| name | upgrade-codeql-cli-and-packs |
|---|---|
| description | Upgrade the CodeQL CLI version and synchronize all ql-mcp-* pack dependencies to maintain compatibility. Use this skill when a new CodeQL CLI version is released and the MCP server needs to be updated to use it. |
This skill guides you through upgrading the CodeQL CLI version used by the MCP server and synchronizing all ql-mcp-* query packs to use compatible library versions.
- A new CodeQL CLI version has been released
- You need to update
.codeql-versionto a newer version - Query unit tests are failing with database compatibility errors
- You see errors like "Cannot downgrade to..." or "database is not compatible with a QL library"
- Access to the CodeQL CLI (via
gh codeqlextension or direct installation)
This repository uses a CLI-aligned versioning strategy across all version-bearing files:
.codeql-version: Contains the target CLI version (e.g.,v2.23.9)package.jsonversions: Allpackage.jsonfiles (root, client, server) use the CLI version number without the "v" prefix (e.g.,2.23.9)ql-mcp-*pack versions: Use the CLI version number without the "v" prefix (e.g.,2.23.9)codeql/*-alldependencies: Must havecliVersion <= target CLI version
CodeQL databases contain a dbscheme that defines the database structure. The dbscheme in:
- The CLI's extractor (used when creating databases)
- The
codeql/*-alllibrary pack (used when running queries)
Must match exactly, or queries will fail with compatibility errors.
A fatal error occurred: The CodeQL database is not compatible with a QL library referenced by the query you are trying to run.
The database may be too new for the QL libraries the query is using; try upgrading them.
This occurs when:
- The CLI extractor uses a newer dbscheme than the library pack expects
- Using wildcard (
*) dependencies that resolve to incompatible pack versions
Edit .codeql-version to the new target version:
vX.XX.Y
gh codeql set-version vX.XX.Y
codeql version # Verify installationAll package.json files must have their version field set to match the CLI version (without the "v" prefix):
| File | Field to Update |
|---|---|
package.json |
version |
client/package.json |
version |
server/package.json |
version |
Example: If .codeql-version is v2.23.9, set all package.json versions to "version": "2.23.9".
After updating, regenerate the lock file:
npm installUse the codeql_pack_ls MCP tool to see what pack versions are installed:
{
"dir": "~/.codeql/packages",
"format": "json"
}For each codeql/*-all pack, verify it was built for a compatible CLI version by checking the cliVersion field in its qlpack.yml:
for lang in actions cpp csharp go java javascript python ruby swift; do
version=$(ls ~/.codeql/packages/codeql/${lang}-all/ | head -1)
echo "$lang-all@$version: $(cat ~/.codeql/packages/codeql/${lang}-all/$version/qlpack.yml | grep cliVersion)"
doneImportant: The pack's cliVersion must be ≤ your target CLI version.
If a pack has cliVersion newer than your target CLI, download an older version:
gh codeql pack download "codeql/{language}-all@{older-version}"Then re-verify the cliVersion is compatible.
All codeql-pack.yml files under server/ql/*/tools/:
| Pack Type | Location | Fields to Update |
|---|---|---|
| Source | server/ql/{lang}/tools/src/codeql-pack.yml |
version, codeql/{lang}-all |
| Test | server/ql/{lang}/tools/test/codeql-pack.yml |
version, ql-mcp-{lang}-tools-src |
name: ql-mcp-{language}-tools-src
version: X.XX.Y # CLI version without 'v' prefix
library: false
dependencies:
codeql/{language}-all: { compatible-version } # Explicit version, no wildcardsname: ql-mcp-{language}-tools-test
version: X.XX.Y # CLI version without 'v' prefix
dependencies:
ql-mcp-{language}-tools-src: X.XX.Y # Same as version field
extractor: { language }Use the codeql_pack_install MCP tool for each pack directory, or run the helper script:
./server/scripts/install-packs.shOr use the codeql_pack_install MCP tool for individual packs:
{
"packDir": "server/ql/{language}/tools/src"
}Use the codeql_test_run MCP tool:
{
"tests": ["server/ql/{language}/tools/test"]
}Or run all tests with the helper script:
./server/scripts/run-query-unit-tests.shSome library version upgrades cause non-deterministic output ordering changes. If tests fail with only ordering differences in .expected files (not logic changes), update the expected files to match the new output.
| Language | Source Pack | Library Dependency |
|---|---|---|
| actions | ql-mcp-actions-tools-src | codeql/actions-all |
| cpp | ql-mcp-cpp-tools-src | codeql/cpp-all |
| csharp | ql-mcp-csharp-tools-src | codeql/csharp-all |
| go | ql-mcp-go-tools-src | codeql/go-all |
| java | ql-mcp-java-tools-src | codeql/java-all |
| javascript | ql-mcp-javascript-tools-src | codeql/javascript-all |
| python | ql-mcp-python-tools-src | codeql/python-all |
| ruby | ql-mcp-ruby-tools-src | codeql/ruby-all |
| swift | ql-mcp-swift-tools-src | codeql/swift-all |
Wildcards resolve to the latest version, which may be incompatible:
# Bad - may resolve to incompatible version
dependencies:
codeql/cpp-all: '*'
# Good - explicit compatible version
dependencies:
codeql/cpp-all: 6.1.4- Pack
cliVersionmust be ≤ target CLI version - Packs built for the same minor version (e.g., 2.23.x) are usually compatible
- Different languages may require different pack versions due to independent release cycles
Library upgrades can cause non-deterministic ordering changes in query output. These are cosmetic differences - update .expected files when the logic is unchanged but output order differs.
See verify-pack-compatibility.sh for automated compatibility checking.
- add-mcp-support-for-new-language - Adding support for new CodeQL languages
- validate-ql-mcp-server-tools-queries - Validating tool query functionality