| name | upgrade-codeql-cli-and-packs |
|---|---|
| description | Upgrade the CodeQL CLI version and synchronize all ql-mcp-* pack dependencies to maintain compatibility. Use this skill when a new CodeQL CLI version is released and the MCP server needs to be updated to use it. |
This skill guides you through upgrading the CodeQL CLI version used by the MCP server and synchronizing all ql-mcp-* query packs to use compatible library versions.
- A new CodeQL CLI version has been released
- You need to update
.codeql-versionto a newer version - Query unit tests are failing with database compatibility errors
- You see errors like "Cannot downgrade to..." or "database is not compatible with a QL library"
- Access to the CodeQL CLI (via
gh codeqlextension or direct installation)
This repository uses a CLI-aligned versioning strategy across all version-bearing files:
.codeql-version: Contains the target CLI version (e.g.,vX.Y.Z)package.jsonversions: Allpackage.jsonfiles (root, client, extensions/vscode, server) use the CLI version number without the "v" prefix (e.g.,X.Y.Z)ql-mcp-*pack versions: Use the CLI version number without the "v" prefix (e.g.,X.Y.Z)codeql/*-alldependencies: Must havecliVersion <= target CLI version
CodeQL databases contain a dbscheme that defines the database structure. The dbscheme in:
- The CLI's extractor (used when creating databases)
- The
codeql/*-alllibrary pack (used when running queries)
Must match exactly, or queries will fail with compatibility errors.
A fatal error occurred: The CodeQL database is not compatible with a QL library referenced by the query you are trying to run.
The database may be too new for the QL libraries the query is using; try upgrading them.
This occurs when:
- The CLI extractor uses a newer dbscheme than the library pack expects
- Using wildcard (
*) dependencies that resolve to incompatible pack versions
Edit .codeql-version to the new target version:
vX.XX.Y
gh codeql set-version vX.XX.Y
codeql version # Verify installationUse the update-release-version.sh script to deterministically update .codeql-version, all package.json files, and all codeql-pack.yml files in a single command:
./server/scripts/update-release-version.sh X.XX.YThis updates all version-bearing files. Preview changes first with --dry-run:
./server/scripts/update-release-version.sh --dry-run X.XX.YVerify consistency with --check:
./server/scripts/update-release-version.sh --check X.XX.YAfter updating, regenerate the lock file:
npm installUse the codeql_pack_ls MCP tool to see what pack versions are installed:
{
"dir": "~/.codeql/packages",
"format": "json"
}For each codeql/*-all pack, verify it was built for a compatible CLI version by checking the cliVersion field in its qlpack.yml:
for lang in actions cpp csharp go java javascript python ruby swift; do
version=$(ls ~/.codeql/packages/codeql/${lang}-all/ | head -1)
echo "$lang-all@$version: $(cat ~/.codeql/packages/codeql/${lang}-all/$version/qlpack.yml | grep cliVersion)"
doneImportant: The pack's cliVersion must be ≤ your target CLI version.
If a pack has cliVersion newer than your target CLI, download an older version:
gh codeql pack download "codeql/{language}-all@{older-version}"Then re-verify the cliVersion is compatible.
Note: The
versionfield in allcodeql-pack.ymlfiles is already updated by theupdate-release-version.shscript in Phase 1.3. This phase focuses on updatingcodeql/*-alldependency versions for compatibility.
All codeql-pack.yml files under server/ql/*/tools/:
| Pack Type | Location | Fields to Update |
|---|---|---|
| Source | server/ql/{lang}/tools/src/codeql-pack.yml |
version, codeql/{lang}-all |
| Test | server/ql/{lang}/tools/test/codeql-pack.yml |
version, advanced-security/ql-mcp-{lang}-tools-src |
name: advanced-security/ql-mcp-{language}-tools-src
version: X.XX.Y # CLI version without 'v' prefix
library: false
dependencies:
codeql/{language}-all: { compatible-version } # Explicit version, no wildcardsname: advanced-security/ql-mcp-{language}-tools-test
version: X.XX.Y # CLI version without 'v' prefix
dependencies:
advanced-security/ql-mcp-{language}-tools-src: ${workspace}
extractor: { language }Use the codeql_pack_install MCP tool for each pack directory, or run the helper script:
./server/scripts/install-packs.shOr use the codeql_pack_install MCP tool for individual packs:
{
"packDir": "server/ql/{language}/tools/src"
}Use the codeql_test_run MCP tool:
{
"tests": ["server/ql/{language}/tools/test"]
}Or run all tests with the helper script:
./server/scripts/run-query-unit-tests.shSome library version upgrades cause non-deterministic output ordering changes. If tests fail with only ordering differences in .expected files (not logic changes), update the expected files to match the new output.
| Language | Source Pack | Library Dependency |
|---|---|---|
| actions | advanced-security/ql-mcp-actions-tools-src | codeql/actions-all |
| cpp | advanced-security/ql-mcp-cpp-tools-src | codeql/cpp-all |
| csharp | advanced-security/ql-mcp-csharp-tools-src | codeql/csharp-all |
| go | advanced-security/ql-mcp-go-tools-src | codeql/go-all |
| java | advanced-security/ql-mcp-java-tools-src | codeql/java-all |
| javascript | advanced-security/ql-mcp-javascript-tools-src | codeql/javascript-all |
| python | advanced-security/ql-mcp-python-tools-src | codeql/python-all |
| ruby | advanced-security/ql-mcp-ruby-tools-src | codeql/ruby-all |
| swift | advanced-security/ql-mcp-swift-tools-src | codeql/swift-all |
Wildcards resolve to the latest version, which may be incompatible:
# Bad - may resolve to incompatible version
dependencies:
codeql/cpp-all: '*'
# Good - explicit compatible version
dependencies:
codeql/cpp-all: 1.2.3- Pack
cliVersionmust be ≤ target CLI version - Packs built for the same minor version (e.g., X.Y.x) are usually compatible
- Different languages may require different pack versions due to independent release cycles
Library upgrades can cause non-deterministic ordering changes in query output. These are cosmetic differences - update .expected files when the logic is unchanged but output order differs.
npm's files field does not support intermediate wildcard patterns like ql/*/tools/src/. Each language directory must be listed explicitly:
"files": [
"dist/",
"ql/actions/tools/src/",
"ql/cpp/tools/src/",
"ql/csharp/tools/src/",
...
]When adding a new language, add its ql/{language}/tools/src/ entry to server/package.json files.
server/.npmignore must contain *.qlx to prevent compiled CodeQL query bytecode (which is OS/architecture-specific) from being included in the npm package.
All logger.info/warn/error/debug methods write to stderr via console.error. This is required because in stdio transport mode, stdout is reserved exclusively for the MCP JSON-RPC protocol. Any non-protocol bytes on stdout corrupt the message stream.
The server resolves the CodeQL CLI binary at startup via resolveCodeQLBinary() in cli-executor.ts. The CODEQL_PATH env var takes an absolute path to the codeql binary, bypassing PATH lookup. This is critical for users who have multiple CodeQL CLI versions installed.
- Use
--threads=-1(leave 1 core unused) for parallel compilation GITHUB_TOKENenv var is recognized automatically — no need for--github-auth-stdin- Precompilation is enabled by default (only
--no-precompileopt-out exists) - The
codeql pack installsubcommand does not have a--threadsflag
The actual license file is LICENSE (no .md extension). Workflow steps and documentation must reference LICENSE, not LICENSE.md.
See verify-pack-compatibility.sh for automated compatibility checking.
- add-mcp-support-for-new-language - Adding support for new CodeQL languages
- validate-ql-mcp-server-tools-queries - Validating tool query functionality