lgtm,codescanning
* The security queries now track taint through JWT decoding, and warns about hard-coded JWT signing keys.
  Affected packages are
    [jsonwebtoken](https://www.npmjs.com/package/jsonwebtoken) and
    [jwt-decode](https://www.npmjs.com/package/jwt-decode)