lgtm,codescanning
* A new query, `js/html-constructed-from-input`, has been added to the query suite,
  highlighting libraries that may leave clients vulnerable to cross-site-scripting attacks.