CodeQL 2.21.0 supports TypeScript 5.8 and expands language coverage

CodeQL version 2.21.0 has been released and includes TypeScript 5.8 support, a new Java query to detect exposed Spring Boot actuators, and support for new JavaScript libraries.

TypeScript 5.8 support

CodeQL can now analyze code written in TypeScript version 5.8, helping you find and automatically remediate security issues in the latest TypeScript projects, all without additional configuration.

Improved Java analysis

The community-contributed query java/spring-boot-exposed-actuators by @ggolawski has been promoted out of experimental status and is now included in the default code scanning query pack. This query helps you identify publicly accessible Spring Boot actuators, preventing unintended information disclosure.

Expanded JavaScript framework coverage

We’ve extended our JavaScript analysis to include popular modern frameworks and libraries:

• Apollo Server: Added support for analyzing data coming from GraphQL when using @apollo/server.
• React Relay: Added analysis support for React applications using the react-relay library.
• SAP ecosystem: Added CodeQL support for analysis of SAP packages, including @sap/hana-client, @sap/hdbext, and hdb.
• TanStack: Added support for analyzing applications using the @tanstack/angular-query-experimental package.

For a full list of changes, please refer to the complete changelog for version 2.21.0. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on github.com. The new functionality in CodeQL 2.21.0 will also be included in GitHub Enterprise Server (GHES) version 3.18. If you use an older version of GHES, you can manually upgrade your CodeQL version.