diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75d1313371..4b0d604e36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,9 +4,15 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 4.35.3 - 01 May 2026
+
+- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
 - Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#3850](https://github.com/github/codeql-action/pull/3850)
+- Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#3853](https://github.com/github/codeql-action/pull/3853)
 - Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#3852](https://github.com/github/codeql-action/pull/3852)
-- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
+- Update default CodeQL bundle version to [2.25.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#3865](https://github.com/github/codeql-action/pull/3865)
 
 ## 4.35.2 - 15 Apr 2026
 
diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index e09612b2c4..7c1046ab3a 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -161813,7 +161813,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 372021fc29..f77401d3a4 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -106982,7 +106982,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -107918,8 +107918,8 @@ var path6 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 6825745a32..8fdbf5fa64 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -103787,7 +103787,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -104405,8 +104405,8 @@ var path5 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/defaults.json b/lib/defaults.json
index cd7499eb29..91936465e4 100644
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.2",
-  "cliVersion": "2.25.2",
-  "priorBundleVersion": "codeql-bundle-v2.25.1",
-  "priorCliVersion": "2.25.1"
+  "bundleVersion": "codeql-bundle-v2.25.3",
+  "cliVersion": "2.25.3",
+  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorCliVersion": "2.25.2"
 }
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index e8dc72e0b5..b129fc9ae2 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -164923,7 +164923,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -165837,8 +165837,8 @@ var path6 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
diff --git a/lib/init-action.js b/lib/init-action.js
index cb2a6bc9ff..6acd2a5670 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -104341,7 +104341,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -105458,8 +105458,8 @@ var path7 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 87def4ccd3..efa88bd40f 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -103795,7 +103795,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index a2699cb273..1d25f46c20 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -103882,7 +103882,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -104246,8 +104246,8 @@ var path5 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 11e1e8a973..9cc3c099a9 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -161760,7 +161760,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index f218c32b93..ad8b42d02e 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -120992,7 +120992,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -121243,8 +121243,8 @@ var path = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/git-utils.ts
 var core6 = __toESM(require_core());
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 0d9ffc35e3..a0e9fc0c5f 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -106688,7 +106688,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -107526,8 +107526,8 @@ var fs5 = __toESM(require("fs"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 9f2fd24ebb..7415e2ba97 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -161760,7 +161760,7 @@ function getTemporaryDirectory() {
   return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 02f6c1fb3f..088eef3937 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -106716,7 +106716,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -107197,8 +107197,8 @@ var path5 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.25.2";
-var cliVersion = "2.25.2";
+var bundleVersion = "codeql-bundle-v2.25.3";
+var cliVersion = "2.25.3";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
diff --git a/package-lock.json b/package-lock.json
index 3c4bf9f050..5ff08deaff 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.35.3",
+  "version": "4.35.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.35.3",
+      "version": "4.35.4",
       "license": "MIT",
       "workspaces": [
         "pr-checks"
diff --git a/package.json b/package.json
index 4db28ae9f3..634bb953dc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.35.3",
+  "version": "4.35.4",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
diff --git a/src/defaults.json b/src/defaults.json
index cd7499eb29..91936465e4 100644
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.25.2",
-  "cliVersion": "2.25.2",
-  "priorBundleVersion": "codeql-bundle-v2.25.1",
-  "priorCliVersion": "2.25.1"
+  "bundleVersion": "codeql-bundle-v2.25.3",
+  "cliVersion": "2.25.3",
+  "priorBundleVersion": "codeql-bundle-v2.25.2",
+  "priorCliVersion": "2.25.2"
 }