lgtm,codescanning
* The query "Deserialization of user-controlled data" (`java/unsafe-deserialization`) has been improved to recognize unsafe Apache Commons Lang(3) methods.
* The SnakeYAML Unsafe Deserialization sink has been improved to recognize `compose` and `composeAll` unsafe methods.