add change note

Author: erik-krogh

javascript/change-notes/2021-02-08-xml-parser-taint.md

@@ -0,0 +1,8 @@
+lgtm,codescanning
+* The security queries now track taint through XML parsers. 
+  Affected packages are
+    [xml2js](https://www.npmjs.com/package/xml2js) and
+    [sax](https://www.npmjs.com/package/sax) and
+    [xml-js](https://www.npmjs.com/package/xml-js) and
+    [htmlparser2](https://www.npmjs.com/package/htmlparser2) and
+    [node-expat](https://www.npmjs.com/package/node-expat)