
Bump github/codeql-action from 4.35.1 to 4.35.2#354

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github/codeql-action-4.35.2

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Bumps github/codeql-action from 4.35.1 to 4.35.2.

Release notes

Sourced from github/codeql-action's releases.

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823
Changelog

Sourced from github/codeql-action's changelog.

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823
Commits
  • 95e58e9 Merge pull request #3824 from github/update-v4.35.2-d2e135a73
  • 6f31bfe Update changelog for v4.35.2
  • d2e135a Merge pull request #3823 from github/update-bundle/codeql-bundle-v2.25.2
  • 60abb65 Add changelog note
  • 5a0a562 Update default bundle to codeql-bundle-v2.25.2
  • 6521697 Merge pull request #3820 from github/dependabot/github_actions/dot-github/wor...
  • 3c45af2 Merge pull request #3821 from github/dependabot/npm_and_yarn/npm-minor-345b93...
  • f1c3393 Rebuild
  • 1024fc4 Rebuild
  • 9dd4cfe Bump the npm-minor group across 1 directory with 6 updates
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: this only updates the github/codeql-action version used in CI; the main impact is potential changes in CodeQL scanning behavior or findings.

Overview
Updates the CodeQL GitHub Actions workflow to use github/codeql-action v4.35.2 for both init and analyze, keeping the CI security scanning tooling up to date.

Reviewed by Cursor Bugbot for commit 696c652. Bugbot is set up for automated code reviews on this repo.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.35.1...v4.35.2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Changed (required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (pull requests that update a dependency file) and github_actions (pull requests that update Github_actions code) labels Apr 28, 2026
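The workflow shape the release notes and review refer to (init and analyze on a cpp/python matrix, with trap-caching: false as the recommended replacement for the deprecated cleanup variable) is easy to audit mechanically. The script below is an added example, not code from the chiavdf repository or from github/codeql-action: it lists every github/codeql-action reference in a workflow, reports whether each is pinned to a tag or to a full commit SHA, and rewrites tag pins to commit pins while keeping the tag as a trailing comment so Dependabot still tracks the version. SAMPLE_WORKFLOW is constructed here; the v4.35.2 to 95e58e9a… mapping in KNOWN_TAGS is taken from the scan's "Resolved refs" line further down this thread and is an assumption to re-verify with git ls-remote before relying on it.

```python
"""Audit how a workflow pins github/codeql-action and rewrite tag pins to commit pins.

Added example; not code from the chiavdf repository or from github/codeql-action.
SAMPLE_WORKFLOW is constructed to match the usage described in the PR review.
KNOWN_TAGS is an assumption taken from the scan's "Resolved refs" line; confirm with:
    git ls-remote https://github.com/github/codeql-action refs/tags/v4.35.2
"""
import re

USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>github/codeql-action(?:/[\w.-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<trail>.*)$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Assumed tag -> commit mapping (from the scan's resolved upstream range).
KNOWN_TAGS = {"v4.35.2": "95e58e9a2cdfd71adc6e0353d5c52f41a045d225"}


def audit_codeql_pins(workflow_text):
    """Return (action, ref, kind) per codeql-action reference. kind is 'sha' only
    for a full 40-hex commit, which a moved or re-pushed tag cannot silently replace."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            findings.append((m.group("action"), ref, "sha" if FULL_SHA.match(ref) else "tag"))
    return findings


def pin_to_sha(workflow_text, tag_to_sha=KNOWN_TAGS):
    """Replace known tag pins with commit pins, keeping the tag as a trailing comment
    so Dependabot still recognises the version it tracks. An existing trailing comment
    on such a line is replaced; lines with unknown tags are left untouched."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("ref") in tag_to_sha:
            tag = m.group("ref")
            line = f"{m.group('indent')}{m.group('action')}@{tag_to_sha[tag]}  # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed workflow: init + analyze, cpp/python matrix, full-history checkout,
# trap-caching disabled as the v4.35.2 release notes recommend.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [cpp, python]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: github/codeql-action/init@v4.35.2
        with:
          languages: ${{ matrix.language }}
          trap-caching: false
      - run: pip wheel .
      - uses: github/codeql-action/analyze@v4.35.2
"""

if __name__ == "__main__":
    for action, ref, kind in audit_codeql_pins(SAMPLE_WORKFLOW):
        print(f"{kind:3}  {action}@{ref}")
    print(pin_to_sha(SAMPLE_WORKFLOW))
```

Running it against a real workflow means reading the file and passing its text to audit_codeql_pins; the rewrite only touches lines whose tag is in the mapping, so unrelated actions such as actions/checkout are left as they are.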
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how CodeQL is referenced in the repo to ground the review.

Verdict: benign

Why this looks safe

  • Identity / typosquatting: The action is github/codeql-action under the github org—the canonical CodeQL Action. The bump is 4.35.1 → 4.35.2 (patch), with a normal release and public tag range; nothing suggests a fake package or a leap to an unknown version.

  • What your repo actually changes: In this tree, usage is only version pins on init and analyze in .github/workflows/codeql-analysis.yml (e.g. uses: github/codeql-action/init@v4.35.2 and analyze@v4.35.2). For a GitHub Actions dependency, editing the workflow to update uses: is expected, not a red flag like an unrelated workflow rewrite.

  • Scanner vs. “malware”: The report is warn with 0 unicode, confusable, and IOC findings after allowlists. The huge heuristic count is dominated by codepoint_decoder hits on ordinary charCodeAt / similar uses in bundled JS (e.g. lib/upload-sarif-action.js)—typical noise, not evidence of invisible-Unicode or decoder-built payloads. Treat those heuristics as false positives for compromise in this context.

  • Classic abuse signals: No evidence in your materials of obfuscated eval/exfil workflows, unexpected hosts in your PR, new npm lifecycle scripts in this repo, or node_modules/lockfile churn in chiavdf from this update (the upstream action ships its own build; you don’t vendor it here).

Actionable note (not security): If anyone relied on the undocumented CODEQL_ACTION_CLEANUP_TRAP_CACHES env var, upstream deprecates it (remove by May 2026); that’s operational, not supply-chain malware.

Bottom line: Merge from a supply-chain perspective is reasonable; the malware scan’s “warn” reflects noisy heuristics on normal JS, not a contradiction that points to compromise.

Compatibility Analysis

Gathering usage sites and workflow details for the CodeQL bump analysis.

1) Where it’s used

This repo: only in .github/workflows/codeql-analysis.yml: github/codeql-action/init@v4.35.2 and github/codeql-action/analyze@v4.35.2, with languages: ${{ matrix.language }} (cpp, python), full-history checkout, then a local build + pip wheel . before analyze.

Not project CI: matches under .upstream-dependency/ are the vendored upstream repo (tests/docs), not how chiavdf invokes the action.


2) Overlap with 4.35.2 changes

Release note item vs. your workflow:

  • CODEQL_ACTION_CLEANUP_TRAP_CACHES / trap-caching: not used; no with: beyond languages.
  • Git ≥2.36 for incremental analysis: only matters for submodule repos now; workflow has no submodule checkout options; no clear dependency.
  • Python on GHES (stdlib extraction): N/A unless you run this same workflow on GHES.
  • OIDC / private registry validation fix: no private-registry / OIDC setup in this workflow.
  • Default bundle → 2.25.2: applies; you get the new bundle implicitly; not an API change, but can shift findings.

So there is no use of deprecated env vars or niche inputs touched by these notes; the main real intersection is the bundled CodeQL version (possible alert diff).


3) Risks / unknowns

  • Code scanning churn: new bundle may add/remove/refine cpp/python alerts (expected, not a build break).
  • First run after merge: confirm the CodeQL job is green; if you gate on “no new alerts,” expect possible noise.
  • GHES: only relevant if you also run this workflow there; then you’d see the Python behavior change described in the notes.

4) Recommendation

Merge — patch bump on official actions, usage is minimal (init + analyze, default options), and nothing in the release notes maps to a breaking or misconfigured integration in this workflow. Treat alert count changes as the main thing to watch, not runtime compatibility.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 65
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: c10b8064de6f491fea524254123dbe5e09572f13..95e58e9a2cdfd71adc6e0353d5c52f41a045d225
  • Resolved refs: from=c10b8064de6f491fea524254123dbe5e09572f13 to=95e58e9a2cdfd71adc6e0353d5c52f41a045d225
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 12475

Top findings

  • src/git-utils.ts:213 codepoint_decoder :: // Both String.fromCharCode() and String.fromCodePoint() works only
  • lib/upload-sarif-action.js:1112 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1134 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1618 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/upload-sarif-action.js:3066 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/upload-sarif-action.js:3672 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3674 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3754 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/upload-sarif-action.js:3757 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/upload-sarif-action.js:4121 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/upload-sarif-action.js:4123 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/upload-sarif-action.js:4295 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/upload-sarif-action.js:4321 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/upload-sarif-action.js:4875 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/upload-sarif-action.js:4888 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:4902 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/upload-sarif-action.js:4915 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:5014 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/upload-sarif-action.js:5023 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/upload-sarif-action.js:5362 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
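The 12475 heuristic hits above are almost all codepoint_decoder matches on ordinary charCodeAt reads in bundled JavaScript, which is why the bot calls the "warn" status noise. The script below is an added example, not code from the chiavdf repository, from github/codeql-action or from Cursor's scanner: it parses the "path:line rule :: snippet" lines of the scan summary, separates comments and plain code-point reads (noise) from code that assembles a string from numbers (review) and from decode-then-execute or decode-then-send shapes (escalate), and counts hits per file. The twenty finding lines are copied from the summary above; the two lib/example.js lines at the end are constructed to exercise the non-noise verdicts, and the escalation rules are this example's own assumptions, not the scanner's.

```python
"""Triage 'codepoint_decoder' heuristic hits from a dependency malware scan.

Added example; not code from chiavdf, github/codeql-action or Cursor's scanner.
The first twenty SCAN_OUTPUT lines are the scan's "Top findings"; the last two
(lib/example.js) are constructed. The rules below are this example's assumptions.
"""
import re
from collections import Counter

FINDING_RE = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+)\s+(?P<rule>\w+)\s+::\s+(?P<snippet>.*)$"
)

# A decoder that matters turns numbers back into a string and then runs it,
# decodes it further or sends it somewhere. Reading code points is not that.
SUSPICIOUS = re.compile(
    r"\b(eval|Function|atob|Buffer\.from|child_process|exec|spawn|fetch|XMLHttpRequest)\b"
)
BUILDS_STRING = re.compile(r"\b(fromCharCode|fromCodePoint)\b")
COMMENT_START = ("//", "/*", "*")


def parse_findings(text):
    """Parse 'path:line rule :: snippet' lines; leading bullets are tolerated."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip().lstrip("•").strip()
        m = FINDING_RE.match(raw)
        if m:
            findings.append({
                "path": m.group("path"),
                "line": int(m.group("line")),
                "rule": m.group("rule"),
                "snippet": m.group("snippet"),
            })
    return findings


def classify(finding):
    """Return 'escalate', 'review' or 'noise' for one finding."""
    snippet = finding["snippet"].strip()
    if snippet.startswith(COMMENT_START):
        return "noise"        # a comment decodes nothing
    if SUSPICIOUS.search(snippet):
        return "escalate"     # decode-then-execute / exfil shape
    if BUILDS_STRING.search(snippet):
        return "review"       # assembles text from numbers; read the surrounding code
    return "noise"            # charCodeAt reads: parsers, validators, comparisons


def triage(text):
    """Return (findings, verdict counts, per-file counts)."""
    findings = parse_findings(text)
    verdicts = Counter(classify(f) for f in findings)
    per_file = Counter(f["path"] for f in findings)
    return findings, verdicts, per_file


SCAN_OUTPUT = """\
  • src/git-utils.ts:213 codepoint_decoder :: // Both String.fromCharCode() and String.fromCodePoint() works only
  • lib/upload-sarif-action.js:1112 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1134 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1618 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/upload-sarif-action.js:3066 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/upload-sarif-action.js:3672 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3674 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3754 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/upload-sarif-action.js:3757 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/upload-sarif-action.js:4121 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/upload-sarif-action.js:4123 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/upload-sarif-action.js:4295 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/upload-sarif-action.js:4321 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/upload-sarif-action.js:4875 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/upload-sarif-action.js:4888 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:4902 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/upload-sarif-action.js:4915 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:5014 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/upload-sarif-action.js:5023 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/upload-sarif-action.js:5362 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
  • lib/example.js:10 codepoint_decoder :: eval(String.fromCharCode(...codes));
  • lib/example.js:11 codepoint_decoder :: out += String.fromCharCode(b ^ k);
"""

if __name__ == "__main__":
    findings, verdicts, per_file = triage(SCAN_OUTPUT)
    print(dict(verdicts), dict(per_file))
    for f in findings:
        if classify(f) != "noise":
            print(classify(f), f["path"], f["line"], f["snippet"])
```

On the real summary every hit is a comparison, an assignment from charCodeAt, or a comment, so all twenty come out as noise and only the two constructed lines surface; a per-file count that is dominated by one bundled file under lib/ is the pattern the bot describes, whereas hits concentrated in src/ or in a newly added file would deserve a manual read regardless of verdict.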
