Sourced from github/codeql-action's releases.

v4.36.2

• Cache CodeQL CLI version information across Actions steps. #3943
• Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
• Update default CodeQL bundle version to 2.25.6. #3948

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.2 - 04 Jun 2026

• Cache CodeQL CLI version information across Actions steps. #3943
• Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
• Update default CodeQL bundle version to 2.25.6. #3948

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

... (truncated)

• 8aad20d Merge pull request #3949 from github/update-v4.36.2-dcb947ce1
• f521b08 Add additional changelog notes
• 8aeff0f Update changelog for v4.36.2
• dcb947c Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
• c251bce Add changelog note
• 62953c1 Update default bundle to codeql-bundle-v2.25.6
• 423b570 Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...
• c35d1b1 Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...
• cb1a588 Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff
• ba47406 Merge pull request #3943 from github/henrymercer/cache-cli-version-info
• Additional commits viewable in compare view

Sourced from pypa/cibuildwheel's releases.

v4.0.0

See @​henryiii's release post for more info on new features!

• 🌟 Adds wheel auditing with abi3audit as a default after the repair step, with new audit-requires and audit-command options (#2805)

• 🌟 Adds pyemscripten platform tag support (PEP 783), updates Pyodide to 314.0.0a2, and adds a pyodide-eol enable flag for building end-of-life Pyodide versions (#2812, #2848)

• 🌟 Sets up delvewheel as the default repair-wheel-command for Windows, so extension module DLLs are now bundled automatically. Skip by setting it to empty if not needed. (#2831)

• ✨ Adds CPython 3.15 support, under the enable option cpython-prerelease. This version of cibuildwheel uses 3.15.0b2. (#2833, #2850)

  While CPython is in beta, the ABI can change, so your wheels might not be compatible with the final release. For this reason, we don't recommend distributing wheels until RC1, at which point 3.15 will be available in cibuildwheel without the flag.

• ✨ Adds CPython 3.15 support for iOS and Android (#2857, #2858)

• ✨ Adds Android improvements for building NumPy and related packages, including auditwheel support, pkg-config and Fortran configuration, and the xbuild-files option (#2695)

• ✨ Adds CIBUILDWHEEL_BUILD_IDENTIFIER environment variable set to the current build identifier (e.g. cp311-manylinux_x86_64) during per-build steps (#2872)

• ✨ Adds {project} and {package} placeholders to config-settings (#2827)

• ⚠️ Drops support for Python 3.8 (#2686)

• ⚠️ Removes the experimental CPython 3.13 free-threading builds and the cpython-freethreading enable option. CPython 3.14+ free-threading support remains available without the enable flag. (#2684)

• ⚠️ Drops support for Cirrus CI, which is shutting down June 1, 2026 (#2817)

• ⚠️ Drops GraalPy 3.11 (gp311) support, as agreed in #2741, and removes GraalPy 24-only workarounds (#2895)

• 🔐 Adds SHA256 verification for direct downloads of Python interpreters, virtualenv, and python-build-standalone assets (#2873)

• 🔐 Adds tarfile extraction filter for safe archive extraction (#2856)

• 🐛 Fixes UV_PYTHON not being set for before-build on Linux when using uv as the build-frontend (#2830)

• 🐛 Fixes detection of musl libc when downloading python-build-standalone, which previously always selected the gnu asset on musl hosts like Alpine (#2889)

• 🐛 Fixes config-settings expansion when {project} or {package} contains spaces or backslashes (#2886)

• 🐛 Prevents deadlock when linux32 fails and forwards platform args to the sanity check (#2880, #2888)

• 🐛 Fixes container resource leaks on start failure and during teardown (#2879, #2887)

• 🐛 Removes potential partial cache-population in case of error (#2892)

• 🐛 Raises a clear error when ANDROID_API_LEVEL is not an integer (#2891)

• 🐛 Replaces assert with proper exception in python-build-standalone (#2859)

• 🐛 Uses ConfigurationError when package_dir is outside cwd instead of a generic Exception (#2898)

• 🛠 Updates dependencies and container pins (#2893, #2882, #2874, #2868, #2862, #2884, #2845, #2837, #2818, #2810, #2838, #2813)

• 🛠 Updates Android to Python 3.13.13 and 3.14.4 (#2821)

• 🛠 Applies Pyodide-specific patches to the Emscripten toolchain installation (#2800)

• 🛠 Uses python -V -V for Windows build diagnostics (#2832)

• 🛠 Simplifies pinned container image lookup (#2897)

• 🛠 Minor fixups across error messages, OCI container, and options (#2860)

• 💼 Adds PEP 723 metadata for bin/ scripts and drops the bin dependency group (#2819)

• 💼 Improves Azure test reliability with retries and caching (#2890)

• 💼 Fixes Windows GitLab CI test running (#2870)

• 💼 Updates CI action pins and dev dependencies (#2902, #2867, #2851, #2843, #2826, #2823, #2820, #2807)

• 💼 Adds agent and copilot setup files (#2861)

• 💼 Uses if TYPE_CHECKING: blocks (#2866, #2864)

• 🧪 Fixes Android tests using the uv frontend (#2809)

• 🧪 Fixes the update-dependencies workflow to use uv to run nox (#2808)

• 🧪 Adds unit tests for OCIContainer._get_platform_args (#2878)

• 📚 Updates documentation for delvewheel as the default Windows repair-wheel-command, including the build diagram, schema defaults, and legal note (#2877, #2853, #2891)

• 📚 Documents platform-specific before-build configuration (#2834)

• 📚 Updates the "How it works" diagram with details of Android, iOS, and Pyodide builds (#2816)

• 📚 Adds Pyodide icon and regenerates working examples data for Android, iOS, and Pyodide (#2815, #2811)

• 📚 Adds intersphinx support for external documentation linking (#2871)

• 📚 Adds instructions for building CUDA wheels and fixes manylinux container references in FAQ (#2896, #2900)

... (truncated)

Sourced from pypa/cibuildwheel's changelog.

---

title: Changelog ref: changelog

Changelog

v4.1.0

12 June 2026

• ✨ Updates Pyodide to the final 314.0.0 release, so Pyodide 3.14 wheels now build by default without the pyodide-prerelease enable flag. (#2906)
• 🐛 Raises clear errors when a build produces no wheel, instead of failing later with a confusing message (#2909)
• 🛠 Speeds up CLI startup through lazy imports on Python 3.15 (#2797)
• 📚 Adds an FAQ section on caching cibuildwheel's downloaded tools with CIBW_CACHE_PATH (#2842)
• 📚 Documentation improvements: clarifies which shell is used for command options, clarifies environment variable precedence, and fixes a dead Pyodide env info link (#2904, #2905, #2911)

v4.0.0

7 June 2026

See @​henryiii's release post for more info on new features!

• 🌟 Adds wheel auditing with abi3audit as a default after the repair step, with new audit-requires and audit-command options (#2805)

• 🌟 Adds pyemscripten platform tag support (PEP 783), updates Pyodide to 314.0.0a2, and adds a pyodide-eol enable flag for building end-of-life Pyodide versions (#2812, #2848)

• 🌟 Sets up delvewheel as the default repair-wheel-command for Windows, so extension module DLLs are now bundled automatically. Skip by setting it to empty if not needed. (#2831)

• ✨ Adds CPython 3.15 support, under the enable option cpython-prerelease. This version of cibuildwheel uses 3.15.0b2. (#2833, #2850)

  While CPython is in beta, the ABI can change, so your wheels might not be compatible with the final release. For this reason, we don't recommend distributing wheels until RC1, at which point 3.15 will be available in cibuildwheel without the flag.

• ✨ Adds CPython 3.15 support for iOS and Android (#2857, #2858)

• ✨ Adds Android improvements for building NumPy and related packages, including auditwheel support, pkg-config and Fortran configuration, and the xbuild-files option (#2695)

• ✨ Adds CIBUILDWHEEL_BUILD_IDENTIFIER environment variable set to the current build identifier (e.g. cp311-manylinux_x86_64) during per-build steps (#2872)

• ✨ Adds {project} and {package} placeholders to config-settings (#2827)

• ⚠️ Drops support for Python 3.8 (#2686)

• ⚠️ Removes the experimental CPython 3.13 free-threading builds and the cpython-freethreading enable option. CPython 3.14+ free-threading support remains available without the enable flag. (#2684)

• ⚠️ Drops support for Cirrus CI, which is shutting down June 1, 2026 (#2817)

• ⚠️ Drops GraalPy 3.11 (gp311) support, as agreed in #2741, and removes GraalPy 24-only workarounds (#2895)

• 🔐 Adds SHA256 verification for direct downloads of Python interpreters, virtualenv, and python-build-standalone assets (#2873)

• 🔐 Adds tarfile extraction filter for safe archive extraction (#2856)

• 🐛 Fixes UV_PYTHON not being set for before-build on Linux when using uv as the build-frontend (#2830)

• 🐛 Fixes detection of musl libc when downloading python-build-standalone, which previously always selected the gnu asset on musl hosts like Alpine (#2889)

• 🐛 Fixes config-settings expansion when {project} or {package} contains spaces or backslashes (#2886)

• 🐛 Prevents deadlock when linux32 fails and forwards platform args to the sanity check (#2880, #2888)

• 🐛 Fixes container resource leaks on start failure and during teardown (#2879, #2887)

• 🐛 Removes potential partial cache-population in case of error (#2892)

• 🐛 Raises a clear error when ANDROID_API_LEVEL is not an integer (#2891)

• 🐛 Replaces assert with proper exception in python-build-standalone (#2859)

• 🐛 Uses ConfigurationError when package_dir is outside cwd instead of a generic Exception (#2898)

• 🛠 Updates dependencies and container pins (#2893, #2882, #2874, #2868, #2862, #2884, #2845, #2837, #2818, #2810, #2838, #2813)

... (truncated)

• f03ac76 Bump version: v4.0.0
• 557c5f6 feat: remove GraalPy 3.11 (gp311) support (#2895)
• 70975c2 chore: use ConfigurationError when package_dir is outside cwd (#2898)
• e2f143c chore(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0 in the actions...
• 866ae74 docs: fix CUDA manylinux container references in FAQ (#2900)
• 84b518a chore: simplify pinned image lookup (#2897)
• 785d812 docs: add instructions for building CUDA wheels (#2896)
• f6bd047 Bump version: v4.0.0rc2
• 6cd2d19 fix: remove potential partial cache-population in case of error (#2892)
• cdb170b [Bot] Update dependencies (#2893)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions