advanced-security · data-douser · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026 · Copilot
diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml
@@ -2,9 +2,9 @@ name: Update CodeQL CLI Dependencies
 
 on:
   workflow_dispatch:
-  # Nightly check for new CodeQL CLI releases
+  # Check for new CodeQL CLI releases every 3 days
-  # Check for new CodeQL CLI releases every 3 days
+  # Check for new CodeQL CLI releases every 3 days (day-of-month step)
-  # Check for new CodeQL CLI releases every 3 days
+  # Check for new CodeQL CLI releases every 3 days (day-of-month step)
   schedule:
-    - cron: '30 0 * * *'
+    - cron: '30 0 */3 * *'
 
 permissions:
   contents: read

diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml
@@ -6,5 +6,5 @@ suites: codeql-suites
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.24"
-  advanced-security/javascript-sap-cap-all: "2.25.0"
+  advanced-security/javascript-sap-cap-all: ${workspace}
-  advanced-security/javascript-sap-cap-all: ${workspace}
+  advanced-security/javascript-sap-cap-all: "^2.25.0"
-  advanced-security/javascript-sap-cap-all: ${workspace}
+  advanced-security/javascript-sap-cap-all: "^2.25.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls
diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml
@@ -4,6 +4,6 @@ version: 2.25.0
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.24"
-  advanced-security/javascript-sap-cap-queries: "2.25.0"
-  advanced-security/javascript-sap-cap-models: "2.25.0"
-  advanced-security/javascript-sap-cap-all: "2.25.0"
+  advanced-security/javascript-sap-cap-queries: ${workspace}
+  advanced-security/javascript-sap-cap-models: ${workspace}
+  advanced-security/javascript-sap-cap-all: ${workspace}
diff --git a/javascript/frameworks/ui5-webcomponents/test/qlpack.yml b/javascript/frameworks/ui5-webcomponents/test/qlpack.yml
@@ -3,4 +3,4 @@ version: 2.25.0
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.24"
-  advanced-security/javascript-sap-ui5-all: "2.25.0"
+  advanced-security/javascript-sap-ui5-all: ${workspace}
diff --git a/javascript/frameworks/ui5/src/qlpack.yml b/javascript/frameworks/ui5/src/qlpack.yml
@@ -6,5 +6,5 @@ suites: codeql-suites
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.24"
-  advanced-security/javascript-sap-ui5-all: "2.25.0"
+  advanced-security/javascript-sap-ui5-all: ${workspace}
-  advanced-security/javascript-sap-ui5-all: ${workspace}
+  advanced-security/javascript-sap-ui5-all: "^2.25.0"
-  advanced-security/javascript-sap-ui5-all: ${workspace}
+  advanced-security/javascript-sap-ui5-all: "^2.25.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls
diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml
@@ -7,6 +7,6 @@ dependencies:
   # no overlap occurs with the SAP UI5 queries. We therefore allow any version
   # greater than or equal to 1.2.0, as major breaking changes are not a concern.
   codeql/javascript-queries: ">1.2.0"
-  advanced-security/javascript-sap-ui5-queries: "2.25.0"
-  advanced-security/javascript-sap-ui5-models: "2.25.0"
-  advanced-security/javascript-sap-ui5-all: "2.25.0"
+  advanced-security/javascript-sap-ui5-queries: ${workspace}
+  advanced-security/javascript-sap-ui5-models: ${workspace}
+  advanced-security/javascript-sap-ui5-all: ${workspace}
diff --git a/javascript/frameworks/xsjs/src/qlpack.yml b/javascript/frameworks/xsjs/src/qlpack.yml
@@ -6,5 +6,5 @@ suites: codeql-suites
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.24"
-  advanced-security/javascript-sap-xsjs-all: "2.25.0"
+  advanced-security/javascript-sap-xsjs-all: ${workspace}
-  advanced-security/javascript-sap-xsjs-all: ${workspace}
+  advanced-security/javascript-sap-xsjs-all: "^2.25.0"
-  advanced-security/javascript-sap-xsjs-all: ${workspace}
+  advanced-security/javascript-sap-xsjs-all: "^2.25.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls
diff --git a/javascript/frameworks/xsjs/test/qlpack.yml b/javascript/frameworks/xsjs/test/qlpack.yml
@@ -4,6 +4,6 @@ version: 2.25.0
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.24"
-  advanced-security/javascript-sap-xsjs-queries: "2.25.0"
-  advanced-security/javascript-sap-xsjs-all: "2.25.0"
-  advanced-security/javascript-sap-xsjs-models: "2.25.0"
+  advanced-security/javascript-sap-xsjs-queries: ${workspace}
+  advanced-security/javascript-sap-xsjs-all: ${workspace}
+  advanced-security/javascript-sap-xsjs-models: ${workspace}
diff --git a/javascript/heuristic-models/tests/qlpack.yml b/javascript/heuristic-models/tests/qlpack.yml
@@ -5,4 +5,4 @@ version: 2.25.0
 extractor: javascript
 dependencies:
   "codeql/javascript-all": "^2.6.24"
-  "advanced-security/javascript-heuristic-models": "2.25.0"
+  "advanced-security/javascript-heuristic-models": ${workspace}
diff --git a/scripts/install-packs.sh b/scripts/install-packs.sh
@@ -92,7 +92,8 @@ install_framework() {
   echo "Installing packs for: ${framework_path}"
 
   # Find all qlpack.yml files under this framework and install their packs
-  find "${REPO_ROOT}/${framework_path}" -name "qlpack.yml" -type f | sort | while read -r qlpack_file; do
+  # Exclude .codeql directories which contain cached packs from previous installs
+  find "${REPO_ROOT}/${framework_path}" -name ".codeql" -prune -o -name "qlpack.yml" -type f -print | sort | while read -r qlpack_file; do
-  find "${REPO_ROOT}/${framework_path}" -name ".codeql" -prune -o -name "qlpack.yml" -type f -print | sort | while read -r qlpack_file; do
+  find "${REPO_ROOT}/${framework_path}" \( -type d -name ".codeql" -prune \) -o \( -name "qlpack.yml" -type f -print \) | sort | while read -r qlpack_file; do
-  find "${REPO_ROOT}/${framework_path}" -name ".codeql" -prune -o -name "qlpack.yml" -type f -print | sort | while read -r qlpack_file; do
+  find "${REPO_ROOT}/${framework_path}" \( -type d -name ".codeql" -prune \) -o \( -name "qlpack.yml" -type f -print \) | sort | while read -r qlpack_file; do
     local pack_dir
     pack_dir=$(dirname "${qlpack_file}")
     # Use relative path for cleaner output

diff --git a/scripts/upgrade-packs.sh b/scripts/upgrade-packs.sh
@@ -92,7 +92,8 @@ upgrade_framework() {
   echo "Upgrading packs for: ${framework_path}"
 
   # Find all qlpack.yml files under this framework and upgrade their packs
-  find "${REPO_ROOT}/${framework_path}" -name "qlpack.yml" -type f | sort | while read -r qlpack_file; do
+  # Exclude .codeql directories which contain cached packs from previous installs
+  find "${REPO_ROOT}/${framework_path}" -name ".codeql" -prune -o -name "qlpack.yml" -type f -print | sort | while read -r qlpack_file; do
-  find "${REPO_ROOT}/${framework_path}" -name ".codeql" -prune -o -name "qlpack.yml" -type f -print | sort | while read -r qlpack_file; do
+  find "${REPO_ROOT}/${framework_path}" \( -type d -name ".codeql" -prune \) -o \( -name "qlpack.yml" -type f -print \) | sort | while read -r qlpack_file; do
-  find "${REPO_ROOT}/${framework_path}" -name ".codeql" -prune -o -name "qlpack.yml" -type f -print | sort | while read -r qlpack_file; do
+  find "${REPO_ROOT}/${framework_path}" \( -type d -name ".codeql" -prune \) -o \( -name "qlpack.yml" -type f -print \) | sort | while read -r qlpack_file; do
     local pack_dir
     pack_dir=$(dirname "${qlpack_file}")
     # Use relative path for cleaner output