
Bump github/codeql-action from 4.35.4 to 4.35.5 #364

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github/codeql-action-4.35.5

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 26, 2026

Bumps github/codeql-action from 4.35.4 to 4.35.5.

Release notes

Sourced from github/codeql-action's releases.

v4.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880
Changelog

Sourced from github/codeql-action's changelog.

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880
Commits
  • 9e0d7b8 Merge pull request #3905 from github/update-v4.35.5-d4b485515
  • 6d7d599 Add changelog entry for #3899
  • 51f7e38 Update changelog for v4.35.5
  • d4b4855 Merge pull request #3899 from github/mbg/esbuild/split
  • 127de81 Merge remote-tracking branch 'origin/main' into mbg/esbuild/split
  • 7fde13f Use src + basename in header to avoid issues on Windows
  • dfa61e7 Improve pattern matching and error handling
  • 52aafec Import and call runWrapper normally in analyze tests
  • 0d08c01 Auto-generate shared bundle
  • 14085a6 Auto-generate entry points
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
CI-only dependency patch with no changes to product code, auth, or data paths.

Overview
Bumps github/codeql-action from v4.35.4 to v4.35.5 in .github/workflows/codeql-analysis.yml for both the Initialize CodeQL (init) and Perform CodeQL Analysis (analyze) steps. No application or build script changes—only the pinned action versions used for scheduled and PR/push security scanning.

Reviewed by Cursor Bugbot for commit b2af06d. Bugbot is set up for automated code reviews on this repo.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.4 to 4.35.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.35.4...v4.35.5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) on May 26, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update and malware scan evidence for supply-chain risk.
Verdict: benign

Task 1: Supply-chain malware review

Scanner evidence: Status warn (warn-only), 0 unicode/confusable/IOC findings. The 1,047 heuristic hits are overwhelmingly false positives from the upstream bundle refactor, not compromise indicators.

Category / Assessment:

  • Classic obfuscation: No new preinstall/postinstall scripts. Upstream package.json only changes version, devDep bumps, and removes a build helper step. Large lib/entry-points.js is expected: v4.35.5 refactors esbuild output into a shared bundle (#3899). shell_process_spawn / obfuscation_indicator hits are normal for CodeQL (@actions/exec, bundled crypto/XML libs).
  • Invisible Unicode / GlassWorm: 0 post-allowlist unicode/confusable findings. codepoint_decoder hits (235) are routine charCodeAt/fromCodePoint in bundled HTTP/XML/crypto code — not hidden-payload assembly.
  • Dependency integrity: Legitimate patch bump 4.35.4 → 4.35.5 on official github/codeql-action with matching release tag/commits from github/* PRs. Runtime deps unchanged; lockfile adds only xml-naming (transitive). maintainer_drift is a version-bump marker, not publisher change.
  • Dependabot-specific: This repo’s PR only bumps version pins in .github/workflows/codeql-analysis.yml (init + analyze). No node_modules/ changes locally. Upstream workflow edits are in the upstream repo’s own CI, not injected into chiavdf.

Scanner vs. manual review: The scanner’s warn status overstates risk. network_c2_indicator matches are Azure dev-storage localhost strings and a SARIF schema GitHub URL. credential_exfil_indicator matches are CHANGELOG/docs/test text. typosquatting_indicator (466) is noise from minified bundle punctuation. None contradict a benign conclusion.

Action: Safe to merge from a supply-chain perspective.


Task 2: Compatibility and adoption

1) Where it’s used

Only in .github/workflows/codeql-analysis.yml:

      uses: github/codeql-action/init@v4.35.5
      with:
        languages: ${{ matrix.language }}
        # ...
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4.35.5

Standard usage: init + custom build step + analyze, matrix languages cpp and python, triggered on push/PR to main and weekly schedule.

2) Intersection with changed upstream behavior

Release-note changes do not intersect with anything this repo configures:

  • Bundle refactor (#3899): Internal packaging only; GitHub states no runtime behavior change.
  • Incremental analysis gating (#3791): Affects PR incremental scans when diff-informed analysis is unavailable → falls back to full analysis. This repo does not set related inputs; it uses defaults.
  • Overlay-base CLI caching (#3880): Experimental performance optimization; may change which CodeQL CLI version is selected, not workflow YAML contract.
  • analysis-kinds (#3892): GitHub-internal experimental input — not used here.

No custom action inputs, query packs, or direct API usage that would break on entry-point restructuring.

3) Risks / unknowns

  • PR scan duration: If diff ranges cannot be computed, PR CodeQL runs may do full analysis instead of incremental (slower, but more complete — documented upstream behavior).
  • Bundle refactor: Low risk given upstream’s explicit “no runtime behavior change” claim; still worth confirming CodeQL CI passes on this PR.
  • No app/runtime impact: This is CI-only; no effect on built artifacts or library consumers.

4) Recommendation: merge

Patch bump from the official GitHub-maintained action, minimal local diff, no suspicious upstream changes, and usage is standard. Merge after CodeQL workflow checks on PR #364 are green (merge-with-caveats only if CI hasn’t run yet).

Compatibility Analysis

Reviewing how github/codeql-action is used in the repo and comparing that with the v4.35.5 release changes.

Task 2: Compatibility & adoption analysis

1) Where it’s used

Single production usage site in this repo:

  • File: .github/workflows/codeql-analysis.yml
  • Actions: init@v4.35.5, analyze@v4.35.5
  • Inputs / pattern: Matrix: cpp, python; init only sets languages; manual build between init/analyze; checkout@v6 with fetch-depth: 0

Triggers: push/PR to main, weekly cron. No other repo workflows reference github/codeql-action (only .upstream-dependency/ and CI scan artifacts do).

2) Intersection with v4.35.5 changes

Release change / Touches this repo?

  • #3899 JS bundle refactor (~70% repo size reduction): Indirect only — same init/analyze entry points; upstream states no runtime behavior change
  • #3791 Improved incremental analysis gated on diff-informed analysis: Partial — workflow runs on PRs; fetch-depth: 0 supports diff computation. May change PR scan performance/path, not inputs or APIs
  • #3892 analysis-kinds multi-input behavior: No — input not used
  • #3880 Overlay-base CLI preference (experimental, PR + incremental): Partial — may affect PR scan duration on first runs; no config required

Not used (no intersection): analysis-kinds, private registries, upload-sarif, autobuild, custom queries/config, pinned tools bundle, GHES-specific features.

CodeQL CLI: 4.35.5 does not bump the default bundle (that stays at 2.25.4 from 4.35.4). This is an action-only patch.

3) Risks / unknowns

  • Low: Bundle refactor could theoretically introduce a packaging regression; upstream explicitly targets no behavior change.
  • Low: PR scans may run slightly longer or shorter due to incremental/overlay-base logic; fallback to full analysis is documented if diff ranges fail.
  • None expected: No breaking API/input changes for standard init → build → analyze flows.
  • Validation gap: Confirm the CodeQL workflow passes on this PR (it exercises the new action version directly).

4) Recommendation

Merge

Standard Dependabot patch bump with no config changes needed. Usage is minimal and does not hit internal-only or experimental inputs. After merge, a green CodeQL check on main/PR is sufficient validation; no follow-up workflow edits required unless you want to pin and audit bundle versions separately (not required for this bump).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 69
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 68bde559dea0fdcac2102bfdf6230c5f70eb485e..9e0d7b8d25671d64c341c19c0152d693099fb5ba
  • Resolved refs: from=68bde559dea0fdcac2102bfdf6230c5f70eb485e to=9e0d7b8d25671d64c341c19c0152d693099fb5ba
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 1047

Top findings

  • lib/entry-points.js:1128 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/entry-points.js:1150 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/entry-points.js:1634 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/entry-points.js:3091 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/entry-points.js:3697 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/entry-points.js:3699 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/entry-points.js:3779 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/entry-points.js:3782 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/entry-points.js:4146 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/entry-points.js:4148 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/entry-points.js:4320 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/entry-points.js:4346 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/entry-points.js:4900 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/entry-points.js:4913 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/entry-points.js:4927 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/entry-points.js:4940 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/entry-points.js:5039 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/entry-points.js:5048 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/entry-points.js:5387 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
  • lib/entry-points.js:5399 codepoint_decoder :: const cp = boundary.charCodeAt(i);
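The analysis above describes the workflow's usage pattern (init, manual build, analyze, matrix cpp/python, checkout with fetch-depth: 0) and notes that both codeql-action steps were bumped together. The following is an added example, not code from this repository, from Dependabot or from Cursor: a small stand-alone check that a reviewer of a Dependabot action bump can run over a workflow file to confirm that every reference to the same action was moved to the same version, and to flag mutable tag or branch pins (a full 40-character commit SHA is the immutable form of an action reference). The embedded workflow text is a constructed sample modelled on the usage described on this page; the build step is a placeholder, and the hypothetical function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the usage described in the compatibility
# analysis (init + manual build + analyze, matrix cpp/python, checkout with
# fetch-depth: 0). It is input for this check, not the repository's own file.
SAMPLE_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 3 * * 1'
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [cpp, python]
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.35.5
        with:
          languages: ${{ matrix.language }}
      - name: Build
        run: echo "project-specific build goes here"   # placeholder step
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4.35.5
"""

# `uses:` value up to the first whitespace or trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (line_no, owner/repo, ref) for each `uses:` that references a
    GitHub-hosted action. Local (./path) and docker:// actions are skipped and
    a sub-path such as /init or /analyze is folded into its owner/repo."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://") or "@" not in target:
            continue
        path, ref = target.rsplit("@", 1)
        owner_repo = "/".join(path.split("/")[:2])
        refs.append((n, owner_repo, ref))
    return refs


def classify_ref(ref):
    """sha = immutable full commit SHA; tag = version-like tag (mutable, can be
    moved); anything else is treated as a branch or other moving ref."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+){0,2}$", ref):
        return "tag"
    return "branch-or-other"


def audit_workflow(workflow_text):
    """Findings: mutable pins, and actions referenced at more than one ref
    (e.g. init bumped but analyze left behind in a partial update)."""
    findings = []
    refs_by_repo = defaultdict(set)
    for n, repo, ref in parse_uses(workflow_text):
        kind = classify_ref(ref)
        refs_by_repo[repo].add(ref)
        if kind != "sha":
            findings.append(
                f"line {n}: {repo}@{ref} is a mutable {kind} pin; "
                f"prefer a full commit SHA with the tag kept in a comment"
            )
    for repo, refs in sorted(refs_by_repo.items()):
        if len(refs) > 1:
            findings.append(f"{repo} is referenced at multiple refs: {sorted(refs)}")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

On the sample above the check reports three mutable tag pins and no version mismatch, which matches what the bot review describes for this PR (both steps at v4.35.5). Editing the sample so that only one of the two codeql-action steps is bumped makes the mismatch finding appear, which is the case worth catching when a bump is edited by hand rather than by Dependabot.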
