lgtm,codescanning
* The security queries now track flow through various `Promise` polyfills.
  Affected packages are
    [kew](https://npmjs.com/package/kew),
    [promise](https://npmjs.com/package/promise),
    [promise-polyfill](https://npmjs.com/package/promise-polyfill),
    [rsvp](https://npmjs.com/package/rsvp),
    [es6-promise](https://npmjs.com/package/es6-promise),
    [native-promise-only](https://npmjs.com/package/native-promise-only),
    [when](https://npmjs.com/package/when),
    [pinkie-promise](https://npmjs.com/package/pinkie-promise),
    [pinkie](https://npmjs.com/package/pinkie),
    [synchronous-promise](https://npmjs.com/package/synchronous-promise),
    [any-promise](https://npmjs.com/package/any-promise),
    [lie](https://npmjs.com/package/lie),
    [promise.allsettled](https://npmjs.com/package/promise.allsettled)