I'm a bit unsure about the way in which these sentences are formulated. They read more like commit messages than change notes. Perhaps one could rewrite this as e.g.

• The class ParameterNode now extends LocalSourceNode, thus making methods like flowsTo available.
• Local taint tracking can now be performed using the taintFlowsTo method on the LocalSourceNode class.

and so on...

I like that direction..

This warning seems annoying. Is there anything blocking us from just adding a private import TaintTrackingPublic? -- which would make things work out of the box

Indeed that imports all the concepts and actually changes test output (because all classes are also django helper classes).

I have opened the relevant can of worms on slack...

actually changes test output (because all classes are also django helper classes).

What output is changed? (what tests are we talking about)

We talked about this face-to-face. This approach had been taken previously, and the test changes can be seen in changes from b3ff3f7 (where suddenly, classes are also treated as DjangoViewClassHelper when using getAQlClass). This stems from the fact that as part of impoty python we also privately import the dataflow library

, and with this change, we privately bring the taint tracking library into scope, which transitively brings all our framework modeling into scope.

@yoff and I talked a bit about the fact that importing taint-tracking would also import all external library models, so that all concrete subclasses of AdditionalTaintStep would also be in scope, following the advice in https://github.com/github/codeql/blob/main/docs/ql-design-patterns.md#importing-all-subclasses-of-a-class (that arguably, I wrote myself).

In the end, we opted for making getALocalTaintSource just works out of the box without having to remember to import something manually yourself.