Remove VulnerablePackage.ql#3700
Conversation
This query seems to be made redundant by dependabot.
I agree that we certainly don't want to be running this query by default on GitHub as it just duplicates what we already have.

However, wouldn't it be better to turn the query off rather than to delete it entirely? We could also think about improving the query by for example checking for uses of the vulnerable API in conjunction with the package version?

We have an example of such a query for the special case of prototype pollution in JavaScript (https://github.com/github/codeql/blob/master/javascript/ql/src/Security/CWE-400/PrototypePollution.ql) and it is apparently massively popular with customers.

So it seems like adding an exclusion filter like https://github.com/github/codeql/blob/master/cpp/ql/src/codeql-suites/exclude-slow-queries.yml might be a good place to start? Would you prefer that?

As the less disruptive option I have opened #3736