codeql/javascript/change-notes/2021-03-15-client-side-remote-flow-sources.md

lgtm,codescanning

• The security queries now distinguish more clearly between different parts of window.location. When the taint source of an alert is based on window.location, the source will usually occur closer to where user-controlled data is obtained, such as at location.hash.
• js/request-forgery no longer considers client-side path parameters to be a source due to the restricted character set usable in a path, resulting in fewer false-positive results.