lgtm,codescanning
* URIs used in the [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch) library are now recognized as sinks for `js/request-forgery`.
  Affected packages are
    [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch)