add which commands are flagged in the change-note

Author: erik-krogh

javascript/ql/src/change-notes/2022-09-05-second-order-command-injection.md

@@ -4,3 +4,4 @@ category: newQuery
 * Added a new query, `js/second-order-command-line-injection`, to detect shell
   commands that may execute arbitrary code when the user has control over 
   the arguments to a command-line program.
+  This currently flags up unsafe invocations of git and hg.