Add React missing useRef related constructs

[knewbury01]

adds the following:

• Add React Precallgraphstep useRef - this PreCallGraphStep is similar to the useState hook related one, but for the hook useRef.
• Add React DomValueSource that uses the ref from a dom. This may effect sources found for this query, and therefore the alerts found for that query.

[Copilot]

Pull Request Overview

Adds support for React's useRef hook by introducing a PreCallGraphStep for data flow tracking and a DomValueSource for DOM value detection. This enhancement improves taint tracking through useRef patterns.

• Added UseRefStep to model data flow from initial value through useRef to .current property access
• Added UseRefDomValueSource to identify DOM values accessed via useRef().current

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
javascript/ql/lib/semmle/javascript/frameworks/React.qll	Implements UseRefStep for data flow tracking and UseRefDomValueSource for DOM value detection
javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md	Documents the new features in the change notes

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The documentation incorrectly describes the return value as 'a pair of the initial state, and an object'. useRef returns only a single object with a current property, not a pair. Consider revising to: 'It returns an object with a single property (current) initialized to the initial value.'

Suggested change

	* It returns a pair of the initial state, and an object with a single property (current) potentially containing an input value.
	* It returns an object with a single property (`current`) initialized to the initial value.

[asgerf]

@knewbury01 could you accept this suggestion? It seems correct to me

[asgerf]

Waiting for another DCA run