add change note

Author: pwntester

java/change-notes/2021-02-15-snakeyaml-fn-fix.md

@@ -0,0 +1,5 @@
+lgtm,codescanning
+* The query "Unsafe Deserialization" (`java/unsafe-deserialization`) has been
+  improved to report those cases where SnakeYaml `Constructor` is used to fix
+  the unmarshaled object graph root's type but injection is still possible in
+  nested nodes of the object graph.