION CHECKLIST

BEFORE SUBMITTING THIS PR, CONFIRM:

  • ONLY server implementation files are included
  • NO temporary or output files are included
  • NO unrelated configuration files are included
  • ALL existing tests continue to pass
  • NEW functionality is properly tested

  • Impact Scope: Moderate

Update Metadata

  • Breaking Changes: No
  • API Compatibility: Maintained
  • Performance Impact: Neutral

🎯 Changes Description

Current Behavior

  • The repository used CodeQL CLI v2.25.0 across all version-bearing files.
  • pin_upstream_dep in upgrade-packs.sh returned early for wildcard deps (e.g. codeql/javascript-all: '*') before running codeql pack upgrade, so wildcard packs never had their lock files refreshed.
  • codeql pack upgrade output was fully suppressed (>/dev/null 2>&1), making failures silent and hard to diagnose.

Updated Behavior

  • All version-bearing files reference CodeQL CLI v2.25.1.
  • pin_upstream_dep always runs codeql pack upgrade first so every pack's lock file stays in sync with the CLI; only the version-pinning step is skipped for wildcard deps.
  • codeql pack upgrade output is captured and printed to stderr on failure, giving clear diagnostic information in CI and local runs.

Motivation

  • CodeQL CLI v2.25.1 was released and requires corresponding lock file and dependency updates.
  • Wildcard packs (javascript/examples/src) were silently left with stale lock files on CLI upgrades — a correctness bug.
  • Silent failures in upgrade-packs.sh made troubleshooting difficult.

🔄 Before vs. After Comparison

Functionality Changes

# BEFORE: wildcard deps returned early, upgrade never ran; all output suppressed
if [[ "${dep_old_version}" == *"*"* ]]; then
    echo "  ℹ️  ${dep_name}: ${dep_old_version} (wildcard — skipping)"
    return
fi
codeql pack upgrade -- "${pack_dir}" >/dev/null 2>&1

# AFTER: upgrade always runs; only pinning skipped for wildcards; failures are visible
local upgrade_output
if ! upgrade_output=$(codeql pack upgrade -- "${pack_dir}" 2>&1); then
    echo "  ❌ codeql pack upgrade failed for ${pack_dir}:" >&2
    echo "${upgrade_output}" >&2
    return 1
fi
if [[ "${dep_old_version}" == *"*"* ]]; then
    echo "  ℹ️  ${dep_name}: ${dep_old_version} (wildcard — lock file upgraded, pinning skipped)"
    return
fi

API Changes

No API changes.

Output Format Changes

No output format changes.

🧪 Testing & Validation

Test Coverage Updates

  • Existing Tests: All existing tests continue to pass
  • New Test Cases: No new test cases (script behaviour verified manually)
  • Regression Tests: Wildcard pack lock file upgrade now covered by script logic
  • Edge Case Tests: N/A

Validation Scenarios

  1. Backward Compatibility: Existing pinned-version packs continue to be upgraded and pinned as before.
  2. New Functionality: Wildcard packs (e.g. javascript/examples/src) now get their lock files refreshed on CLI upgrade.
  3. Error Handling: codeql pack upgrade failures now print full output to stderr instead of silently aborting.
  4. Performance: No performance impact.

Test Results

  • Unit Tests: All pass
  • Integration Tests: All pass
  • Manual Testing: Validated with real scenarios
  • Performance Testing: No regressions detected

📋 Implementation Details

Files Modified

  • Core Implementation: server/scripts/upgrade-packs.sh
  • Configuration: .codeql-version, package.json, extensions/vscode/package.json, codeql-pack.yml files updated to 2.25.1
  • Lock Files: codeql-pack.lock.yml files regenerated across all languages
  • Dependencies: package-lock.json regenerated

Code Changes Summary

  • Algorithm Improvements: pin_upstream_dep now always upgrades lock files before deciding whether to pin
  • Error Handling: Improved error handling — codeql pack upgrade failures now surface diagnostic output
  • Performance Optimization: N/A
  • Type Safety: N/A
  • Input Validation: N/A
  • Output Format: N/A

Dependencies

  • Updated Dependencies: CodeQL CLI bumped from 2.25.0 to 2.25.1; CodeQL pack lock files regenerated

🔍 Quality Improvements

Bug Fixes

  • Issue: Wildcard packs (e.g. server/ql/javascript/examples/src) had their lock files skipped during CLI upgrades.

  • Root Cause: The early return for wildcard deps in pin_upstream_dep executed before codeql pack upgrade ran.

  • Solution: Moved codeql pack upgrade before the wildcard check; the early return now only skips pinning.

  • Prevention: Script comment updated to document the new behaviour.

  • Issue: Silent codeql pack upgrade failures made CI troubleshooting difficult.

  • Root Cause: All output was redirected to /dev/null.

  • Solution: Output is now captured and printed to stderr on failure.

  • Prevention: Explicit error message with full command output on non-zero exit.

Code Quality Enhancements

  • Readability: Updated inline comments to reflect the new script behaviour
  • Maintainability: Cleaner separation between "upgrade lock file" and "pin version" concerns
  • Testability: N/A
  • Reusability: N/A

🔗 References

Related Issues/PRs

  • Related PRs: Follows up on review feedback from the initial v2.25.1 upgrade commit

External References

  • CodeQL CLI v2.25.1 release

Validation Materials

  • Test Cases: Script run against all language packs including javascript/examples/src (wildcard dep)

🚀 Compatibility & Migration

Backward Compatibility

  • Fully Compatible: No breaking changes

API Evolution

  • Maintained Contracts: Core API contracts preserved

👥 Review Guidelines

For Reviewers

Please verify:

  • ⚠️ SCOPE COMPLIANCE: PR contains only server implementation files
  • ⚠️ NO UNRELATED FILES: No temporary, output, or unrelated files
  • ⚠️ BACKWARD COMPATIBILITY: Existing functionality preserved
  • Functionality: Updates work as described
  • Test Coverage: All existing tests pass
  • Code Quality: Maintains or improves code quality
  • Error Handling: Improved error handling

Testing Instructions

# Full test suite
npm install
npm run build
npm test

# Upgrade packs manually
./server/scripts/upgrade-packs.sh
./server/scripts/upgrade-packs.sh --language javascript

# Code quality checks
npm run lint
npm run format
npm run type-check

Validation Checklist

  1. Regression Testing: Verify no existing functionality is broken
  2. Wildcard Pack Testing: Confirm javascript/examples/src lock file is updated by the script
  3. Error Testing: Verify codeql pack upgrade failures print diagnostic output to stderr
  4. Integration Testing: Verify integration with rest of server

📊 Impact Assessment

Server Impact

  • Startup Time: No significant impact on server startup
  • Runtime Stability: No impact on server stability
  • Resource Usage: Reasonable resource consumption
  • Concurrent Usage: Safe for concurrent access

AI Assistant Impact

  • Improved Reliability: More reliable pack upgrade script behaviour
  • Enhanced User Experience: Better diagnostic output on script failures

🔄 Deployment Strategy

Rollout Considerations

  • Safe Deployment: Can be deployed safely to production
  • Rollback Plan: Clear rollback strategy — revert upgrade-packs.sh changes and lock files

Update Methodology: This update follows best practices:

  1. ✅ Comprehensive backward compatibility analysis
  2. ✅ Thorough testing of all changes
  3. ✅ Performance impact assessment
  4. ✅ Clear documentation of changes
  5. ✅ Robust error handling improvements
  6. ✅ Maintained code quality standards

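The reordered pin_upstream_dep described in the PR above, written out as an added, self-contained example. This is not the project's upgrade-packs.sh: the CODEQL_BIN variable, the fake_codeql stub that stands in for the CLI so the script runs offline, the sed-based rewrite used for the pinning step, and the three-pack temp fixture are all assumptions of this example. What it preserves from the PR is the ordering: codeql pack upgrade runs for every pack and its output is surfaced on failure before the wildcard check decides whether to pin.

```bash
#!/usr/bin/env bash
# Added example, not the project's upgrade-packs.sh: a minimal pin_upstream_dep
# with the post-fix ordering the PR describes. `codeql pack upgrade` runs for
# every pack first and its output is surfaced on failure; only afterwards is the
# dep checked for a wildcard (pinning skipped) or rewritten to the new version.
set -eo pipefail

# CODEQL_BIN is an assumption of this example: it lets a stub stand in for the CLI.
: "${CODEQL_BIN:=codeql}"

# pin_upstream_dep PACK_DIR DEP_NAME DEP_OLD_VERSION NEW_VERSION
# Exit status: 0 on success, 1 if `codeql pack upgrade` fails.
pin_upstream_dep() {
    local pack_dir="$1" dep_name="$2" dep_old_version="$3" new_version="$4"
    local upgrade_output
    # 1. Always refresh the lock file; capture stdout+stderr so a failure is diagnosable.
    if ! upgrade_output=$("${CODEQL_BIN}" pack upgrade -- "${pack_dir}" 2>&1); then
        echo "  ❌ codeql pack upgrade failed for ${pack_dir}:" >&2
        echo "${upgrade_output}" >&2
        return 1
    fi
    # 2. Wildcard deps (e.g. codeql/javascript-all: '*') keep the wildcard in codeql-pack.yml.
    if [[ "${dep_old_version}" == *"*"* ]]; then
        echo "  ℹ️  ${dep_name}: ${dep_old_version} (wildcard: lock file upgraded, pinning skipped)"
        return 0
    fi
    # 3. Pinned deps: rewrite the dependency line in codeql-pack.yml to the new version
    #    (sed-based rewrite is this example's assumption, not the project's mechanism).
    sed -i.bak "s#^\([[:space:]]*${dep_name}:[[:space:]]*\).*#\1${new_version}#" \
        "${pack_dir}/codeql-pack.yml"
    rm -f "${pack_dir}/codeql-pack.yml.bak"
    echo "  ✅ ${dep_name}: ${dep_old_version} -> ${new_version}"
}

# Constructed stub for the CLI so the example runs offline: writes a lock file and
# succeeds, except for a pack whose directory name contains "broken".
fake_codeql() {
    local pack_dir="$4"   # argv: pack upgrade -- <dir>
    if [[ "${pack_dir}" == *broken* ]]; then
        echo "Error: could not resolve dependency for ${pack_dir}" >&2
        return 2
    fi
    printf 'lockVersion: 1.0.0\n' > "${pack_dir}/codeql-pack.lock.yml"
    echo "Upgraded ${pack_dir}"
}

# Constructed fixture: three packs under a temp dir (pinned, wildcard, broken).
make_fixture() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "${tmp}/pinned" "${tmp}/wild" "${tmp}/broken"
    printf 'dependencies:\n  codeql/javascript-all: 2.25.0\n' > "${tmp}/pinned/codeql-pack.yml"
    printf "dependencies:\n  codeql/javascript-all: '*'\n" > "${tmp}/wild/codeql-pack.yml"
    printf 'dependencies:\n  codeql/javascript-all: 2.25.0\n' > "${tmp}/broken/codeql-pack.yml"
    echo "${tmp}"
}

# Stand-alone demo against the stub; the broken pack shows the surfaced failure.
demo() {
    local fx
    fx=$(make_fixture)
    CODEQL_BIN=fake_codeql pin_upstream_dep "${fx}/pinned" codeql/javascript-all 2.25.0 2.25.1
    CODEQL_BIN=fake_codeql pin_upstream_dep "${fx}/wild"   codeql/javascript-all "'*'" 2.25.1
    CODEQL_BIN=fake_codeql pin_upstream_dep "${fx}/broken" codeql/javascript-all 2.25.0 2.25.1 || true
    rm -rf "${fx}"
}
demo
```

Leaving CODEQL_BIN unset runs the real CLI. The point worth keeping from the PR is step order: a pack with a wildcard dep still reaches step 1, so its codeql-pack.lock.yml is regenerated, and a non-zero exit from the CLI is reported with the captured output rather than swallowed.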

@github-actions github-actions bot requested review from a team, data-douser and enyil as code owners March 28, 2026 06:00
@data-douser data-douser reopened this Mar 29, 2026
github-actions bot (Contributor, Author) commented Mar 29, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 3 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 6fe69b0.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

package-lock.json

Package              Version  License  Issue Type
client               2.25.1   Null     Unknown License
extensions/vscode    2.25.1   Null     Unknown License
server               2.25.1   Null     Unknown License

OpenSSF Scorecard

Package                  Version  Score    Details
npm/client               2.25.1   Unknown  Unknown
npm/extensions/vscode    2.25.1   Unknown  Unknown
npm/server               2.25.1   Unknown  Unknown

Scanned Files

  • package-lock.json

Copilot AI (Contributor) left a comment

Pull request overview

This PR upgrades the repository’s CodeQL CLI baseline to v2.25.1, updating all version-bearing metadata and refreshing CodeQL pack lockfiles so packs remain compatible with the new CLI.

Changes:

  • Bumped repo/package/server/extension/client versions from 2.25.0 → 2.25.1 and updated .codeql-version to v2.25.1
  • Updated CodeQL pack dependencies (notably codeql/<lang>-all) and regenerated codeql-pack.lock.yml files across languages
  • Enhanced server/scripts/upgrade-packs.sh to pin resolved codeql/<lang>-all versions in source packs

Reviewed changes

Copilot reviewed 46 out of 49 changed files in this pull request and generated 2 comments.

Summary per file (file, then description):
server/src/codeql-development-mcp-server.ts Bump server-reported VERSION constant to 2.25.1
server/scripts/upgrade-packs.sh Add logic to resolve/pin codeql/*-all deps when upgrading packs
server/ql/swift/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/swift/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/swift/tools/src/codeql-pack.yml Bump pack version + update codeql/swift-all pin
server/ql/swift/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/ruby/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/ruby/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/ruby/tools/src/codeql-pack.yml Bump pack version + update codeql/ruby-all pin
server/ql/ruby/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/python/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/python/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/python/tools/src/codeql-pack.yml Bump pack version + update codeql/python-all pin
server/ql/python/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/javascript/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/javascript/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/javascript/tools/src/codeql-pack.yml Bump pack version + update codeql/javascript-all pin
server/ql/javascript/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/javascript/examples/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/javascript/examples/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/java/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/java/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/java/tools/src/codeql-pack.yml Bump pack version + update codeql/java-all pin
server/ql/java/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/go/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/go/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/go/tools/src/codeql-pack.yml Bump pack version + update codeql/go-all pin
server/ql/go/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/csharp/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/csharp/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/csharp/tools/src/codeql-pack.yml Bump pack version + update codeql/csharp-all pin
server/ql/csharp/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/cpp/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/cpp/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/cpp/tools/src/codeql-pack.yml Bump pack version + update codeql/cpp-all pin
server/ql/cpp/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/actions/tools/test/codeql-pack.yml Bump pack version to 2.25.1
server/ql/actions/tools/test/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/ql/actions/tools/src/codeql-pack.yml Bump pack version + update codeql/actions-all pin
server/ql/actions/tools/src/codeql-pack.lock.yml Refresh resolved dependency versions for new CLI
server/package.json Bump server package version to 2.25.1
server/dist/codeql-development-mcp-server.js Update built artifact’s embedded VERSION string
package.json Bump workspace root version to 2.25.1
package-lock.json Regenerated lockfile reflecting bumped workspace versions
extensions/vscode/package.json Bump VS Code extension version to 2.25.1
client/package.json Bump client package version to 2.25.1
client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif Update expected SARIF output to reflect CodeQL 2.25.1
.codeql-version Bump CodeQL CLI baseline to v2.25.1
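An upgrade of this shape touches dozens of version-bearing files (the list above), so drift between .codeql-version and the package.json / codeql-pack.yml versions is the thing to check before merging. The following is an added example, not part of the PR or the repository: the directory layout, the awk-based extraction of the version fields, and the small temp fixture with one deliberately stale pack file are assumptions modelled on the file list above.

```bash
#!/usr/bin/env bash
# Added example, not part of the PR: a drift check for an upgrade like this one.
# It reads the CLI baseline from .codeql-version (e.g. "v2.25.1") and verifies
# that every package.json "version" and codeql-pack.yml "version:" under the
# tree states the same number, listing any that do not. The file layout and the
# extraction rules below are assumptions modelled on the review's file list.
set -eo pipefail

# baseline_version ROOT -> prints the .codeql-version content without a leading "v".
baseline_version() {
    local raw
    raw=$(tr -d '[:space:]' < "$1/.codeql-version")
    echo "${raw#v}"
}

# check_versions ROOT -> prints one "path: found" line per mismatching file and
# returns 1 if any mismatch; returns 0 when every version-bearing file agrees.
check_versions() {
    local root="$1" want found file drift=0
    want=$(baseline_version "${root}")
    while IFS= read -r file; do
        found=""
        case "${file}" in
            *package.json)
                # first "version": "..." field; assumes the usual one-key-per-line layout
                found=$(awk -F'"' '/"version"/ { print $4; exit }' "${file}") ;;
            *codeql-pack.yml)
                # top-level "version: X" line; assumes an unquoted value
                found=$(awk '$1 == "version:" { print $2; exit }' "${file}") ;;
        esac
        if [[ "${found}" != "${want}" ]]; then
            echo "${file#${root}/}: ${found:-<none>}"
            drift=1
        fi
    done < <(find "${root}" \( -name package.json -o -name codeql-pack.yml \) \
                  -not -path '*/node_modules/*' | sort)
    return "${drift}"
}

# Constructed fixture: a tree that matches the baseline except one stale pack file.
make_fixture() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "${tmp}/server/ql/java/tools/src" "${tmp}/extensions/vscode"
    printf 'v2.25.1\n' > "${tmp}/.codeql-version"
    printf '{\n  "name": "root",\n  "version": "2.25.1"\n}\n' > "${tmp}/package.json"
    printf '{\n  "name": "ext",\n  "version": "2.25.1"\n}\n' > "${tmp}/extensions/vscode/package.json"
    printf 'name: example/java-tools\nversion: 2.25.0\ndependencies:\n  codeql/java-all: 2.25.1\n' \
        > "${tmp}/server/ql/java/tools/src/codeql-pack.yml"
    echo "${tmp}"
}

# Stand-alone demo: reports the one stale pack and a non-zero status.
demo() {
    local fx
    fx=$(make_fixture)
    echo "baseline: $(baseline_version "${fx}")"
    check_versions "${fx}" || echo "version drift found"
    rm -rf "${fx}"
}
demo
```

Run check_versions against the repository root in CI after an upgrade commit; a non-zero exit with the offending paths is the signal that a file the PR should have bumped was missed.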

data-douser (Collaborator) commented:

@copilot apply changes based on the comments in this thread

…packs.sh

- Move `codeql pack upgrade` before the wildcard check so wildcard packs
  (e.g., javascript/examples/src) still get their lock files refreshed;
  only skip the pinning step for wildcard deps
- Capture `codeql pack upgrade` output and print it to stderr on failure
  instead of silencing all output with >/dev/null 2>&1
- Update inline comment to reflect the new behaviour

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/7483057a-9273-4f33-aa96-a2f662c84d44

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Copilot AI (Contributor) commented Mar 29, 2026

@copilot apply changes based on the comments in this thread

Applied both fixes in commit 81540ab:

  1. Wildcard packs now get lock files upgraded — moved codeql pack upgrade before the wildcard check so packs like javascript/examples/src (which use codeql/javascript-all: '*') still have their codeql-pack.lock.yml regenerated. Only the version-pinning step is skipped for wildcard deps.

  2. Failure output is now visible — replaced >/dev/null 2>&1 with output capture; if codeql pack upgrade fails, the full output is printed to stderr so CI/local failures are easy to diagnose.

@data-douser data-douser merged commit 1faad96 into main Mar 29, 2026
27 checks passed
@data-douser data-douser deleted the codeql/upgrade-to-v2.25.1 branch March 29, 2026 23:24

3 participants