Add change notes

Author: owen-mc

java/ql/lib/change-notes/2025-07-16-models-as-data-unsafe-deserialization-sinks.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* You can now add sinks for the query "Deserialization of user-controlled data" (`java/unsafe-deserialization`) using [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/#extensible-predicates-used-to-create-custom-models-in-java-and-kotlin) by extending `sinkModel` and using the kind "unsafe-deserialization". The existing sinks which do not require extra logic to determine if they are unsafe are now defined in this way.

java/ql/lib/change-notes/2025-07-16-unsafe-deserialization-sinks-deprecation.md

@@ -0,0 +1,8 @@
+---
+category: deprecated
+---
+* The module `semmle.code.java.frameworks.Castor` has been deprecated and will be removed in a future release, including its two classes `CastorUnmarshaller` and `CastorUnmarshalMethod`.
+* The module `semmle.code.java.frameworks.JYaml` has been deprecated and will be removed in a future release, including its two classes `JYamlLoader` and `JYamlLoaderUnsafeLoadMethod`.
+* The classes `UnsafeHessianInputReadObjectMethod` and `BurlapInputReadObjectMethod` in the module `semmle.code.java.frameworks.HessianBurlap` have been deprecated and will be removed in a future release.
+* The class `YamlBeansReaderReadMethod` in the module `semmle.code.java.frameworks.YamlBeans` has been deprecated and will be removed in a future release.
+* The class `MethodApacheSerializationUtilsDeserialize` in the module `semmle.code.java.frameworks.apache.Lang` has been deprecated and will be removed in a future release.