The query "Deserialization of user-controlled data" (java/unsafe-deserialization) has been improved to recognize unsafe Apache Commons Lang(3) methods.
The SnakeYAML Unsafe Deserialization sink has been improved to recognize compose and composeAll unsafe methods.