From 362fe7d9ad25e5de0491111001004f544f726621 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Mon, 6 Jul 2026 14:04:33 -0400 Subject: [PATCH] fix(java): remove redundant codeql-java-extensions dependency from java/lib java/lib/qlpack.yml hard-pinned githubsecuritylab/codeql-java-extensions as a dependency. All three published configs (configs/default.yml, configs/synthetics.yml, configs/audit.yml) also list githubsecuritylab/codeql-java-extensions directly in their packs: list (to load its MaD data extension models). This causes the same pack to be resolved twice in a single evaluation - once transitively via codeql-java-queries -> codeql-java-libs -> codeql-java-extensions, and once directly from the config's packs: list - which the CodeQL CLI cannot reconcile: com.semmle.util.exception.CatastrophicError: Encountered two packs with the same name 'Optional[githubsecuritylab/codeql-java-extensions]' used in a single evaluation. This was confirmed against a real failing GitHub Actions run using configs/synthetics.yml verbatim from this repo: https://github.com/dsp-testing/SecurityShepherd/actions/runs/28809261039/job/85432641504 C# is unaffected: csharp/lib/qlpack.yml only depends on codeql/csharp-all - codeql-csharp-extensions is not baked in as a lib dependency, it's purely opt-in via config. Java was the only language where the lib pack hard-pinned the extensions pack (added in commit 8f4ee8a), which collides with our own configs. Nothing in java/lib actually needs codeql-java-extensions at QL-compile time - java/lib/ghsl/Utils.qll only imports standard semmle.code.java.* modules. The extensions pack is a pure MaD data pack (see java/ext/qlpack.yml) with no QL code to import, so the dependency existed only to bundle/pull in the pack - which is redundant since every shipped config already lists it explicitly. This branch is stacked on #126 (jcogs33/update-to-v0.2.2), which bumps java/lib to 0.2.2 as part of a blanket repo-wide version bump. Since 0.2.2 will already be published (with this bug still present) once #126 lands, bump java/lib to 0.2.3 here instead so this fix actually triggers a republish. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --- java/lib/qlpack.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/java/lib/qlpack.yml b/java/lib/qlpack.yml index b398e2b1..f8c8c87f 100644 --- a/java/lib/qlpack.yml +++ b/java/lib/qlpack.yml @@ -1,6 +1,5 @@ library: true name: githubsecuritylab/codeql-java-libs -version: 0.2.2 +version: 0.2.3 dependencies: codeql/java-all: '*' - githubsecuritylab/codeql-java-extensions: '0.2.1'