Merge branch 'main' into jcogs33/shared-sink-kind-validation

2025-12-22 11:46:32 +01:00 · 2023-06-14 08:06:34 -04:00
parent 9abe3e3da4 afec9b05e9
commit 35591113c2
893 changed files with 16779 additions and 17965 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -166,6 +166,3 @@ abstract class AtmConfig extends JS::TaintTracking::Configuration {
    )
  }
 }
-
-/** DEPRECATED: Alias for AtmConfig */
-deprecated class ATMConfig = AtmConfig;
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll
@@ -41,9 +41,6 @@ AstNode getAnAstNodeToFeaturize(Function f) {
  not result = f.getIdentifier()
 }

-/** DEPRECATED: Alias for getAnAstNodeToFeaturize */
-deprecated ASTNode getAnASTNodeToFeaturize(Function f) { result = getAnAstNodeToFeaturize(f) }
-
 /**
 * Gets a function that contains the endpoint.
 *
@@ -130,9 +127,6 @@ AstNode getAnAstNodeWithAFeature(Function f) {
  result = getAnAstNodeToFeaturize(f)
 }

-/** DEPRECATED: Alias for getAnAstNodeWithAFeature */
-deprecated ASTNode getAnASTNodeWithAFeature(Function f) { result = getAnAstNodeWithAFeature(f) }
-
 /** Returns the number of source-code characters in a function. */
 int getNumCharsInFunction(Function f) {
  result =
--- a/javascript/ql/lib/Expressions/DOMProperties.qll
+++ b/javascript/ql/lib/Expressions/DOMProperties.qll
@@ -4,9 +4,6 @@

 import semmle.javascript.Externs

-/** DEPRECATED: Alias for isDomRootType */
-deprecated predicate isDOMRootType = isDomRootType/1;
-
 /** Holds if `p` is declared as a property of a DOM class or interface. */
 pragma[nomagic]
 predicate isDomProperty(string p) {
@@ -14,6 +11,3 @@ predicate isDomProperty(string p) {
    isDomRootType(emd.getDeclaringType().getASupertype*())
  )
 }
-
-/** DEPRECATED: Alias for isDomProperty */
-deprecated predicate isDOMProperty = isDomProperty/1;
--- a/javascript/ql/lib/change-notes/2023-04-19-typescript-5-1.md
+++ b/javascript/ql/lib/change-notes/2023-04-19-typescript-5-1.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for TypeScript 5.1.
--- a/javascript/ql/lib/change-notes/2023-06-02-delete-deps.md
+++ b/javascript/ql/lib/change-notes/2023-06-02-delete-deps.md
@@ -0,0 +1,10 @@
+---
+category: minorAnalysis
+---
+* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
+* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
+* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
+* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
+* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
+* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
--- a/javascript/ql/lib/semmle/javascript/AST.qll
+++ b/javascript/ql/lib/semmle/javascript/AST.qll
@@ -184,9 +184,6 @@ class AstNode extends @ast_node, NodeInStmtContainer {
  }
 }

-/** DEPRECATED: Alias for AstNode */
-deprecated class ASTNode = AstNode;
-
 /**
 * Holds if the given file is a `.d.ts` file.
 */
@@ -339,9 +336,6 @@ class EventHandlerCode extends @event_handler, CodeInAttribute { }
 */
 class JavaScriptUrl extends @javascript_url, CodeInAttribute { }

-/** DEPRECATED: Alias for JavaScriptUrl */
-deprecated class JavaScriptURL = JavaScriptUrl;
-
 /**
 * A toplevel syntactic entity containing Closure-style externs definitions.
 *
--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -636,9 +636,6 @@ module API {

    /** Gets an API-node for this entry point. */
    API::Node getANode() { result = root().getASuccessor(Label::entryPoint(this)) }
-
-    /** DEPRECATED. Use `getANode()` instead. */
-    deprecated API::Node getNode() { result = this.getANode() }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/DefUse.qll
+++ b/javascript/ql/lib/semmle/javascript/DefUse.qll
@@ -243,71 +243,3 @@ class VarUse extends ControlFlowNode, @varref instanceof RValue {
   */
  SsaVariable getSsaVariable() { result.getAUse() = this }
 }
-
-/**
- * Holds if the definition of `v` in `def` reaches `use` along some control flow path
- * without crossing another definition of `v`.
- * DEPRECATED: Use the `SSA.qll` library instead.
- */
-deprecated predicate definitionReaches(Variable v, VarDef def, VarUse use) {
-  v = use.getVariable() and
-  exists(BasicBlock bb, int i, int next | next = nextDefAfter(bb, v, i, def) |
-    exists(int j | j in [i + 1 .. next - 1] | bb.useAt(j, v, use))
-    or
-    exists(BasicBlock succ | succ = bb.getASuccessor() |
-      succ.isLiveAtEntry(v, use) and
-      next = bb.length()
-    )
-  )
-}
-
-/**
- * Holds if the definition of local variable `v` in `def` reaches `use` along some control flow path
- * without crossing another definition of `v`.
- * DEPRECATED: Use the `SSA.qll` library instead.
- */
-deprecated predicate localDefinitionReaches(LocalVariable v, VarDef def, VarUse use) {
-  exists(SsaExplicitDefinition ssa |
-    ssa.defines(def, v) and
-    ssa = getAPseudoDefinitionInput*(use.getSsaVariable().getDefinition())
-  )
-}
-
-/**
- * Holds if `nd` is a pseudo-definition and the result is one of its inputs.
- * DEPRECATED: Use the `SSA.qll` library instead.
- */
-deprecated private SsaDefinition getAPseudoDefinitionInput(SsaDefinition nd) {
-  result = nd.(SsaPseudoDefinition).getAnInput()
-}
-
-/**
- * Holds if `d` is a definition of `v` at index `i` in `bb`, and the result is the next index
- * in `bb` after `i` at which the same variable is defined, or `bb.length()` if there is none.
- */
-deprecated private int nextDefAfter(BasicBlock bb, Variable v, int i, VarDef d) {
-  bb.defAt(i, v, d) and
-  result =
-    min(int jj |
-      (bb.defAt(jj, v, _) or jj = bb.length()) and
-      jj > i
-    )
-}
-
-/**
- * Holds if the `later` definition of `v` could overwrite its `earlier` definition.
- *
- * This is the case if there is a path from `earlier` to `later` that does not cross
- * another definition of `v`.
- * DEPRECATED: Use the `SSA.qll` library instead.
- */
-deprecated predicate localDefinitionOverwrites(LocalVariable v, VarDef earlier, VarDef later) {
-  exists(BasicBlock bb, int next | next = nextDefAfter(bb, v, _, earlier) |
-    bb.defAt(next, v, later)
-    or
-    exists(BasicBlock succ | succ = bb.getASuccessor() |
-      succ.localMayBeOverwritten(v, later) and
-      next = bb.length()
-    )
-  )
-}
--- a/javascript/ql/lib/semmle/javascript/E4X.qll
+++ b/javascript/ql/lib/semmle/javascript/E4X.qll
@@ -16,9 +16,6 @@ module E4X {
   */
  class XmlAnyName extends Expr, @e4x_xml_anyname { }

-  /** DEPRECATED: Alias for XmlAnyName */
-  deprecated class XMLAnyName = XmlAnyName;
-
  /**
   * An E4X qualified identifier.
   *
@@ -57,9 +54,6 @@ module E4X {
    }
  }

-  /** DEPRECATED: Alias for XmlQualifiedIdentifier */
-  deprecated class XMLQualifiedIdentifier = XmlQualifiedIdentifier;
-
  /**
   * An E4X attribute selector.
   *
@@ -89,9 +83,6 @@ module E4X {
    }
  }

-  /** DEPRECATED: Alias for XmlAttributeSelector */
-  deprecated class XMLAttributeSelector = XmlAttributeSelector;
-
  /**
   * An E4X filter expression.
   *
@@ -117,9 +108,6 @@ module E4X {
    }
  }

-  /** DEPRECATED: Alias for XmlFilterExpression */
-  deprecated class XMLFilterExpression = XmlFilterExpression;
-
  /**
   * An E4X "dot-dot" expression.
   *
@@ -144,7 +132,4 @@ module E4X {
      result = this.getBase().getFirstControlFlowNode()
    }
  }
-
-  /** DEPRECATED: Alias for XmlDotDotExpression */
-  deprecated class XMLDotDotExpression = XmlDotDotExpression;
 }
--- a/javascript/ql/lib/semmle/javascript/JSON.qll
+++ b/javascript/ql/lib/semmle/javascript/JSON.qll
@@ -61,9 +61,6 @@ class JsonValue extends @json_value, Locatable {
  override string getAPrimaryQlClass() { result = "JsonValue" }
 }

-/** DEPRECATED: Alias for JsonValue */
-deprecated class JSONValue = JsonValue;
-
 /**
 * A JSON-encoded primitive value.
 *
@@ -85,9 +82,6 @@ abstract class JsonPrimitiveValue extends JsonValue {
  string getRawValue() { json_literals(_, result, this) }
 }

-/** DEPRECATED: Alias for JsonPrimitiveValue */
-deprecated class JSONPrimitiveValue = JsonPrimitiveValue;
-
 /**
 * A JSON-encoded null value.
 *
@@ -101,9 +95,6 @@ class JsonNull extends @json_null, JsonPrimitiveValue {
  override string getAPrimaryQlClass() { result = "JsonNull" }
 }

-/** DEPRECATED: Alias for JsonNull */
-deprecated class JSONNull = JsonNull;
-
 /**
 * A JSON-encoded Boolean value.
 *
@@ -118,9 +109,6 @@ class JsonBoolean extends @json_boolean, JsonPrimitiveValue {
  override string getAPrimaryQlClass() { result = "JsonBoolean" }
 }

-/** DEPRECATED: Alias for JsonBoolean */
-deprecated class JSONBoolean = JsonBoolean;
-
 /**
 * A JSON-encoded number.
 *
@@ -135,9 +123,6 @@ class JsonNumber extends @json_number, JsonPrimitiveValue {
  override string getAPrimaryQlClass() { result = "JsonNumber" }
 }

-/** DEPRECATED: Alias for JsonNumber */
-deprecated class JSONNumber = JsonNumber;
-
 /**
 * A JSON-encoded string value.
 *
@@ -151,9 +136,6 @@ class JsonString extends @json_string, JsonPrimitiveValue {
  override string getAPrimaryQlClass() { result = "JsonString" }
 }

-/** DEPRECATED: Alias for JsonString */
-deprecated class JSONString = JsonString;
-
 /**
 * A JSON-encoded array.
 *
@@ -170,9 +152,6 @@ class JsonArray extends @json_array, JsonValue {
  string getElementStringValue(int i) { result = this.getElementValue(i).getStringValue() }
 }

-/** DEPRECATED: Alias for JsonArray */
-deprecated class JSONArray = JsonArray;
-
 /**
 * A JSON-encoded object.
 *
@@ -189,9 +168,6 @@ class JsonObject extends @json_object, JsonValue {
  string getPropStringValue(string name) { result = this.getPropValue(name).getStringValue() }
 }

-/** DEPRECATED: Alias for JsonObject */
-deprecated class JSONObject = JsonObject;
-
 /**
 * An error reported by the JSON parser.
 */
@@ -200,6 +176,3 @@ class JsonParseError extends @json_parse_error, Error {

  override string getMessage() { json_errors(this, result) }
 }
-
-/** DEPRECATED: Alias for JsonParseError */
-deprecated class JSONParseError = JsonParseError;
--- a/javascript/ql/lib/semmle/javascript/JSX.qll
+++ b/javascript/ql/lib/semmle/javascript/JSX.qll
@@ -30,9 +30,6 @@ class JsxNode extends Expr, @jsx_element {
  override string getAPrimaryQlClass() { result = "JsxNode" }
 }

-/** DEPRECATED: Alias for JsxNode */
-deprecated class JSXNode = JsxNode;
-
 /**
 * A JSX element.
 *
@@ -81,9 +78,6 @@ class JsxElement extends JsxNode {
  deprecated predicate isHTMLElement() { this.isHtmlElement() }
 }

-/** DEPRECATED: Alias for JsxElement */
-deprecated class JSXElement = JsxElement;
-
 /**
 * A JSX fragment.
 *
@@ -105,9 +99,6 @@ class JsxFragment extends JsxNode {
  override string getAPrimaryQlClass() { result = "JsxFragment" }
 }

-/** DEPRECATED: Alias for JsxFragment */
-deprecated class JSXFragment = JsxFragment;
-
 /**
 * An attribute of a JSX element, including spread attributes.
 *
@@ -154,9 +145,6 @@ class JsxAttribute extends AstNode, @jsx_attribute {
  override string getAPrimaryQlClass() { result = "JsxAttribute" }
 }

-/** DEPRECATED: Alias for JsxAttribute */
-deprecated class JSXAttribute = JsxAttribute;
-
 /**
 * A spread attribute of a JSX element.
 *
@@ -175,9 +163,6 @@ class JsxSpreadAttribute extends JsxAttribute {
  }
 }

-/** DEPRECATED: Alias for JsxSpreadAttribute */
-deprecated class JSXSpreadAttribute = JsxSpreadAttribute;
-
 /**
 * A namespace-qualified name such as `n:a`.
 *
@@ -201,9 +186,6 @@ class JsxQualifiedName extends Expr, @jsx_qualified_name {
  override string getAPrimaryQlClass() { result = "JsxQualifiedName" }
 }

-/** DEPRECATED: Alias for JsxQualifiedName */
-deprecated class JSXQualifiedName = JsxQualifiedName;
-
 /**
 * A name of an JSX element or attribute (which is
 * always an identifier, a dot expression, or a qualified
@@ -244,9 +226,6 @@ class JsxName extends Expr {
  }
 }

-/** DEPRECATED: Alias for JsxName */
-deprecated class JSXName = JsxName;
-
 /**
 * An interpolating expression that interpolates nothing.
 *
@@ -260,9 +239,6 @@ class JsxEmptyExpr extends Expr, @jsx_empty_expr {
  override string getAPrimaryQlClass() { result = "JsxEmptyExpr" }
 }

-/** DEPRECATED: Alias for JsxEmptyExpr */
-deprecated class JSXEmptyExpr = JsxEmptyExpr;
-
 /**
 * A legacy `@jsx` pragma.
 *
@@ -284,6 +260,3 @@ class JsxPragma extends JSDocTag {
  /** DEPRECATED: Alias for getDomName */
  deprecated string getDOMName() { result = this.getDomName() }
 }
-
-/** DEPRECATED: Alias for JsxPragma */
-deprecated class JSXPragma = JsxPragma;
--- a/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll
+++ b/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll
@@ -77,6 +77,3 @@ class PrettyJsonTaintStep extends TaintTracking::SharedTaintStep {
    )
  }
 }
-
-/** DEPRECATED: Alias for PrettyJsonTaintStep */
-deprecated class PrettyJSONTaintStep = PrettyJsonTaintStep;
--- a/javascript/ql/lib/semmle/javascript/NPM.qll
+++ b/javascript/ql/lib/semmle/javascript/NPM.qll
@@ -262,9 +262,6 @@ class PackageJson extends JsonObject {
  Module getTypingsModule() { result.getFile() = this.getTypingsFile() }
 }

-/** DEPRECATED: Alias for PackageJson */
-deprecated class PackageJSON = PackageJson;
-
 /**
 * A representation of bug tracker information for an NPM package.
 */
@@ -370,9 +367,6 @@ class NpmPackage extends @folder {
  /** Gets the `package.json` object of this package. */
  PackageJson getPackageJson() { result = pkg }

-  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJSON getPackageJSON() { result = this.getPackageJson() }
-
  /** Gets the name of this package. */
  string getPackageName() { result = this.getPackageJson().getPackageName() }

@@ -411,9 +405,6 @@ class NpmPackage extends @folder {
  predicate declaresDependency(string p, string v) { pkg.declaresDependency(p, v) }
 }

-/** DEPRECATED: Alias for NpmPackage */
-deprecated class NPMPackage = NpmPackage;
-
 /**
 * Gets the parent folder of `c`, provided that they belong to the same NPM
 * package; that is, `c` must not be a `node_modules` folder.
--- a/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll
+++ b/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll
@@ -198,7 +198,7 @@ class MainModulePath extends PathExpr, @json_string {
  }

  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJSON getPackageJSON() { result = this.getPackageJson() }
+  deprecated PackageJson getPackageJSON() { result = this.getPackageJson() }

  override string getValue() { result = this.(JsonString).getValue() }

@@ -259,7 +259,7 @@ private class FilesPath extends PathExpr, @json_string {
  PackageJson getPackageJson() { result = pkg }

  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJSON getPackageJSON() { result = this.getPackageJson() }
+  deprecated PackageJson getPackageJSON() { result = this.getPackageJson() }

  override string getValue() { result = this.(JsonString).getValue() }

--- a/javascript/ql/lib/semmle/javascript/PrintAst.qll
+++ b/javascript/ql/lib/semmle/javascript/PrintAst.qll
@@ -391,9 +391,6 @@ private module PrintJavaScript {
    }
  }

-  /** DEPRECATED: Alias for JsxNodeNode */
-  deprecated class JSXNodeNode = JsxNodeNode;
-
  /**
   * An aggregate node representing all the attributes in a `JSXNode`.
   */
@@ -409,17 +406,11 @@ private module PrintJavaScript {
     */
    JsxElement getJsxElement() { result = n }

-    /** DEPRECATED: Alias for getJsxElement */
-    deprecated JSXElement getJSXElement() { result = this.getJsxElement() }
-
    override PrintAstNode getChild(int childIndex) {
      result.(ElementNode).getElement() = n.getAttribute(childIndex)
    }
  }

-  /** DEPRECATED: Alias for JsxAttributesNode */
-  deprecated class JSXAttributesNode = JsxAttributesNode;
-
  /**
   * An aggregate node representing all the body elements in a `JSXNode`.
   */
@@ -435,17 +426,11 @@ private module PrintJavaScript {
     */
    JsxNode getJsxNode() { result = n }

-    /** DEPRECATED: Alias for getJsxNode */
-    deprecated JSXNode getJSXNode() { result = this.getJsxNode() }
-
    override PrintAstNode getChild(int childIndex) {
      result.(ElementNode).getElement() = n.getBodyElement(childIndex)
    }
  }

-  /** DEPRECATED: Alias for JsxBodyElementsNode */
-  deprecated class JSXBodyElementsNode = JsxBodyElementsNode;
-
  /**
   * A node representing any `ASTNode` that has type-parameters.
   *
@@ -582,9 +567,6 @@ private module PrintJson {
    }
  }

-  /** DEPRECATED: Alias for JsonNode */
-  deprecated class JSONNode = JsonNode;
-
  /** Provied predicates for pretty printing JSON. */
  private module PrettyPrinting {
    /**
@@ -655,9 +637,6 @@ module PrintYaml {
    }
  }

-  /** DEPRECATED: Alias for YamlNodeNode */
-  deprecated class YAMLNodeNode = YamlNodeNode;
-
  /**
   * A print node representing a `YAMLMapping`.
   *
@@ -671,9 +650,6 @@ module PrintYaml {
    }
  }

-  /** DEPRECATED: Alias for YamlMappingNode */
-  deprecated class YAMLMappingNode = YamlMappingNode;
-
  /**
   * A print node representing the `i`th mapping in `mapping`.
   */
@@ -703,14 +679,8 @@ module PrintYaml {
      childIndex = 1 and result.(YamlNodeNode).getValue() = mapping.getValueNode(i)
    }
  }
-
-  /** DEPRECATED: Alias for YamlMappingMapNode */
-  deprecated class YAMLMappingMapNode = YamlMappingMapNode;
 }

-/** DEPRECATED: Alias for PrintYaml */
-deprecated module PrintYAML = PrintYaml;
-
 /**
 * Classes for printing HTML AST.
 */
@@ -741,9 +711,6 @@ module PrintHtml {
    }
  }

-  /** DEPRECATED: Alias for HtmlElementNode */
-  deprecated class HTMLElementNode = HtmlElementNode;
-
  /**
   * A print node representing an HTML node in a .html file.
   */
@@ -757,9 +724,6 @@ module PrintHtml {
    }
  }

-  /** DEPRECATED: Alias for HtmlScriptElementNode */
-  deprecated class HTMLScriptElementNode = HtmlScriptElementNode;
-
  /**
   * A print node representing the code inside a `<script>` element.
   */
@@ -785,9 +749,6 @@ module PrintHtml {
    }
  }

-  /** DEPRECATED: Alias for HtmlScript */
-  deprecated class HTMLScript = HtmlScript;
-
  /**
   * A print node representing the code inside an attribute.
   */
@@ -813,9 +774,6 @@ module PrintHtml {
    }
  }

-  /** DEPRECATED: Alias for HtmlCodeInAttr */
-  deprecated class HTMLCodeInAttr = HtmlCodeInAttr;
-
  /**
   * An aggregate node representing all the attributes of an HTMLElement.
   */
@@ -838,9 +796,6 @@ module PrintHtml {
    }
  }

-  /** DEPRECATED: Alias for HtmlAttributesNodes */
-  deprecated class HTMLAttributesNodes = HtmlAttributesNodes;
-
  /**
   * A print node representing an HTML attribute in a .html file.
   */
@@ -862,14 +817,8 @@ module PrintHtml {
      childIndex = 0 and result.(HtmlCodeInAttr).getCode() = attr.getCodeInAttribute()
    }
  }
-
-  /** DEPRECATED: Alias for HtmlAttributeNode */
-  deprecated class HTMLAttributeNode = HtmlAttributeNode;
 }

-/** DEPRECATED: Alias for PrintHtml */
-deprecated module PrintHTML = PrintHtml;
-
 /** Holds if `node` belongs to the output tree, and its property `key` has the given `value`. */
 query predicate nodes(PrintAstNode node, string key, string value) { value = node.getProperty(key) }

--- a/javascript/ql/lib/semmle/javascript/Regexp.qll
+++ b/javascript/ql/lib/semmle/javascript/Regexp.qll
@@ -958,6 +958,27 @@ private predicate isUsedAsNonMatchObject(DataFlow::MethodCallNode call) {
  )
 }

+/**
+ * Holds if `value` is used in a way that suggests it returns a number.
+ */
+pragma[inline]
+private predicate isUsedAsNumber(DataFlow::LocalSourceNode value) {
+  any(Comparison compare)
+      .hasOperands(value.getALocalUse().asExpr(), any(Expr e | e.analyze().getAType() = TTNumber()))
+  or
+  value.flowsToExpr(any(ArithmeticExpr e).getAnOperand())
+  or
+  value.flowsToExpr(any(UnaryExpr e | e.getOperator() = "-").getOperand())
+  or
+  value.flowsToExpr(any(IndexExpr expr).getPropertyNameExpr())
+  or
+  exists(DataFlow::CallNode call |
+    call.getCalleeName() =
+      ["substring", "substr", "slice", "splice", "charAt", "charCodeAt", "codePointAt"] and
+    value.flowsTo(call.getAnArgument())
+  )
+}
+
 /**
 * Holds if `source` may be interpreted as a regular expression.
 */
@@ -985,9 +1006,9 @@ predicate isInterpretedAsRegExp(DataFlow::Node source) {
      methodName = "search" and
      source = mce.getArgument(0) and
      mce.getNumArgument() = 1 and
-      // "search" is a common method name, and so we exclude chained accesses
-      // because `String.prototype.search` returns a number
-      not exists(PropAccess p | p.getBase() = mce.getEnclosingExpr())
+      // "search" is a common method name, and the built-in "search" method is rarely used,
+      // so to reduce FPs we also require that the return value appears to be used as a number.
+      isUsedAsNumber(mce)
    )
    or
    exists(DataFlow::SourceNode schema | schema = JsonSchema::getAPartOfJsonSchema() |
--- a/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
@@ -1817,6 +1817,4 @@ module DataFlow {
  import Configuration
  import TypeTracking
  import internal.FunctionWrapperSteps
-
-  deprecated predicate localTaintStep = TaintTracking::localTaintStep/2;
 }
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -419,16 +419,6 @@ module TaintTracking {

  import Cached::Public

-  /**
-   * Holds if `pred -> succ` is a taint propagating data flow edge through a string operation.
-   * DEPRECATED: Use `stringConcatenationStep` and `stringManipulationStep` instead.
-   */
-  pragma[inline]
-  deprecated predicate stringStep(DataFlow::Node pred, DataFlow::Node succ) {
-    stringConcatenationStep(pred, succ) or
-    stringManipulationStep(pred, succ)
-  }
-
  /**
   * Holds if `pred -> succ` is an edge used by all taint-tracking configurations.
   */
@@ -1241,13 +1231,4 @@ module TaintTracking {

    override predicate appliesTo(Configuration cfg) { any() }
  }
-
-  /**
-   * Holds if taint propagates from `pred` to `succ` in one local (intra-procedural) step.
-   * DEPRECATED: Use `TaintTracking::sharedTaintStep` and `DataFlow::Node::getALocalSource()` instead.
-   */
-  deprecated predicate localTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    DataFlow::localFlowStep(pred, succ) or
-    sharedTaintStep(pred, succ)
-  }
 }
--- a/javascript/ql/lib/semmle/javascript/dependencies/Dependencies.qll
+++ b/javascript/ql/lib/semmle/javascript/dependencies/Dependencies.qll
@@ -39,9 +39,6 @@ abstract class NpmDependency extends Dependency {
  /** Gets the name of the NPM package this module belongs to. */
  abstract string getNpmPackageName();

-  /** DEPRECATED: Alias for getNpmPackageName */
-  deprecated string getNPMPackageName() { result = this.getNpmPackageName() }
-
  /** Gets the version of the NPM package this module belongs to. */
  abstract string getVersion();

@@ -62,9 +59,6 @@ abstract class NpmDependency extends Dependency {
  }
 }

-/** DEPRECATED: Alias for NpmDependency */
-deprecated class NPMDependency = NpmDependency;
-
 /**
 * Gets a variable into which something is imported by `i`.
 */
@@ -105,9 +99,6 @@ class BundledNpmDependency extends NpmDependency {

  override string getNpmPackageName() { result = this.getPackageJson().getPackageName() }

-  /** DEPRECATED: Alias for getNpmPackageName */
-  deprecated override string getNPMPackageName() { result = this.getNpmPackageName() }
-
  override string getVersion() { result = this.getPackageJson().getVersion() }

  override Import getAnImport() {
@@ -117,9 +108,6 @@ class BundledNpmDependency extends NpmDependency {
  }
 }

-/** DEPRECATED: Alias for BundledNpmDependency */
-deprecated class BundledNPMDependency = BundledNpmDependency;
-
 /**
 * An NPM package referenced in a `package.json` file.
 */
@@ -139,9 +127,6 @@ class ExternalNpmDependency extends NpmDependency {
    exists(PackageDependencies pkgdeps | this = pkgdeps.getPropValue(result))
  }

-  /** DEPRECATED: Alias for getNpmPackageName */
-  deprecated override string getNPMPackageName() { result = this.getNpmPackageName() }
-
  private string getVersionNumber() {
    exists(string versionRange | versionRange = this.(JsonString).getValue() |
      // extract a concrete version from the version range; currently,
@@ -166,9 +151,6 @@ class ExternalNpmDependency extends NpmDependency {
  }
 }

-/** DEPRECATED: Alias for ExternalNpmDependency */
-deprecated class ExternalNPMDependency = ExternalNpmDependency;
-
 /**
 * Holds if import `i` may refer to the declared dependency `dep` of package `pkg`,
 * where the result value is the nesting depth of the file containing `i` within `pkg`.
--- a/javascript/ql/lib/semmle/javascript/dependencies/FrameworkLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/dependencies/FrameworkLibraries.qll
@@ -137,14 +137,8 @@ abstract class FrameworkLibraryWithUrlRegex extends FrameworkLibrary {
   * the version number.
   */
  abstract string getAUrlRegex();
-
-  /** DEPRECATED: Alias for getAUrlRegex */
-  deprecated string getAURLRegex() { result = this.getAUrlRegex() }
 }

-/** DEPRECATED: Alias for FrameworkLibraryWithUrlRegex */
-deprecated class FrameworkLibraryWithURLRegex = FrameworkLibraryWithUrlRegex;
-
 /**
 * A framework library that is referenced by URLs containing the name
 * of the framework (or an alias) and a version string.
@@ -175,14 +169,8 @@ abstract class FrameworkLibraryWithGenericUrl extends FrameworkLibraryWithUrlReg
          "\\.js"
    )
  }
-
-  /** DEPRECATED: Alias for getAUrlRegex */
-  deprecated override string getAURLRegex() { result = this.getAUrlRegex() }
 }

-/** DEPRECATED: Alias for FrameworkLibraryWithGenericUrl */
-deprecated class FrameworkLibraryWithGenericURL = FrameworkLibraryWithGenericUrl;
-
 /**
 * Gets a regular expression identifying suffixes that are commonly appended
 * to the name of a library to distinguish minor variants.
@@ -282,9 +270,6 @@ class FrameworkLibraryReferenceWithUrl extends FrameworkLibraryReference {
  override predicate info(FrameworkLibrary fl, string v) { matchUrl(this, fl, v) }
 }

-/** DEPRECATED: Alias for FrameworkLibraryReferenceWithUrl */
-deprecated class FrameworkLibraryReferenceWithURL = FrameworkLibraryReferenceWithUrl;
-
 /**
 * Holds if the value of `src` attribute `attr` matches the URL pattern of library
 * `fl` at `version`.
@@ -953,9 +938,6 @@ private class ApplicationInsights extends FrameworkLibraryWithUrlRegex {
  ApplicationInsights() { this = "ApplicationInsights" }

  override string getAUrlRegex() { result = ".*(?:^|/)ai\\.(" + semverRegex() + ")-build\\d+\\.js" }
-
-  /** DEPRECATED: Alias for getAUrlRegex */
-  deprecated override string getAURLRegex() { result = this.getAUrlRegex() }
 }

 /**
@@ -974,9 +956,6 @@ private class TwitterTextClassic extends FrameworkLibraryWithUrlRegex {
  TwitterTextClassic() { this = "twitter-text" }

  override string getAUrlRegex() { result = ".*(?:^|/)twitter_text" + variantRegex() + "\\.js" }
-
-  /** DEPRECATED: Alias for getAUrlRegex */
-  deprecated override string getAURLRegex() { result = this.getAUrlRegex() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
@@ -631,9 +631,6 @@ module ClientRequest {
    }
  }

-  /** DEPRECATED: Alias for XmlHttpRequest */
-  deprecated class XMLHttpRequest = XmlHttpRequest;
-
  /**
   * A model of a URL request made using the `XhrIo` class from the closure library.
   */
@@ -814,9 +811,6 @@ module ClientRequest {
    override DataFlow::Node getADataNode() { none() }
  }

-  /** DEPRECATED: Alias for JSDomFromUrl */
-  deprecated class JSDOMFromUrl = JSDomFromUrl;
-
  /**
   * Classes and predicates modeling the `apollo-client` library.
   */
--- a/javascript/ql/lib/semmle/javascript/frameworks/Files.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Files.qll
@@ -250,9 +250,6 @@ private module JsonFile {
    }
  }

-  /** DEPRECATED: Alias for JsonFileReader */
-  deprecated class JSONFileReader = JsonFileReader;
-
  /**
   * A writer for JSON files.
   */
@@ -267,9 +264,6 @@ private module JsonFile {

    override DataFlow::Node getADataNode() { result = this.getArgument(1) }
  }
-
-  /** DEPRECATED: Alias for JsonFileWriter */
-  deprecated class JSONFileWriter = JsonFileWriter;
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
@@ -22,9 +22,6 @@ module Markdown {
     * Holds if the taint-step preserves HTML.
     */
    predicate preservesHtml() { any() }
-
-    /** DEPRECATED: Alias for preservesHtml */
-    deprecated predicate preservesHTML() { this.preservesHtml() }
  }

  private class MarkdownStepAsTaintStep extends TaintTracking::SharedTaintStep {
--- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -241,9 +241,6 @@ module NextJS {
    }
  }

-  /** DEPRECATED: Alias for NextApiRouteHandler */
-  deprecated class NextAPIRouteHandler = NextApiRouteHandler;
-
  /**
   * Gets a reference to a [Next.js router](https://nextjs.org/docs/api-reference/next/router).
   */
--- a/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
@@ -17,9 +17,6 @@ module NoSql {
  }
 }

-/** DEPRECATED: Alias for NoSql */
-deprecated module NoSQL = NoSql;
-
 /**
 * Provides classes modeling the `mongodb` and `mongoose` libraries.
 */
--- a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
@@ -4,9 +4,6 @@

 import javascript

-/** DEPRECATED: Alias for `Urijs` */
-deprecated module urijs = Urijs;
-
 /**
 * Provides classes for working with [urijs](http://medialize.github.io/URI.js/) code.
 */
@@ -73,9 +70,6 @@ module Urijs {
  }
 }

-/** DEPRECATED: Alias for `Uridashjs` */
-deprecated module uridashjs = Uridashjs;
-
 /**
 * Provides classes for working with [uri-js](https://github.com/garycourt/uri-js) code.
 */
@@ -101,9 +95,6 @@ module Uridashjs {
  }
 }

-/** DEPRECATED: Alias for `Punycode` */
-deprecated module punycode = Punycode;
-
 /**
 * Provides classes for working with [punycode](https://github.com/bestiejs/punycode.js) code.
 */
@@ -129,9 +120,6 @@ module Punycode {
  }
 }

-/** DEPRECATED: Alias for `UrlParse` */
-deprecated module urlParse = UrlParse;
-
 /**
 * Provides classes for working with [url-parse](https://github.com/unshiftio/url-parse) code.
 */
@@ -169,9 +157,6 @@ module UrlParse {
  }
 }

-/** DEPRECATED: Alias for `Querystringify` */
-deprecated module querystringify = Querystringify;
-
 /**
 * Provides classes for working with [querystringify](https://github.com/unshiftio/querystringify) code.
 */
@@ -202,9 +187,6 @@ module Querystringify {
  }
 }

-/** DEPRECATED: Alias for `Querydashstring` */
-deprecated module querydashstring = Querydashstring;
-
 /**
 * Provides classes for working with [query-string](https://github.com/sindresorhus/query-string) code.
 */
@@ -230,9 +212,6 @@ module Querydashstring {
  }
 }

-/** DEPRECATED: Alias for `Url` */
-deprecated module url = Url;
-
 /**
 * Provides classes for working with [url](https://nodejs.org/api/url.html) code.
 */
@@ -256,9 +235,6 @@ module Url {
  }
 }

-/** DEPRECATED: Alias for `Querystring` */
-deprecated module querystring = Querystring;
-
 /**
 * Provides classes for working with [querystring](https://nodejs.org/api/querystring.html) code.
 */
--- a/javascript/ql/lib/semmle/javascript/frameworks/WebSocket.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/WebSocket.qll
@@ -249,9 +249,6 @@ module ServerWebSocket {
    override Http::RouteHandler getRouteHandler() { result = handler }
  }

-  /** DEPRECATED: Alias for ServerHttpRequest */
-  deprecated class ServerHTTPRequest = ServerHttpRequest;
-
  /**
   * An access user-controlled HTTP request input in a request to a WebSocket server.
   */
--- a/javascript/ql/lib/semmle/javascript/internal/CachedStages.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/CachedStages.qll
@@ -286,9 +286,6 @@ module Stages {
    }
  }

-  /** DEPRECATED: Alias for ApiStage */
-  deprecated module APIStage = ApiStage;
-
  /**
   * The `taint` stage.
   */
--- a/javascript/ql/lib/semmle/javascript/security/TaintedObject.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedObject.qll
@@ -120,6 +120,22 @@ module TaintedObject {
    override predicate sanitizes(boolean outcome, Expr e) { e = x and outcome = polarity }
  }

+  /** A guard that checks whether an input a valid string identifier using `mongoose.Types.ObjectId.isValid` */
+  class ObjectIdGuard extends SanitizerGuard instanceof API::CallNode {
+    ObjectIdGuard() {
+      this =
+        API::moduleImport("mongoose")
+            .getMember("Types")
+            .getMember("ObjectId")
+            .getMember("isValid")
+            .getACall()
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e, FlowLabel lbl) {
+      e = super.getAnArgument().asExpr() and outcome = true and lbl = label()
+    }
+  }
+
  /**
   * A sanitizer guard that validates an input against a JSON schema.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -255,9 +255,6 @@ module CodeInjection {
    NoSqlCodeInjectionSink() { any(NoSql::Query q).getACodeOperator() = this }
  }

-  /** DEPRECATED: Alias for NoSqlCodeInjectionSink */
-  deprecated class NoSQLCodeInjectionSink = NoSqlCodeInjectionSink;
-
  /**
   * The first argument to `Module.prototype._compile`, considered as a code-injection sink.
   */
@@ -427,9 +424,6 @@ module CodeInjection {
   */
  class JsonStringifySanitizer extends Sanitizer, JsonStringifyCall { }

-  /** DEPRECATED: Alias for JsonStringifySanitizer */
-  deprecated class JSONStringifySanitizer = JsonStringifySanitizer;
-
  private class SinkFromModel extends Sink {
    SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }
  }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
@@ -18,9 +18,6 @@ class DomGlobalVariable extends GlobalVariable {
  }
 }

-/** DEPRECATED: Alias for DomGlobalVariable */
-deprecated class DOMGlobalVariable = DomGlobalVariable;
-
 /**
 * DEPRECATED: Use `isDomNode` instead.
 * Holds if `e` could hold a value that comes from the DOM.
@@ -45,27 +42,6 @@ predicate isLocationNode(DataFlow::Node e) {
  e = DataFlow::globalVarRef("location")
 }

-/**
- * DEPRECATED: Use DOM::documentRef() instead.
- * Gets a reference to the 'document' object.
- */
-deprecated DataFlow::SourceNode document() { result = DOM::documentRef() }
-
-/**
- * DEPRECATED: Use DOM::documentRef() instead.
- * Holds if `e` could refer to the `document` object.
- */
-deprecated predicate isDocument(Expr e) { DOM::documentRef().flowsToExpr(e) }
-
-/**
- * DEPRECATED: Use DOM::locationSource() instead.
- * Holds if `e` could refer to the document URL.
- */
-deprecated predicate isDocumentUrl(Expr e) { e.flow() = DOM::locationSource() }
-
-/** DEPRECATED: Alias for isDocumentUrl */
-deprecated predicate isDocumentURL = isDocumentUrl/1;
-
 /**
 * DEPRECATED. In most cases, a sanitizer based on this predicate can be removed, as
 * taint tracking no longer step through the properties of the location object by default.
@@ -179,9 +155,6 @@ deprecated class DomPropWriteNode extends Assignment {
   */
  predicate interpretsValueAsHtml() { node.interpretsValueAsHtml() }

-  /** DEPRECATED: Alias for interpretsValueAsHtml */
-  deprecated predicate interpretsValueAsHTML() { this.interpretsValueAsHtml() }
-
  /**
   * Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
@@ -8,12 +8,6 @@ private import semmle.javascript.security.TaintedUrlSuffix
 import DomBasedXssCustomizations::DomBasedXss
 private import Xss::Shared as Shared

-/** DEPRECATED. Use `Configuration`. */
-deprecated class HtmlInjectionConfiguration = Configuration;
-
-/** DEPRECATED. Use `Configuration`. */
-deprecated class JQueryHtmlOrSelectorInjectionConfiguration = Configuration;
-
 /**
 * A sink that is not a URL write or a JQuery selector,
 * assumed to be a value that is interpreted as HTML.
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedData.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedData.qll
@@ -5,6 +5,3 @@ private import ExternalAPIUsedWithUntrustedDataQuery as ExternalApiUsedWithUntru

 /** DEPRECATED. Import `ExternalApiUsedWithUntrustedDataQuery` instead. */
 deprecated module ExternalApiUsedWithUntrustedData = ExternalApiUsedWithUntrustedDataQuery;
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated module ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -64,9 +64,6 @@ module ExternalApiUsedWithUntrustedData {
    SafeExternalApiPackage() { exists(API::moduleImport(this)) }
  }

-  /** DEPRECATED: Alias for SafeExternalApiPackage */
-  deprecated class SafeExternalAPIPackage = SafeExternalApiPackage;
-
  private class DefaultSafeExternalApiPackage extends SafeExternalApiPackage {
    DefaultSafeExternalApiPackage() {
      // Promise libraries are safe and generate too much noise if included
@@ -83,9 +80,6 @@ module ExternalApiUsedWithUntrustedData {
   */
  abstract class SafeExternalApiFunction extends API::Node { }

-  /** DEPRECATED: Alias for SafeExternalApiFunction */
-  deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
-
  /** Holds if data read from a use of `f` may originate from an imported package. */
  private predicate mayComeFromLibrary(API::Node f) {
    // base case: import
@@ -371,6 +365,3 @@ module ExternalApiUsedWithUntrustedData {
    }
  }
 }
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated module ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
@@ -61,9 +61,6 @@ class Configuration extends TaintTracking::Configuration {
 /** A node representing data being passed to an external API. */
 class ExternalApiDataNode extends DataFlow::Node instanceof Sink { }

-/** DEPRECATED: Alias for ExternalApiDataNode */
-deprecated class ExternalAPIDataNode = ExternalApiDataNode;
-
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
  UntrustedExternalApiDataNode() { any(Configuration c).hasFlow(_, this) }
@@ -72,9 +69,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
  DataFlow::Node getAnUntrustedSource() { any(Configuration c).hasFlow(result, this) }
 }

-/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
-deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
-
 /**
 * Name of an external API sink, boxed in a newtype for consistency with other languages.
 */
@@ -102,6 +96,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
  /** Gets a textual representation of this element. */
  string toString() { this = MkExternalApiNode(result) }
 }
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll
@@ -35,9 +35,6 @@ module ImproperCodeSanitization {
   */
  class JsonStringifyAsSource extends Source instanceof JsonStringifyCall { }

-  /** DEPRECATED: Alias for JsonStringifyAsSource */
-  deprecated class JSONStringifyAsSource = JsonStringifyAsSource;
-
  /**
   * A leaf in a string-concatenation, where the string-concatenation constructs code that looks like a function.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
@@ -51,18 +51,12 @@ module InsecureDownload {
      SensitiveInsecureUrl() { this = "sensitiveInsecure" }
    }

-    /** DEPRECATED: Alias for SensitiveInsecureUrl */
-    deprecated class SensitiveInsecureURL = SensitiveInsecureUrl;
-
    /**
     * A flow-label for a URL that is downloaded over an insecure connection.
     */
    class InsecureUrl extends DataFlow::FlowLabel {
      InsecureUrl() { this = "insecure" }
    }
-
-    /** DEPRECATED: Alias for InsecureUrl */
-    deprecated class InsecureURL = InsecureUrl;
  }

  /**
@@ -127,9 +121,6 @@ module InsecureDownload {
    }
  }

-  /** DEPRECATED: Alias for ClientRequestUrl */
-  deprecated class ClientRequestURL = ClientRequestUrl;
-
  /**
   * Gets a node for the response from `request`, type-tracked using `t`.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -145,9 +145,6 @@ module UnsafeHtmlConstruction {
    override string describe() { result = "HTML construction" }
  }

-  /** DEPRECATED: Alias for HtmlConcatenationSink */
-  deprecated class HTMLConcatenationSink = HtmlConcatenationSink;
-
  /**
   * A string parsed as XML, which is later used in an XSS sink.
   */
@@ -162,9 +159,6 @@ module UnsafeHtmlConstruction {
    override string describe() { result = "XML parsing" }
  }

-  /** DEPRECATED: Alias for XmlParsedSink */
-  deprecated class XMLParsedSink = XmlParsedSink;
-
  /**
   * A string rendered as markdown, where the rendering preserves HTML.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
@@ -97,9 +97,6 @@ module Shared {
    }
  }

-  /** DEPRECATED: Alias for ContainsHtmlGuard */
-  deprecated class ContainsHTMLGuard = ContainsHtmlGuard;
-
  /**
   * Holds if `str` is used in a switch-case that has cases matching HTML escaping.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -137,9 +137,6 @@ module XssThroughDom {
    override string getPropertyName() { result = prop }
  }

-  /** DEPRECATED: Alias for DomTextSource */
-  deprecated class DOMTextSource = DomTextSource;
-
  /** The `files` property of an `<input />` element */
  class FilesSource extends Source {
    FilesSource() { this = DOM::domValueRef().getAPropertyRead("files") }
--- a/javascript/ql/src/Declarations/ArgumentsRedefined.ql
+++ b/javascript/ql/src/Declarations/ArgumentsRedefined.ql
@@ -12,7 +12,6 @@
 */

 import javascript
-import Definitions

 from VarRef d
 where
--- a/javascript/ql/src/Declarations/Definitions.qll
+++ b/javascript/ql/src/Declarations/Definitions.qll
@@ -1,13 +0,0 @@
-import javascript
-
-/**
- * DEPRECATED: Use `SsaDefinition` from `SSA.qll` instead.
- * An identifier appearing in a defining position.
- */
-deprecated class DefiningIdentifier extends Identifier {
-  DefiningIdentifier() {
-    this instanceof VarDecl or
-    exists(Assignment assgn | this = assgn.getLhs()) or
-    exists(UpdateExpr upd | this = upd.getOperand())
-  }
-}
--- a/javascript/ql/src/Security/CWE-089/SqlInjection.inc.qhelp
+++ b/javascript/ql/src/Security/CWE-089/SqlInjection.inc.qhelp
@@ -20,7 +20,13 @@ or prepared statements.
 <p>
 For NoSQL queries, make use of an operator like MongoDB's <code>$eq</code>
 to ensure that untrusted data is interpreted as a literal value and not as
-a query object.
+a query object. Alternatively, check that the untrusted data is a literal
+value and not a query object before using it in a query.
+</p>
+<p>
+For SQL queries, use query parameters or prepared statements to
+embed untrusted data into the query string, or use a library like 
+<code>sqlstring</code> to escape untrusted data.
 </p>
 </recommendation>

@@ -32,31 +38,61 @@ an HTTP request handler in a web application, whose parameter
 </p>

 <p>
-The handler constructs two copies of the same SQL query involving
-user input taken from the request object, once unsafely using
-string concatenation, and once safely using query parameters.
+The handler constructs an SQL query string from user input
+and executes it as a database query using the <code>pg</code> library. 
+The user input may contain quote characters, so this code is vulnerable
+to a SQL injection attack.
 </p>

-<p>
-In the first case, the query string <code>query1</code> is built by
-directly concatenating a user-supplied request parameter with some
-string literals. The parameter may include quote characters, so this
-code is vulnerable to a SQL injection attack.
-</p>
+<sample src="examples/SqlInjection.js" />

 <p>
-In the second case, the parameter is embedded into the query string
-<code>query2</code> using query parameters. In this example, we use
+To fix this vulnerability, we can use query parameters to embed the
+user input into the query string. In this example, we use
 the API offered by the <code>pg</code> Postgres database connector
 library, but other libraries offer similar features. This version is
 immune to injection attacks.
 </p>

-<sample src="examples/SqlInjection.js" />
+<sample src="examples/SqlInjectionFix.js" />
+
+<p>
+Alternatively, we can use a library like <code>sqlstring</code> to
+escape the user input before embedding it into the query string:
+</p>
+<sample src="examples/SqlInjectionFix2.js" />
+</example>
+
+<example>
+<p>
+In the following example, an express handler attempts to delete
+a single document from a MongoDB collection. The document to be
+deleted is identified by its <code>_id</code> field, which is
+constructed from user input. The user input may contain a query
+object, so this code is vulnerable to a NoSQL injection attack.
+</p>
+
+<sample src="examples/NoSqlInjection.js" />
+
+<p>
+To fix this vulnerability, we can use the <code>$eq</code> operator
+to ensure that the user input is interpreted as a literal value
+and not as a query object:
+</p>
+
+<sample src="examples/NoSqlInjectionFix.js" />
+
+<p>
+Alternatively check that the user input is a
+literal value and not a query object before using it:
+</p>
+
+<sample src="examples/NoSqlInjectionFix2.js" />
 </example>

 <references>
 <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
 <li>MongoDB: <a href="https://docs.mongodb.com/manual/reference/operator/query/eq">$eq operator</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf">NoSQL injection</a>.</li>
 </references>
 </qhelp>
--- a/javascript/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
@@ -18,12 +18,13 @@ import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
 import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
 import DataFlow::PathGraph

-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string type
 where
  (
-    cfg instanceof SqlInjection::Configuration or
-    cfg instanceof NosqlInjection::Configuration
+    cfg instanceof SqlInjection::Configuration and type = "string"
+    or
+    cfg instanceof NosqlInjection::Configuration and type = "object"
  ) and
  cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),
  "user-provided value"
--- a/javascript/ql/src/Security/CWE-089/examples/NoSqlInjection.js
+++ b/javascript/ql/src/Security/CWE-089/examples/NoSqlInjection.js
@@ -0,0 +1,18 @@
+const express = require("express");
+const mongoose = require("mongoose");
+const Todo = mongoose.model(
+  "Todo",
+  new mongoose.Schema({ text: { type: String } }, { timestamps: true })
+);
+
+const app = express();
+app.use(express.json());
+app.use(express.urlencoded({ extended: false }));
+
+app.delete("/api/delete", async (req, res) => {
+  let id = req.body.id;
+
+  await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties
+
+  res.json({ status: "ok" });
+});
--- a/javascript/ql/src/Security/CWE-089/examples/NoSqlInjectionFix.js
+++ b/javascript/ql/src/Security/CWE-089/examples/NoSqlInjectionFix.js
@@ -0,0 +1,6 @@
+app.delete("/api/delete", async (req, res) => {
+  let id = req.body.id;
+  await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison
+
+  res.json({ status: "ok" });
+});
--- a/javascript/ql/src/Security/CWE-089/examples/NoSqlInjectionFix2.js
+++ b/javascript/ql/src/Security/CWE-089/examples/NoSqlInjectionFix2.js
@@ -0,0 +1,10 @@
+app.delete("/api/delete", async (req, res) => {
+  let id = req.body.id;
+  if (typeof id !== "string") {
+    res.status(400).json({ status: "error" });
+    return;
+  }
+  await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string
+
+  res.json({ status: "ok" });
+});
--- a/javascript/ql/src/Security/CWE-089/examples/SqlInjection.js
+++ b/javascript/ql/src/Security/CWE-089/examples/SqlInjection.js
@@ -11,11 +11,4 @@ app.get("search", function handler(req, res) {
  pool.query(query1, [], function(err, results) {
    // process results
  });
-
-  // GOOD: use parameters
-  var query2 =
-    "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1" + " ORDER BY PRICE";
-  pool.query(query2, [req.params.category], function(err, results) {
-    // process results
-  });
 });
--- a/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix.js
+++ b/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix.js
@@ -0,0 +1,12 @@
+const app = require("express")(),
+      pg = require("pg"),
+      pool = new pg.Pool(config);
+
+app.get("search", function handler(req, res) {
+  // GOOD: use parameters
+  var query2 =
+    "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE";
+  pool.query(query2, [req.params.category], function(err, results) {
+    // process results
+  });
+});
--- a/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
+++ b/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js
@@ -0,0 +1,15 @@
+const app = require("express")(),
+      pg = require("pg"),
+      SqlString = require('sqlstring'),
+      pool = new pg.Pool(config);
+
+app.get("search", function handler(req, res) {
+  // GOOD: the category is escaped using mysql.escape
+  var query1 =
+    "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" +
+    SqlString.escape(req.params.category) +
+    "' ORDER BY PRICE";
+  pool.query(query1, [], function(err, results) {
+    // process results
+  });
+});
--- a/javascript/ql/src/change-notes/2023-06-01-restrict-regex-search-function.md
+++ b/javascript/ql/src/change-notes/2023-06-01-restrict-regex-search-function.md
@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
+  This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
+  to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.
--- a/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql
@@ -20,13 +20,13 @@ import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
 import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources

-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string type
 where
  (
-    cfg instanceof SqlInjection::Configuration or
-    cfg instanceof NosqlInjection::Configuration
+    cfg instanceof SqlInjection::Configuration and type = "string"
+    or
+    cfg instanceof NosqlInjection::Configuration and type = "object"
  ) and
-  cfg.hasFlowPath(source, sink) and
-  source.getNode() instanceof HeuristicSource
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),
  "user-provided value"
--- a/javascript/ql/test/library-tests/DataExtensions/Test.expected
+++ b/javascript/ql/test/library-tests/DataExtensions/Test.expected
@@ -1,7 +0,0 @@
-commandInjectionSinks
-| execa.example.js:2:7:2:9 | cmd |
-sqlInjectionSinks
-| connection.example.ts:4:20:4:20 | q |
-| connection.example.ts:9:18:9:18 | q |
-remoteFlowSources
-| message.example.js:1:46:1:50 | event |
--- a/javascript/ql/test/library-tests/DataExtensions/Test.ql
+++ b/javascript/ql/test/library-tests/DataExtensions/Test.ql
@@ -1,11 +0,0 @@
-import javascript
-private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
-private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
-
-query predicate commandInjectionSinks(DataFlow::Node node) {
-  node instanceof CommandInjection::Sink
-}
-
-query predicate sqlInjectionSinks(DataFlow::Node node) { node instanceof SqlInjection::Sink }
-
-query predicate remoteFlowSources(RemoteFlowSource node) { any() }
--- a/javascript/ql/test/library-tests/DataExtensions/connection.expected
+++ b/javascript/ql/test/library-tests/DataExtensions/connection.expected
@@ -0,0 +1,2 @@
+| connection.example.ts:4:20:4:20 | q |
+| connection.example.ts:9:18:9:18 | q |
--- a/javascript/ql/test/library-tests/DataExtensions/connection.model.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/connection.model.yml
--- a/javascript/ql/test/library-tests/DataExtensions/connection.ql
+++ b/javascript/ql/test/library-tests/DataExtensions/connection.ql
@@ -0,0 +1,4 @@
+import javascript
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+
+query predicate sqlInjectionSinks(DataFlow::Node node) { node instanceof SqlInjection::Sink }
--- a/javascript/ql/test/library-tests/DataExtensions/execa.expected
+++ b/javascript/ql/test/library-tests/DataExtensions/execa.expected
@@ -0,0 +1 @@
+| execa.example.js:2:7:2:9 | cmd |
--- a/javascript/ql/test/library-tests/DataExtensions/execa.ext.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/execa.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@example/execa", "Member[shell].Argument[0]", "command-injection"]
--- a/javascript/ql/test/library-tests/DataExtensions/execa.model.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/execa.model.yml
@@ -1,10 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: sinkModel
-    data:
-      - [
-          "@example/execa",
-          "Member[shell].Argument[0]",
-          "command-injection",
-        ]
--- a/javascript/ql/test/library-tests/DataExtensions/execa.ql
+++ b/javascript/ql/test/library-tests/DataExtensions/execa.ql
@@ -0,0 +1,6 @@
+import javascript
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+
+query predicate commandInjectionSinks(DataFlow::Node node) {
+  node instanceof CommandInjection::Sink
+}
--- a/javascript/ql/test/library-tests/DataExtensions/message.expected
+++ b/javascript/ql/test/library-tests/DataExtensions/message.expected
@@ -0,0 +1,2 @@
+| message.example.js:1:46:1:50 | event |
+| message.example.js:2:16:2:25 | event.data |
--- a/javascript/ql/test/library-tests/DataExtensions/message.model.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/message.model.yml
@@ -6,5 +6,5 @@ extensions:
      - [
          "global",
          "Member[addEventListener].WithStringArgument[0=message].Argument[1].Parameter[0].Member[data]",
-          "remote-flow",
+          "remote",
        ]
--- a/javascript/ql/test/library-tests/DataExtensions/message.ql
+++ b/javascript/ql/test/library-tests/DataExtensions/message.ql
@@ -0,0 +1,3 @@
+import javascript
+
+query predicate remoteFlowSources(RemoteFlowSource node) { any() }
--- a/javascript/ql/test/library-tests/JSX/printAst.expected
+++ b/javascript/ql/test/library-tests/JSX/printAst.expected
@@ -3,10 +3,14 @@ nodes
 | file://:0:0:0:0 | (Attributes) | semmle.label | (Attributes) |
 | file://:0:0:0:0 | (Attributes) | semmle.label | (Attributes) |
 | file://:0:0:0:0 | (Attributes) | semmle.label | (Attributes) |
+| file://:0:0:0:0 | (Attributes) | semmle.label | (Attributes) |
+| file://:0:0:0:0 | (Attributes) | semmle.label | (Attributes) |
 | file://:0:0:0:0 | (Body) | semmle.label | (Body) |
 | file://:0:0:0:0 | (Body) | semmle.label | (Body) |
 | file://:0:0:0:0 | (Body) | semmle.label | (Body) |
 | file://:0:0:0:0 | (Body) | semmle.label | (Body) |
+| file://:0:0:0:0 | (Body) | semmle.label | (Body) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | tst.js:1:1:1:32 | [DeclStmt] var href = ... | semmle.label | [DeclStmt] var href = ... |
 | tst.js:1:1:1:32 | [DeclStmt] var href = ... | semmle.order | 1 |
 | tst.js:1:5:1:8 | [VarDecl] href | semmle.label | [VarDecl] href |
@@ -119,6 +123,42 @@ nodes
 | tstest.tsx:7:33:7:38 | [JsxElement] <Foo/> | semmle.label | [JsxElement] <Foo/> |
 | tstest.tsx:7:34:7:36 | [VarRef] Foo | semmle.label | [VarRef] Foo |
 | tstest.tsx:7:40:7:49 | [Literal] more text  | semmle.label | [Literal] more text  |
+| tstest.tsx:10:1:10:30 | [DeclStmt] const x = ... | semmle.label | [DeclStmt] const x = ... |
+| tstest.tsx:10:1:10:30 | [DeclStmt] const x = ... | semmle.order | 15 |
+| tstest.tsx:10:7:10:7 | [VarDecl] x | semmle.label | [VarDecl] x |
+| tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | semmle.label | [VariableDeclarator] x = <Ba ... llo" /> |
+| tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | semmle.label | [JsxElement] <Bar a:b="hello" /> |
+| tstest.tsx:10:12:10:14 | [VarRef] Bar | semmle.label | [VarRef] Bar |
+| tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | semmle.label | [JsxAttribute] a:b="hello" |
+| tstest.tsx:10:18:10:18 | [Label] b | semmle.label | [Label] b |
+| tstest.tsx:10:20:10:26 | [Literal] "hello" | semmle.label | [Literal] "hello" |
+| tstest.tsx:11:1:11:32 | [DeclStmt] const y = ... | semmle.label | [DeclStmt] const y = ... |
+| tstest.tsx:11:1:11:32 | [DeclStmt] const y = ... | semmle.order | 16 |
+| tstest.tsx:11:7:11:7 | [VarDecl] y | semmle.label | [VarDecl] y |
+| tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | semmle.label | [VariableDeclarator] y = <Ba ... llo" /> |
+| tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | semmle.label | [JsxElement] <Bar a ... llo" /> |
+| tstest.tsx:11:12:11:14 | [VarRef] Bar | semmle.label | [VarRef] Bar |
+| tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | semmle.label | [JsxAttribute] a : b="hello" |
+| tstest.tsx:11:20:11:20 | [Label] b | semmle.label | [Label] b |
+| tstest.tsx:11:22:11:28 | [Literal] "hello" | semmle.label | [Literal] "hello" |
+| tstest.tsx:13:1:15:1 | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } |
+| tstest.tsx:13:1:15:1 | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } | semmle.order | 17 |
+| tstest.tsx:13:11:13:18 | [Identifier] BarProps | semmle.label | [Identifier] BarProps |
+| tstest.tsx:14:5:14:9 | [Literal] "a:b" | semmle.label | [Literal] "a:b" |
+| tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | semmle.label | [FieldDeclaration] "a:b": string; |
+| tstest.tsx:14:12:14:17 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | semmle.label | [FunctionDeclStmt] functio ... div>; } |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | semmle.order | 18 |
+| tstest.tsx:17:10:17:12 | [VarDecl] Bar | semmle.label | [VarDecl] Bar |
+| tstest.tsx:17:14:17:18 | [SimpleParameter] props | semmle.label | [SimpleParameter] props |
+| tstest.tsx:17:21:17:28 | [LocalTypeAccess] BarProps | semmle.label | [LocalTypeAccess] BarProps |
+| tstest.tsx:17:31:19:1 | [BlockStmt] { r ... div>; } | semmle.label | [BlockStmt] { r ... div>; } |
+| tstest.tsx:18:5:18:37 | [ReturnStmt] return ... </div>; | semmle.label | [ReturnStmt] return ... </div>; |
+| tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | semmle.label | [JsxElement] <div>{p ... }</div> |
+| tstest.tsx:18:13:18:15 | [Label] div | semmle.label | [Label] div |
+| tstest.tsx:18:18:18:22 | [VarRef] props | semmle.label | [VarRef] props |
+| tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | semmle.label | [IndexExpr] props["a:b"] |
+| tstest.tsx:18:24:18:28 | [Literal] "a:b" | semmle.label | [Literal] "a:b" |
 edges
 | file://:0:0:0:0 | (Attributes) | tst.js:3:4:3:14 | [JsxAttribute] href={href} | semmle.label | 0 |
 | file://:0:0:0:0 | (Attributes) | tst.js:3:4:3:14 | [JsxAttribute] href={href} | semmle.order | 0 |
@@ -136,6 +176,10 @@ edges
 | file://:0:0:0:0 | (Attributes) | tstest.tsx:3:32:3:45 | [JsxAttribute] {...linkTypes} | semmle.order | 2 |
 | file://:0:0:0:0 | (Attributes) | tstest.tsx:4:25:4:33 | [JsxAttribute] foo="bar" | semmle.label | 0 |
 | file://:0:0:0:0 | (Attributes) | tstest.tsx:4:25:4:33 | [JsxAttribute] foo="bar" | semmle.order | 0 |
+| file://:0:0:0:0 | (Attributes) | tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | semmle.label | 0 |
+| file://:0:0:0:0 | (Attributes) | tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | semmle.order | 0 |
+| file://:0:0:0:0 | (Attributes) | tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | semmle.label | 0 |
+| file://:0:0:0:0 | (Attributes) | tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | semmle.order | 0 |
 | file://:0:0:0:0 | (Body) | tst.js:3:47:3:54 | [Literal] Link to  | semmle.label | 0 |
 | file://:0:0:0:0 | (Body) | tst.js:3:47:3:54 | [Literal] Link to  | semmle.order | 0 |
 | file://:0:0:0:0 | (Body) | tst.js:3:56:3:59 | [VarRef] href | semmle.label | 1 |
@@ -164,6 +208,10 @@ edges
 | file://:0:0:0:0 | (Body) | tstest.tsx:7:33:7:38 | [JsxElement] <Foo/> | semmle.order | 1 |
 | file://:0:0:0:0 | (Body) | tstest.tsx:7:40:7:49 | [Literal] more text  | semmle.label | 2 |
 | file://:0:0:0:0 | (Body) | tstest.tsx:7:40:7:49 | [Literal] more text  | semmle.order | 2 |
+| file://:0:0:0:0 | (Body) | tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | semmle.label | 0 |
+| file://:0:0:0:0 | (Body) | tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | semmle.order | 0 |
+| file://:0:0:0:0 | (Parameters) | tstest.tsx:17:14:17:18 | [SimpleParameter] props | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tstest.tsx:17:14:17:18 | [SimpleParameter] props | semmle.order | 0 |
 | tst.js:1:1:1:32 | [DeclStmt] var href = ... | tst.js:1:5:1:31 | [VariableDeclarator] href = ... le.com" | semmle.label | 1 |
 | tst.js:1:1:1:32 | [DeclStmt] var href = ... | tst.js:1:5:1:31 | [VariableDeclarator] href = ... le.com" | semmle.order | 1 |
 | tst.js:1:5:1:31 | [VariableDeclarator] href = ... le.com" | tst.js:1:5:1:8 | [VarDecl] href | semmle.label | 1 |
@@ -304,5 +352,61 @@ edges
 | tstest.tsx:7:16:7:52 | [JsxFragment] <> frag ... ext </> | file://:0:0:0:0 | (Body) | semmle.order | 1 |
 | tstest.tsx:7:33:7:38 | [JsxElement] <Foo/> | tstest.tsx:7:34:7:36 | [VarRef] Foo | semmle.label | 0 |
 | tstest.tsx:7:33:7:38 | [JsxElement] <Foo/> | tstest.tsx:7:34:7:36 | [VarRef] Foo | semmle.order | 0 |
+| tstest.tsx:10:1:10:30 | [DeclStmt] const x = ... | tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | semmle.label | 1 |
+| tstest.tsx:10:1:10:30 | [DeclStmt] const x = ... | tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | semmle.order | 1 |
+| tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | tstest.tsx:10:7:10:7 | [VarDecl] x | semmle.label | 1 |
+| tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | tstest.tsx:10:7:10:7 | [VarDecl] x | semmle.order | 1 |
+| tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | semmle.label | 2 |
+| tstest.tsx:10:7:10:29 | [VariableDeclarator] x = <Ba ... llo" /> | tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | semmle.order | 2 |
+| tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | file://:0:0:0:0 | (Attributes) | semmle.label | 2 |
+| tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | file://:0:0:0:0 | (Attributes) | semmle.order | 2 |
+| tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | tstest.tsx:10:12:10:14 | [VarRef] Bar | semmle.label | 0 |
+| tstest.tsx:10:11:10:29 | [JsxElement] <Bar a:b="hello" /> | tstest.tsx:10:12:10:14 | [VarRef] Bar | semmle.order | 0 |
+| tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | tstest.tsx:10:18:10:18 | [Label] b | semmle.label | 1 |
+| tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | tstest.tsx:10:18:10:18 | [Label] b | semmle.order | 1 |
+| tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | tstest.tsx:10:20:10:26 | [Literal] "hello" | semmle.label | 2 |
+| tstest.tsx:10:16:10:26 | [JsxAttribute] a:b="hello" | tstest.tsx:10:20:10:26 | [Literal] "hello" | semmle.order | 2 |
+| tstest.tsx:11:1:11:32 | [DeclStmt] const y = ... | tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | semmle.label | 1 |
+| tstest.tsx:11:1:11:32 | [DeclStmt] const y = ... | tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | semmle.order | 1 |
+| tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | tstest.tsx:11:7:11:7 | [VarDecl] y | semmle.label | 1 |
+| tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | tstest.tsx:11:7:11:7 | [VarDecl] y | semmle.order | 1 |
+| tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | semmle.label | 2 |
+| tstest.tsx:11:7:11:31 | [VariableDeclarator] y = <Ba ... llo" /> | tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | semmle.order | 2 |
+| tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | file://:0:0:0:0 | (Attributes) | semmle.label | 2 |
+| tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | file://:0:0:0:0 | (Attributes) | semmle.order | 2 |
+| tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | tstest.tsx:11:12:11:14 | [VarRef] Bar | semmle.label | 0 |
+| tstest.tsx:11:11:11:31 | [JsxElement] <Bar a ... llo" /> | tstest.tsx:11:12:11:14 | [VarRef] Bar | semmle.order | 0 |
+| tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | tstest.tsx:11:20:11:20 | [Label] b | semmle.label | 1 |
+| tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | tstest.tsx:11:20:11:20 | [Label] b | semmle.order | 1 |
+| tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | tstest.tsx:11:22:11:28 | [Literal] "hello" | semmle.label | 2 |
+| tstest.tsx:11:16:11:28 | [JsxAttribute] a : b="hello" | tstest.tsx:11:22:11:28 | [Literal] "hello" | semmle.order | 2 |
+| tstest.tsx:13:1:15:1 | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } | tstest.tsx:13:11:13:18 | [Identifier] BarProps | semmle.label | 1 |
+| tstest.tsx:13:1:15:1 | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } | tstest.tsx:13:11:13:18 | [Identifier] BarProps | semmle.order | 1 |
+| tstest.tsx:13:1:15:1 | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } | tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | semmle.label | 2 |
+| tstest.tsx:13:1:15:1 | [InterfaceDeclaration,TypeDefinition] interfa ... ring; } | tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | semmle.order | 2 |
+| tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | tstest.tsx:14:5:14:9 | [Literal] "a:b" | semmle.label | 1 |
+| tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | tstest.tsx:14:5:14:9 | [Literal] "a:b" | semmle.order | 1 |
+| tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | tstest.tsx:14:12:14:17 | [KeywordTypeExpr] string | semmle.label | 2 |
+| tstest.tsx:14:5:14:18 | [FieldDeclaration] "a:b": string; | tstest.tsx:14:12:14:17 | [KeywordTypeExpr] string | semmle.order | 2 |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | tstest.tsx:17:10:17:12 | [VarDecl] Bar | semmle.label | 0 |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | tstest.tsx:17:10:17:12 | [VarDecl] Bar | semmle.order | 0 |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | tstest.tsx:17:31:19:1 | [BlockStmt] { r ... div>; } | semmle.label | 5 |
+| tstest.tsx:17:1:19:1 | [FunctionDeclStmt] functio ... div>; } | tstest.tsx:17:31:19:1 | [BlockStmt] { r ... div>; } | semmle.order | 5 |
+| tstest.tsx:17:14:17:18 | [SimpleParameter] props | tstest.tsx:17:21:17:28 | [LocalTypeAccess] BarProps | semmle.label | -2 |
+| tstest.tsx:17:14:17:18 | [SimpleParameter] props | tstest.tsx:17:21:17:28 | [LocalTypeAccess] BarProps | semmle.order | -2 |
+| tstest.tsx:17:31:19:1 | [BlockStmt] { r ... div>; } | tstest.tsx:18:5:18:37 | [ReturnStmt] return ... </div>; | semmle.label | 1 |
+| tstest.tsx:17:31:19:1 | [BlockStmt] { r ... div>; } | tstest.tsx:18:5:18:37 | [ReturnStmt] return ... </div>; | semmle.order | 1 |
+| tstest.tsx:18:5:18:37 | [ReturnStmt] return ... </div>; | tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | semmle.label | 1 |
+| tstest.tsx:18:5:18:37 | [ReturnStmt] return ... </div>; | tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | semmle.order | 1 |
+| tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | file://:0:0:0:0 | (Body) | semmle.label | 1 |
+| tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | file://:0:0:0:0 | (Body) | semmle.order | 1 |
+| tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | tstest.tsx:18:13:18:15 | [Label] div | semmle.label | 0 |
+| tstest.tsx:18:12:18:36 | [JsxElement] <div>{p ... }</div> | tstest.tsx:18:13:18:15 | [Label] div | semmle.order | 0 |
+| tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | tstest.tsx:18:18:18:22 | [VarRef] props | semmle.label | 1 |
+| tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | tstest.tsx:18:18:18:22 | [VarRef] props | semmle.order | 1 |
+| tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | tstest.tsx:18:24:18:28 | [Literal] "a:b" | semmle.label | 2 |
+| tstest.tsx:18:18:18:29 | [IndexExpr] props["a:b"] | tstest.tsx:18:24:18:28 | [Literal] "a:b" | semmle.order | 2 |
 graphProperties
 | semmle.graphKind | tree |
--- a/javascript/ql/test/library-tests/JSX/tests.expected
+++ b/javascript/ql/test/library-tests/JSX/tests.expected
@@ -3,6 +3,7 @@ htmlElements
 | tst.js:6:1:6:10 | <Foo-Bar/> |
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> |
 | tstest.tsx:6:1:6:10 | <Foo-Bar/> |
+| tstest.tsx:18:12:18:36 | <div>{p ... }</div> |
 jsxElementAttribute
 | tst.js:3:1:3:106 | <a href ... */}</a> | 0 | tst.js:3:4:3:14 | href={href} |
 | tst.js:3:1:3:106 | <a href ... */}</a> | 1 | tst.js:3:16:3:30 | target="_blank" |
@@ -12,6 +13,8 @@ jsxElementAttribute
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 1 | tstest.tsx:3:16:3:30 | target="_blank" |
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 2 | tstest.tsx:3:32:3:45 | {...linkTypes} |
 | tstest.tsx:4:1:4:35 | <MyComp ... "bar"/> | 0 | tstest.tsx:4:25:4:33 | foo="bar" |
+| tstest.tsx:10:11:10:29 | <Bar a:b="hello" /> | 0 | tstest.tsx:10:16:10:26 | a:b="hello" |
+| tstest.tsx:11:11:11:31 | <Bar a  ... llo" /> | 0 | tstest.tsx:11:16:11:28 | a : b="hello" |
 jsxElementAttributeName
 | tst.js:3:1:3:106 | <a href ... */}</a> | 0 | href |
 | tst.js:3:1:3:106 | <a href ... */}</a> | 1 | target |
@@ -19,6 +22,8 @@ jsxElementAttributeName
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 0 | href |
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 1 | target |
 | tstest.tsx:4:1:4:35 | <MyComp ... "bar"/> | 0 | foo |
+| tstest.tsx:10:11:10:29 | <Bar a:b="hello" /> | 0 | b |
+| tstest.tsx:11:11:11:31 | <Bar a  ... llo" /> | 0 | b |
 jsxElementBody
 | tst.js:3:1:3:106 | <a href ... */}</a> | 0 | tst.js:3:47:3:54 | Link to  |
 | tst.js:3:1:3:106 | <a href ... */}</a> | 1 | tst.js:3:56:3:59 | href |
@@ -28,6 +33,7 @@ jsxElementBody
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 1 | tstest.tsx:3:56:3:59 | href |
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 2 | tstest.tsx:3:61:3:62 | .  |
 | tstest.tsx:3:1:3:106 | <a href ... */}</a> | 3 | tstest.tsx:3:63:3:102 | {/*TODO ... text*/} |
+| tstest.tsx:18:12:18:36 | <div>{p ... }</div> | 0 | tstest.tsx:18:18:18:29 | props["a:b"] |
 jsxElementName
 | tst.js:3:1:3:106 | <a href ... */}</a> | tst.js:3:2:3:2 | a | a |
 | tst.js:4:1:4:35 | <MyComp ... "bar"/> | tst.js:4:2:4:23 | MyCompo ... ncyLink | MyComponents.FancyLink |
@@ -39,6 +45,9 @@ jsxElementName
 | tstest.tsx:5:1:5:6 | <Foo/> | tstest.tsx:5:2:5:4 | Foo | Foo |
 | tstest.tsx:6:1:6:10 | <Foo-Bar/> | tstest.tsx:6:2:6:8 | Foo-Bar | Foo-Bar |
 | tstest.tsx:7:33:7:38 | <Foo/> | tstest.tsx:7:34:7:36 | Foo | Foo |
+| tstest.tsx:10:11:10:29 | <Bar a:b="hello" /> | tstest.tsx:10:12:10:14 | Bar | Bar |
+| tstest.tsx:11:11:11:31 | <Bar a  ... llo" /> | tstest.tsx:11:12:11:14 | Bar | Bar |
+| tstest.tsx:18:12:18:36 | <div>{p ... }</div> | tstest.tsx:18:13:18:15 | div | div |
 jsxFragments
 | tst.js:7:16:7:52 | <> frag ... ext </> | 0 | tst.js:7:18:7:32 |  fragment text  |
 | tst.js:7:16:7:52 | <> frag ... ext </> | 1 | tst.js:7:33:7:38 | <Foo/> |
--- a/javascript/ql/test/library-tests/JSX/tstest.tsx
+++ b/javascript/ql/test/library-tests/JSX/tstest.tsx
@@ -5,3 +5,15 @@ var linkTypes = { rel: "noopener noreferrer" };
 <Foo/>;     // interpreted as a custom component because of capitalisation
 <Foo-Bar/>; // interpreted as an HTML element because of the dash
 var fragment = <> fragment text <Foo/> more text </>
+
+// Both of these are equivalent:
+const x = <Bar a:b="hello" />;
+const y = <Bar a : b="hello" />;
+
+interface BarProps {
+    "a:b": string;
+}
+
+function Bar(props: BarProps) {
+    return <div>{props["a:b"]}</div>;
+}
--- a/javascript/ql/test/library-tests/frameworks/ReactJS/ReactName.qll
+++ b/javascript/ql/test/library-tests/frameworks/ReactJS/ReactName.qll
@@ -15,6 +15,3 @@ query predicate test_JSXname(JsxElement element, JsxName jsxname, string name, s
 }

 query ThisExpr test_JsxName_this(JsxElement element) { result.getParentExpr+() = element }
-
-/** DEPRECATED: Alias for test_JsxName_this */
-deprecated ThisExpr test_JSXName_this(JSXElement element) { result = test_JsxName_this(element) }
--- a/javascript/ql/test/qlpack.yml
+++ b/javascript/ql/test/qlpack.yml
@@ -5,6 +5,4 @@ dependencies:
  codeql/javascript-queries: ${workspace}
 extractor: javascript
 tests: .
-dataExtensions:
-  - library-tests/DataExtensions/*.model.yml
 warnOnImplicitThis: true
--- a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js
+++ b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js
@@ -55,23 +55,23 @@ function emptyAlt3(x) {
 }

 function search(x) {
-  return x.search(/[a-z]*/); // NOT OK
+  return x.search(/[a-z]*/) > -1; // NOT OK
 }

 function search2(x) {
-  return x.search(/[a-z]/); // OK
+  return x.search(/[a-z]/) > -1; // OK
 }

 function lookahead(x) {
-  return x.search(/(?!x)/); // OK
+  return x.search(/(?!x)/) > -1; // OK
 }

 function searchPrefix(x) {
-  return x.search(/^(foo)?/); // NOT OK - `foo?` does not affect the returned index
+  return x.search(/^(foo)?/) > -1; // NOT OK - `foo?` does not affect the returned index
 }

 function searchSuffix(x) {
-  return x.search(/(foo)?$/); // OK - `foo?` affects the returned index
+  return x.search(/(foo)?$/) > -1; // OK - `foo?` affects the returned index
 }

 function wordBoundary(x) {
--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
@@ -49,7 +49,7 @@
 | tst-UnanchoredUrlRegExp.js:8:47:8:90 | "(https ... e.com)" | This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end. |
 | tst-UnanchoredUrlRegExp.js:10:2:10:22 | /https? ... od.com/ | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:11:13:11:31 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
-| tst-UnanchoredUrlRegExp.js:13:44:13:62 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
+| tst-UnanchoredUrlRegExp.js:13:48:13:66 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:15:13:15:31 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:19:47:19:65 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:20:47:20:70 | "https? ... m:8080" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js
@@ -10,7 +10,7 @@
 	/https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // NOT OK
 	new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // NOT OK

-	"http://evil.com/?http://good.com".search("https?://good.com"); // NOT OK
+	if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // NOT OK

 	new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // NOT OK

--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
@@ -37,6 +37,6 @@ edges
 | typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
 | typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
 #select
-| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value |
-| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
-| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
+| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query object depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value |
+| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
+| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -27,7 +27,7 @@
 | mongoose.js:63:2:63:34 | Documen ... then(X) |
 | mongoose.js:65:2:65:51 | Documen ... on(){}) |
 | mongoose.js:67:2:68:27 | new Mon ... on(){}) |
-| mongoose.js:71:5:78:9 | Documen ... .exec() |
+| mongoose.js:71:2:78:9 | Documen ... .exec() |
 | mongoose.js:85:2:85:52 | Documen ... query)) |
 | mongoose.js:86:2:86:52 | Documen ... query)) |
 | mongoose.js:87:2:87:57 | Documen ... query)) |
@@ -42,6 +42,8 @@
 | mongoose.js:97:2:97:52 | Documen ... query)) |
 | mongoose.js:99:2:99:50 | Documen ... query)) |
 | mongoose.js:113:2:113:53 | Documen ... () { }) |
+| mongoose.js:134:3:134:52 | Documen ... on(){}) |
+| mongoose.js:136:3:136:52 | Documen ... on(){}) |
 | mysql.js:8:9:11:47 | connect ... ds) {}) |
 | mysql.js:14:9:16:47 | connect ... ds) {}) |
 | mysql.js:19:9:20:48 | connect ... ds) {}) |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -174,38 +174,38 @@ nodes
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title |
 | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:29:16:29:20 | query |
-| mongoose.js:20:11:20:20 | query |
-| mongoose.js:20:19:20:20 | {} |
-| mongoose.js:21:19:21:26 | req.body |
-| mongoose.js:21:19:21:26 | req.body |
-| mongoose.js:21:19:21:32 | req.body.title |
-| mongoose.js:24:24:24:30 | [query] |
-| mongoose.js:24:24:24:30 | [query] |
-| mongoose.js:24:25:24:29 | query |
-| mongoose.js:27:20:27:24 | query |
-| mongoose.js:27:20:27:24 | query |
-| mongoose.js:30:25:30:29 | query |
-| mongoose.js:30:25:30:29 | query |
-| mongoose.js:33:24:33:28 | query |
-| mongoose.js:33:24:33:28 | query |
-| mongoose.js:36:31:36:35 | query |
-| mongoose.js:36:31:36:35 | query |
-| mongoose.js:39:19:39:23 | query |
-| mongoose.js:39:19:39:23 | query |
-| mongoose.js:42:22:42:26 | query |
-| mongoose.js:42:22:42:26 | query |
-| mongoose.js:45:31:45:35 | query |
-| mongoose.js:45:31:45:35 | query |
-| mongoose.js:48:31:48:35 | query |
-| mongoose.js:48:31:48:35 | query |
-| mongoose.js:51:31:51:35 | query |
-| mongoose.js:51:31:51:35 | query |
-| mongoose.js:54:25:54:29 | query |
-| mongoose.js:54:25:54:29 | query |
-| mongoose.js:57:21:57:25 | query |
-| mongoose.js:57:21:57:25 | query |
-| mongoose.js:60:25:60:29 | query |
-| mongoose.js:60:25:60:29 | query |
+| mongoose.js:20:8:20:17 | query |
+| mongoose.js:20:16:20:17 | {} |
+| mongoose.js:21:16:21:23 | req.body |
+| mongoose.js:21:16:21:23 | req.body |
+| mongoose.js:21:16:21:29 | req.body.title |
+| mongoose.js:24:21:24:27 | [query] |
+| mongoose.js:24:21:24:27 | [query] |
+| mongoose.js:24:22:24:26 | query |
+| mongoose.js:27:17:27:21 | query |
+| mongoose.js:27:17:27:21 | query |
+| mongoose.js:30:22:30:26 | query |
+| mongoose.js:30:22:30:26 | query |
+| mongoose.js:33:21:33:25 | query |
+| mongoose.js:33:21:33:25 | query |
+| mongoose.js:36:28:36:32 | query |
+| mongoose.js:36:28:36:32 | query |
+| mongoose.js:39:16:39:20 | query |
+| mongoose.js:39:16:39:20 | query |
+| mongoose.js:42:19:42:23 | query |
+| mongoose.js:42:19:42:23 | query |
+| mongoose.js:45:28:45:32 | query |
+| mongoose.js:45:28:45:32 | query |
+| mongoose.js:48:28:48:32 | query |
+| mongoose.js:48:28:48:32 | query |
+| mongoose.js:51:28:51:32 | query |
+| mongoose.js:51:28:51:32 | query |
+| mongoose.js:54:22:54:26 | query |
+| mongoose.js:54:22:54:26 | query |
+| mongoose.js:57:18:57:22 | query |
+| mongoose.js:57:18:57:22 | query |
+| mongoose.js:60:22:60:26 | query |
+| mongoose.js:60:22:60:26 | query |
 | mongoose.js:63:21:63:25 | query |
 | mongoose.js:63:21:63:25 | query |
 | mongoose.js:65:32:65:36 | query |
@@ -214,10 +214,10 @@ nodes
 | mongoose.js:67:27:67:31 | query |
 | mongoose.js:68:8:68:12 | query |
 | mongoose.js:68:8:68:12 | query |
-| mongoose.js:71:20:71:24 | query |
-| mongoose.js:71:20:71:24 | query |
-| mongoose.js:72:16:72:20 | query |
-| mongoose.js:72:16:72:20 | query |
+| mongoose.js:71:17:71:21 | query |
+| mongoose.js:71:17:71:21 | query |
+| mongoose.js:72:10:72:14 | query |
+| mongoose.js:72:10:72:14 | query |
 | mongoose.js:73:8:73:12 | query |
 | mongoose.js:73:8:73:12 | query |
 | mongoose.js:74:7:74:11 | query |
@@ -283,6 +283,8 @@ nodes
 | mongoose.js:130:16:130:26 | { _id: id } |
 | mongoose.js:130:16:130:26 | { _id: id } |
 | mongoose.js:130:23:130:24 | id |
+| mongoose.js:136:30:136:34 | query |
+| mongoose.js:136:30:136:34 | query |
 | mongooseJsonParse.js:19:11:19:20 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} |
 | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
@@ -623,143 +625,147 @@ edges
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:24:25:24:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:27:20:27:24 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:27:20:27:24 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:30:25:30:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:30:25:30:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:33:24:33:28 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:33:24:33:28 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:36:31:36:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:36:31:36:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:39:19:39:23 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:39:19:39:23 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:42:22:42:26 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:42:22:42:26 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:45:31:45:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:45:31:45:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:48:31:48:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:48:31:48:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:51:31:51:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:51:31:51:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:54:25:54:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:54:25:54:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:57:21:57:25 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:57:21:57:25 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:63:21:63:25 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:63:21:63:25 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:71:20:71:24 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:71:20:71:24 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:72:16:72:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:72:16:72:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:73:8:73:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:73:8:73:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:74:7:74:11 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:74:7:74:11 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:75:16:75:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:75:16:75:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:77:10:77:14 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:77:10:77:14 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:82:46:82:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:82:46:82:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:83:47:83:51 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:83:47:83:51 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:85:46:85:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:85:46:85:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:87:51:87:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:87:51:87:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:89:46:89:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:89:46:89:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:92:46:92:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:92:46:92:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:94:51:94:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:94:51:94:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:96:46:96:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:96:46:96:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:111:14:111:18 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:111:14:111:18 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:113:31:113:35 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:113:31:113:35 | query |
-| mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query |
-| mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
-| mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:20:11:20:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:20:19:20:20 | {} |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:24:25:24:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:27:20:27:24 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:27:20:27:24 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:30:25:30:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:30:25:30:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:33:24:33:28 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:33:24:33:28 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:36:31:36:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:36:31:36:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:39:19:39:23 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:39:19:39:23 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:42:22:42:26 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:42:22:42:26 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:45:31:45:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:45:31:45:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:48:31:48:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:48:31:48:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:51:31:51:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:51:31:51:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:54:25:54:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:54:25:54:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:57:21:57:25 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:57:21:57:25 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:21:63:25 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:21:63:25 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:71:20:71:24 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:71:20:71:24 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:16:72:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:16:72:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:8:73:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:8:73:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:7:74:11 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:7:74:11 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:75:16:75:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:75:16:75:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:77:10:77:14 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:77:10:77:14 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:82:46:82:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:82:46:82:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:83:47:83:51 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:83:47:83:51 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:85:46:85:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:85:46:85:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:87:51:87:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:87:51:87:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:89:46:89:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:89:46:89:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:92:46:92:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:92:46:92:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:94:51:94:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:94:51:94:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:96:46:96:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:96:46:96:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:111:14:111:18 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:111:14:111:18 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:113:31:113:35 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:113:31:113:35 | query |
-| mongoose.js:24:25:24:29 | query | mongoose.js:24:24:24:30 | [query] |
-| mongoose.js:24:25:24:29 | query | mongoose.js:24:24:24:30 | [query] |
+| mongoose.js:20:8:20:17 | query | mongoose.js:24:22:24:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:27:17:27:21 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:27:17:27:21 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:30:22:30:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:30:22:30:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:33:21:33:25 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:33:21:33:25 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:36:28:36:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:36:28:36:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:39:16:39:20 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:39:16:39:20 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:42:19:42:23 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:42:19:42:23 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:45:28:45:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:45:28:45:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:48:28:48:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:48:28:48:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:51:28:51:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:51:28:51:32 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:54:22:54:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:54:22:54:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:57:18:57:22 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:57:18:57:22 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:60:22:60:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:60:22:60:26 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:63:21:63:25 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:63:21:63:25 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:65:32:65:36 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:65:32:65:36 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:67:27:67:31 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:67:27:67:31 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:68:8:68:12 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:68:8:68:12 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:71:17:71:21 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:71:17:71:21 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:72:10:72:14 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:72:10:72:14 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:73:8:73:12 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:73:8:73:12 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:74:7:74:11 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:74:7:74:11 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:75:16:75:20 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:75:16:75:20 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:77:10:77:14 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:77:10:77:14 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:82:46:82:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:82:46:82:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:83:47:83:51 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:83:47:83:51 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:85:46:85:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:85:46:85:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:87:51:87:55 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:87:51:87:55 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:89:46:89:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:89:46:89:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:92:46:92:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:92:46:92:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:94:51:94:55 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:94:51:94:55 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:96:46:96:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:96:46:96:50 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:111:14:111:18 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:111:14:111:18 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:113:31:113:35 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:113:31:113:35 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:136:30:136:34 | query |
+| mongoose.js:20:8:20:17 | query | mongoose.js:136:30:136:34 | query |
+| mongoose.js:20:16:20:17 | {} | mongoose.js:20:8:20:17 | query |
+| mongoose.js:21:16:21:23 | req.body | mongoose.js:21:16:21:29 | req.body.title |
+| mongoose.js:21:16:21:23 | req.body | mongoose.js:21:16:21:29 | req.body.title |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:8:20:17 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:16:20:17 | {} |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:24:22:24:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:17:27:21 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:17:27:21 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:30:22:30:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:30:22:30:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:21:33:25 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:21:33:25 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:36:28:36:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:36:28:36:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:16:39:20 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:16:39:20 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:42:19:42:23 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:42:19:42:23 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:28:45:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:28:45:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:48:28:48:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:48:28:48:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:28:51:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:28:51:32 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:22:54:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:22:54:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:18:57:22 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:18:57:22 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:22:60:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:22:60:26 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:21:63:25 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:21:63:25 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:65:32:65:36 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:65:32:65:36 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:27:67:31 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:27:67:31 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:8:68:12 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:8:68:12 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:17:71:21 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:17:71:21 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:72:10:72:14 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:72:10:72:14 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:8:73:12 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:8:73:12 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:74:7:74:11 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:74:7:74:11 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:16:75:20 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:16:75:20 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:77:10:77:14 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:77:10:77:14 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:82:46:82:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:82:46:82:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:83:47:83:51 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:83:47:83:51 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:85:46:85:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:85:46:85:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:87:51:87:55 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:87:51:87:55 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:89:46:89:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:89:46:89:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:92:46:92:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:92:46:92:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:94:51:94:55 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:94:51:94:55 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:96:46:96:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:96:46:96:50 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:111:14:111:18 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:111:14:111:18 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:113:31:113:35 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:113:31:113:35 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:136:30:136:34 | query |
+| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:136:30:136:34 | query |
+| mongoose.js:24:22:24:26 | query | mongoose.js:24:21:24:27 | [query] |
+| mongoose.js:24:22:24:26 | query | mongoose.js:24:21:24:27 | [query] |
 | mongoose.js:115:6:115:22 | id | mongoose.js:123:20:123:21 | id |
 | mongoose.js:115:6:115:22 | id | mongoose.js:123:20:123:21 | id |
 | mongoose.js:115:6:115:22 | id | mongoose.js:130:23:130:24 | id |
@@ -928,128 +934,129 @@ edges
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 #select
-| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | This query depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value |
-| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value |
-| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value |
-| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value |
-| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value |
-| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value |
-| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value |
-| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value |
-| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value |
-| graphql.js:84:14:90:8 | `{\\n     ...      }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n     ...      }` | This query depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value |
-| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query depends on a $@. | graphql.js:119:16:119:28 | req.params.id | user-provided value |
-| html-sanitizer.js:16:9:16:59 | `SELECT ...  param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ...  param1 | This query depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value |
-| json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value |
-| json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value |
-| json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
-| json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
-| json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
-| ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
-| ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
-| ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
-| ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
-| marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value |
-| marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value |
-| minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value |
-| mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value |
-| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query depends on a $@. | mongodb.js:26:19:26:26 | req.body | user-provided value |
-| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query depends on a $@. | mongodb.js:49:19:49:33 | req.query.title | user-provided value |
-| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query depends on a $@. | mongodb.js:60:16:60:30 | req.query.title | user-provided value |
-| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value |
-| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value |
-| mongodb.js:112:14:112:18 | query | mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | This query depends on a $@. | mongodb.js:107:17:107:29 | queries.title | user-provided value |
-| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value |
-| mongoose.js:24:24:24:30 | [query] | mongoose.js:21:19:21:26 | req.body | mongoose.js:24:24:24:30 | [query] | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:27:20:27:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:27:20:27:24 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:30:25:30:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:30:25:30:29 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:33:24:33:28 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:33:24:33:28 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:36:31:36:35 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:36:31:36:35 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:39:19:39:23 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:39:19:39:23 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:42:22:42:26 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:42:22:42:26 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:45:31:45:35 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:45:31:45:35 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:48:31:48:35 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:48:31:48:35 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:51:31:51:35 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:51:31:51:35 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:54:25:54:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:54:25:54:29 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:57:21:57:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:57:21:57:25 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:60:25:60:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:60:25:60:29 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:63:21:63:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:21:63:25 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:65:32:65:36 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:65:32:65:36 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:67:27:67:31 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:67:27:67:31 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:68:8:68:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:68:8:68:12 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:71:20:71:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:71:20:71:24 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:72:16:72:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:72:16:72:20 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:73:8:73:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:73:8:73:12 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:74:7:74:11 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:74:7:74:11 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:75:16:75:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:75:16:75:20 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:77:10:77:14 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:77:10:77:14 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:82:46:82:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:82:46:82:50 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:83:47:83:51 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:83:47:83:51 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:85:46:85:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:85:46:85:50 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:87:51:87:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:87:51:87:55 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:89:46:89:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:89:46:89:50 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:92:46:92:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:92:46:92:50 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:94:51:94:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:94:51:94:55 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:96:46:96:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:96:46:96:50 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:111:14:111:18 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:111:14:111:18 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:113:31:113:35 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:113:31:113:35 | query | This query depends on a $@. | mongoose.js:21:19:21:26 | req.body | user-provided value |
-| mongoose.js:116:22:116:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:116:22:116:25 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:117:21:117:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:117:21:117:24 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:118:21:118:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:118:21:118:24 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:119:18:119:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:119:18:119:21 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:120:22:120:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:120:22:120:25 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:121:16:121:19 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:121:16:121:19 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:122:19:122:22 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:122:19:122:22 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:123:20:123:21 | id | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:123:20:123:21 | id | This query depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value |
-| mongoose.js:124:28:124:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:124:28:124:31 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:125:28:125:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:125:28:125:31 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:126:28:126:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:126:28:126:31 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:127:18:127:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:127:18:127:21 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:128:22:128:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:128:22:128:25 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:129:21:129:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:129:21:129:24 | cond | This query depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
-| mongoose.js:130:16:130:26 | { _id: id } | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:130:16:130:26 | { _id: id } | This query depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value |
-| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value |
-| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on a $@. | mongooseModelClient.js:10:22:10:29 | req.body | user-provided value |
-| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on a $@. | mongooseModelClient.js:12:22:12:29 | req.body | user-provided value |
-| mysql.js:15:18:15:65 | 'SELECT ...  + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ...  + temp | This query depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value |
-| mysql.js:19:26:19:73 | 'SELECT ...  + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:19:26:19:73 | 'SELECT ...  + temp | This query depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value |
-| pg-promise-types.ts:8:17:8:21 | taint | pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:8:17:8:21 | taint | This query depends on a $@. | pg-promise-types.ts:7:17:7:28 | req.params.x | user-provided value |
-| pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:11:17:11:21 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:11:17:11:21 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:12:10:12:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:12:10:12:14 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:13:12:13:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:13:12:13:16 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:14:18:14:22 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:14:18:14:22 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:15:11:15:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:15:11:15:15 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:16:10:16:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:16:10:16:14 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:17:16:17:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:17:16:17:20 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:18:12:18:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:18:12:18:16 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:19:13:19:17 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:19:13:19:17 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:22:11:22:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:22:11:22:15 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | This query depends on a $@. | pg-promise.js:30:13:30:25 | req.params.id | user-provided value |
-| pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | This query depends on a $@. | pg-promise.js:34:13:34:25 | req.params.id | user-provided value |
-| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query depends on a $@. | pg-promise.js:39:7:39:19 | req.params.id | user-provided value |
-| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value |
-| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query depends on a $@. | pg-promise.js:41:7:41:20 | req.params.foo | user-provided value |
-| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | This query depends on a $@. | pg-promise.js:39:7:39:19 | req.params.id | user-provided value |
-| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | This query depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value |
-| pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | This query depends on a $@. | pg-promise.js:47:11:47:23 | req.params.id | user-provided value |
-| pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | This query depends on a $@. | pg-promise.js:54:11:54:23 | req.params.id | user-provided value |
-| pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | This query depends on a $@. | pg-promise.js:56:14:56:29 | req.params.title | user-provided value |
-| pg-promise.js:60:20:60:24 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:60:20:60:24 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:63:23:63:27 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:63:23:63:27 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| pg-promise.js:64:16:64:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:64:16:64:20 | query | This query depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
-| redis.js:10:16:10:27 | req.body.key | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | This query depends on a $@. | redis.js:10:16:10:23 | req.body | user-provided value |
-| redis.js:18:16:18:18 | key | redis.js:12:15:12:22 | req.body | redis.js:18:16:18:18 | key | This query depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
-| redis.js:19:43:19:45 | key | redis.js:12:15:12:22 | req.body | redis.js:19:43:19:45 | key | This query depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
-| redis.js:25:14:25:16 | key | redis.js:12:15:12:22 | req.body | redis.js:25:14:25:16 | key | This query depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
-| redis.js:30:23:30:25 | key | redis.js:12:15:12:22 | req.body | redis.js:30:23:30:25 | key | This query depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
-| redis.js:32:28:32:30 | key | redis.js:12:15:12:22 | req.body | redis.js:32:28:32:30 | key | This query depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
-| redis.js:39:16:39:18 | key | redis.js:38:17:38:24 | req.body | redis.js:39:16:39:18 | key | This query depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value |
-| redis.js:43:27:43:29 | key | redis.js:38:17:38:24 | req.body | redis.js:43:27:43:29 | key | This query depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value |
-| redis.js:46:34:46:36 | key | redis.js:38:17:38:24 | req.body | redis.js:46:34:46:36 | key | This query depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value |
-| socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query depends on a $@. | socketio.js:10:25:10:30 | handle | user-provided value |
-| tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query depends on a $@. | tst2.js:9:66:9:78 | req.params.id | user-provided value |
-| tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query depends on a $@. | tst3.js:8:16:8:34 | req.params.category | user-provided value |
-| tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value |
-| tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value |
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value |
+| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value |
+| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value |
+| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value |
+| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query string depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value |
+| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value |
+| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value |
+| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n     ...      }` | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value |
+| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:119:16:119:28 | req.params.id | user-provided value |
+| html-sanitizer.js:16:9:16:59 | `SELECT ...  param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ...  param1 | This query string depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value |
+| json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value |
+| json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value |
+| json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
+| json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
+| json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
+| ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
+| ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
+| ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
+| ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
+| marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value |
+| marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value |
+| minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query object depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value |
+| mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value |
+| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:26:19:26:26 | req.body | user-provided value |
+| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query object depends on a $@. | mongodb.js:49:19:49:33 | req.query.title | user-provided value |
+| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query object depends on a $@. | mongodb.js:60:16:60:30 | req.query.title | user-provided value |
+| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value |
+| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value |
+| mongodb.js:112:14:112:18 | query | mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | This query object depends on a $@. | mongodb.js:107:17:107:29 | queries.title | user-provided value |
+| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value |
+| mongoose.js:24:21:24:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:24:21:24:27 | [query] | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:27:17:27:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:17:27:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:30:22:30:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:30:22:30:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:33:21:33:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:21:33:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:36:28:36:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:36:28:36:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:39:16:39:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:16:39:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:42:19:42:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:42:19:42:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:45:28:45:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:28:45:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:48:28:48:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:48:28:48:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:51:28:51:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:28:51:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:54:22:54:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:22:54:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:57:18:57:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:18:57:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:60:22:60:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:22:60:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:63:21:63:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:21:63:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:65:32:65:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:65:32:65:36 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:67:27:67:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:67:27:67:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:68:8:68:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:8:68:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:71:17:71:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:17:71:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:72:10:72:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:72:10:72:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:73:8:73:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:8:73:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:74:7:74:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:74:7:74:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:75:16:75:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:16:75:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:77:10:77:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:77:10:77:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:82:46:82:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:82:46:82:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:83:47:83:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:83:47:83:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:85:46:85:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:85:46:85:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:87:51:87:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:87:51:87:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:89:46:89:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:89:46:89:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:92:46:92:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:92:46:92:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:94:51:94:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:94:51:94:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:96:46:96:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:96:46:96:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:111:14:111:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:111:14:111:18 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:113:31:113:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:113:31:113:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongoose.js:116:22:116:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:116:22:116:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:117:21:117:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:117:21:117:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:118:21:118:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:118:21:118:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:119:18:119:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:119:18:119:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:120:22:120:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:120:22:120:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:121:16:121:19 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:121:16:121:19 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:122:19:122:22 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:122:19:122:22 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:123:20:123:21 | id | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:123:20:123:21 | id | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value |
+| mongoose.js:124:28:124:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:124:28:124:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:125:28:125:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:125:28:125:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:126:28:126:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:126:28:126:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:127:18:127:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:127:18:127:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:128:22:128:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:128:22:128:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:129:21:129:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:129:21:129:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value |
+| mongoose.js:130:16:130:26 | { _id: id } | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:130:16:130:26 | { _id: id } | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value |
+| mongoose.js:136:30:136:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:136:30:136:34 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value |
+| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value |
+| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query object depends on a $@. | mongooseModelClient.js:10:22:10:29 | req.body | user-provided value |
+| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query object depends on a $@. | mongooseModelClient.js:12:22:12:29 | req.body | user-provided value |
+| mysql.js:15:18:15:65 | 'SELECT ...  + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ...  + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value |
+| mysql.js:19:26:19:73 | 'SELECT ...  + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:19:26:19:73 | 'SELECT ...  + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value |
+| pg-promise-types.ts:8:17:8:21 | taint | pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:8:17:8:21 | taint | This query string depends on a $@. | pg-promise-types.ts:7:17:7:28 | req.params.x | user-provided value |
+| pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:11:17:11:21 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:11:17:11:21 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:12:10:12:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:12:10:12:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:13:12:13:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:13:12:13:16 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:14:18:14:22 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:14:18:14:22 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:15:11:15:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:15:11:15:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:16:10:16:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:16:10:16:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:17:16:17:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:17:16:17:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:18:12:18:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:18:12:18:16 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:19:13:19:17 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:19:13:19:17 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:22:11:22:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:22:11:22:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | This query string depends on a $@. | pg-promise.js:30:13:30:25 | req.params.id | user-provided value |
+| pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | This query string depends on a $@. | pg-promise.js:34:13:34:25 | req.params.id | user-provided value |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query string depends on a $@. | pg-promise.js:39:7:39:19 | req.params.id | user-provided value |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query string depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query string depends on a $@. | pg-promise.js:41:7:41:20 | req.params.foo | user-provided value |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | This query string depends on a $@. | pg-promise.js:39:7:39:19 | req.params.id | user-provided value |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | This query string depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value |
+| pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | This query string depends on a $@. | pg-promise.js:47:11:47:23 | req.params.id | user-provided value |
+| pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | This query string depends on a $@. | pg-promise.js:54:11:54:23 | req.params.id | user-provided value |
+| pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | This query string depends on a $@. | pg-promise.js:56:14:56:29 | req.params.title | user-provided value |
+| pg-promise.js:60:20:60:24 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:60:20:60:24 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:63:23:63:27 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:63:23:63:27 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| pg-promise.js:64:16:64:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:64:16:64:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| redis.js:10:16:10:27 | req.body.key | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | This query object depends on a $@. | redis.js:10:16:10:23 | req.body | user-provided value |
+| redis.js:18:16:18:18 | key | redis.js:12:15:12:22 | req.body | redis.js:18:16:18:18 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
+| redis.js:19:43:19:45 | key | redis.js:12:15:12:22 | req.body | redis.js:19:43:19:45 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
+| redis.js:25:14:25:16 | key | redis.js:12:15:12:22 | req.body | redis.js:25:14:25:16 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
+| redis.js:30:23:30:25 | key | redis.js:12:15:12:22 | req.body | redis.js:30:23:30:25 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
+| redis.js:32:28:32:30 | key | redis.js:12:15:12:22 | req.body | redis.js:32:28:32:30 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
+| redis.js:39:16:39:18 | key | redis.js:38:17:38:24 | req.body | redis.js:39:16:39:18 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value |
+| redis.js:43:27:43:29 | key | redis.js:38:17:38:24 | req.body | redis.js:43:27:43:29 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value |
+| redis.js:46:34:46:36 | key | redis.js:38:17:38:24 | req.body | redis.js:46:34:46:36 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value |
+| socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query string depends on a $@. | socketio.js:10:25:10:30 | handle | user-provided value |
+| tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query string depends on a $@. | tst2.js:9:66:9:78 | req.params.id | user-provided value |
+| tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query string depends on a $@. | tst3.js:8:16:8:34 | req.params.category | user-provided value |
+| tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query string depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value |
+| tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query string depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
@@ -9,57 +9,57 @@ const app = Express();
 app.use(BodyParser.json());

 const Document = Mongoose.model('Document', {
-    title: {
-        type: String,
-        unique: true
-    },
-    type: String
+	title: {
+		type: String,
+		unique: true
+	},
+	type: String
 });

 app.post('/documents/find', (req, res) => {
-    const query = {};
-    query.title = req.body.title;
+	const query = {};
+	query.title = req.body.title;

-    // NOT OK: query is tainted by user-provided object value
-    Document.aggregate([query]);
+	// NOT OK: query is tainted by user-provided object value
+	Document.aggregate([query]);

-    // NOT OK: query is tainted by user-provided object value
-    Document.count(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.count(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.deleteMany(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.deleteMany(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.deleteOne(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.deleteOne(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.distinct('type', query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.distinct('type', query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.find(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.find(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.findOne(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.findOne(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.findOneAndDelete(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.findOneAndDelete(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.findOneAndRemove(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.findOneAndRemove(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.findOneAndUpdate(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.findOneAndUpdate(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.replaceOne(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.replaceOne(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.update(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.update(query);

-    // NOT OK: query is tainted by user-provided object value
-    Document.updateMany(query);
+	// NOT OK: query is tainted by user-provided object value
+	Document.updateMany(query);

-    // NOT OK: query is tainted by user-provided object value
+	// NOT OK: query is tainted by user-provided object value
 	Document.updateOne(query).then(X);

 	Document.findByIdAndUpdate(X, query, function(){}); // NOT OK
@@ -68,8 +68,8 @@ app.post('/documents/find', (req, res) => {
 		.and(query, function(){}) // NOT OK
 	;

-    Document.where(query)	// NOT OK - `.where()` on a Model. 
-        .where(query)	// NOT OK - `.where()` on a Query. 
+	Document.where(query)	// NOT OK - `.where()` on a Model. 
+		.where(query)	// NOT OK - `.where()` on a Query. 
 		.and(query) // NOT OK
 		.or(query) // NOT OK
 		.distinct(X, query) // NOT OK
@@ -97,14 +97,14 @@ app.post('/documents/find', (req, res) => {
 	Document.find(X).then(Y, (err) => err.count(query)); // OK

 	Document.count(X, (err, res) => res.count(query)); // OK (res is a number)
-    
+	
 	function innocent(X, Y, query) { // To detect if API-graphs were used incorrectly.
 		return new Mongoose.Query("constant", "constant", "constant");
 	}
 	new innocent(X, Y, query);

 	function getQueryConstructor() {
-		return Mongoose.Query;
+	return Mongoose.Query;
 	}

 	var C = getQueryConstructor();
@@ -129,4 +129,10 @@ app.post('/documents/find', (req, res) => {
 	Document.updateOne(cond, Y); // NOT OK
 	Document.find({ _id: id }); // NOT OK
 	Document.find({ _id: { $eq: id } }); // OK
+
+	if (Mongoose.Types.ObjectId.isValid(query)) {
+		Document.findByIdAndUpdate(query, X, function(){}); // OK - is sanitized
+	} else {
+		Document.findByIdAndUpdate(query, X, function(){}); // NOT OK
+	}
 });
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
@@ -31,14 +31,12 @@ nodes
 | RegExpInjection.js:41:26:41:30 | input |
 | RegExpInjection.js:42:25:42:29 | input |
 | RegExpInjection.js:42:25:42:29 | input |
-| RegExpInjection.js:45:20:45:24 | input |
-| RegExpInjection.js:45:20:45:24 | input |
-| RegExpInjection.js:46:23:46:27 | input |
-| RegExpInjection.js:46:23:46:27 | input |
-| RegExpInjection.js:47:22:47:26 | input |
-| RegExpInjection.js:47:22:47:26 | input |
-| RegExpInjection.js:50:46:50:50 | input |
-| RegExpInjection.js:50:46:50:50 | input |
+| RegExpInjection.js:45:24:45:28 | input |
+| RegExpInjection.js:45:24:45:28 | input |
+| RegExpInjection.js:46:27:46:31 | input |
+| RegExpInjection.js:46:27:46:31 | input |
+| RegExpInjection.js:47:26:47:30 | input |
+| RegExpInjection.js:47:26:47:30 | input |
 | RegExpInjection.js:54:14:54:16 | key |
 | RegExpInjection.js:54:14:54:27 | key.split(".") |
 | RegExpInjection.js:54:14:54:42 | key.spl ... x => x) |
@@ -89,14 +87,12 @@ edges
 | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:41:26:41:30 | input |
 | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:42:25:42:29 | input |
 | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:42:25:42:29 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:45:20:45:24 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:45:20:45:24 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:46:23:46:27 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:46:23:46:27 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:47:22:47:26 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:47:22:47:26 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:50:46:50:50 | input |
-| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:50:46:50:50 | input |
+| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:45:24:45:28 | input |
+| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:45:24:45:28 | input |
+| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:46:27:46:31 | input |
+| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:46:27:46:31 | input |
+| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:47:26:47:30 | input |
+| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:47:26:47:30 | input |
 | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:5:31:5:56 | input |
 | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:5:31:5:56 | input |
 | RegExpInjection.js:8:31:8:33 | key | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" |
@@ -157,10 +153,9 @@ edges
 | RegExpInjection.js:40:23:40:27 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:40:23:40:27 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:41:26:41:30 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:41:26:41:30 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:42:25:42:29 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:42:25:42:29 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
-| RegExpInjection.js:45:20:45:24 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:45:20:45:24 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
-| RegExpInjection.js:46:23:46:27 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:46:23:46:27 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
-| RegExpInjection.js:47:22:47:26 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:47:22:47:26 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
-| RegExpInjection.js:50:46:50:50 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:50:46:50:50 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
+| RegExpInjection.js:45:24:45:28 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:45:24:45:28 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
+| RegExpInjection.js:46:27:46:31 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:46:27:46:31 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
+| RegExpInjection.js:47:26:47:30 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:47:26:47:30 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
 | RegExpInjection.js:64:14:64:18 | input | RegExpInjection.js:60:39:60:56 | req.param("input") | RegExpInjection.js:64:14:64:18 | input | This regular expression is constructed from a $@. | RegExpInjection.js:60:39:60:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
@@ -42,12 +42,12 @@ app.get('/findKey', function(req, res) {
  if (maybeString.match(input)) {} // NOT OK
  if (notString.match(input)) {} // OK

-  defString.search(input); // NOT OK
-  likelyString.search(input); // NOT OK
-  maybeString.search(input); // NOT OK
-  notString.search(input); // OK
+  if (defString.search(input) > -1) {} // NOT OK
+  if (likelyString.search(input) > -1) {} // NOT OK
+  if (maybeString.search(input) > -1) {} // NOT OK
+  if (notString.search(input) > -1) {} // OK

-  URI(`${protocol}://${host}${path}`).search(input); // OK, but still flagged [INCONSISTENCY]
+  URI(`${protocol}://${host}${path}`).search(input); // OK
  URI(`${protocol}://${host}${path}`).search(input).href(); // OK
  unknown.search(input).unknown; // OK

@@ -62,7 +62,7 @@ app.get('/findKey', function(req, res) {
  Search.search(input); // OK!

  new RegExp(input); // NOT OK
-  
+
  var sanitized = input.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&");
  new RegExp(sanitized); // OK
 });
--- a/javascript/ql/test/tutorials/Validating
+++ b/javascript/ql/test/tutorials/Validating
@@ -30,9 +30,6 @@ class OspreyCreateApiCall extends MethodCallExpr {
  }
 }

-/** DEPRECATED: Alias for OspreyCreateApiCall */
-deprecated class OspreyCreateAPICall = OspreyCreateApiCall;
-
 /** A variable in which an Osprey API object is stored. */
 class OspreyApi extends Variable {
  OspreyApi() { this.getAnAssignedExpr() instanceof OspreyCreateApiCall }
@@ -40,9 +37,6 @@ class OspreyApi extends Variable {
  File getSpecFile() { result = this.getAnAssignedExpr().(OspreyCreateApiCall).getSpecFile() }
 }

-/** DEPRECATED: Alias for OspreyApi */
-deprecated class OspreyAPI = OspreyApi;
-
 /** An Osprey REST method definition. */
 class OspreyMethodDefinition extends MethodCallExpr {
  OspreyMethodDefinition() {
@@ -54,7 +48,7 @@ class OspreyMethodDefinition extends MethodCallExpr {
  OspreyApi getApi() { this.getReceiver() = result.getAnAccess() }

  /** DEPRECATED: Alias for getApi */
-  deprecated OspreyAPI getAPI() { result = this.getApi() }
+  deprecated OspreyApi getAPI() { result = this.getApi() }

  /** Get the verb which this method implements. */
  string getVerb() { result = this.getMethodName() }
--- a/javascript/ql/test/tutorials/Validating
+++ b/javascript/ql/test/tutorials/Validating
@@ -8,9 +8,6 @@ class RamlSpec extends YamlDocument, YamlMapping {
  RamlSpec() { getLocation().getFile().getExtension() = "raml" }
 }

-/** DEPRECATED: Alias for RamlSpec */
-deprecated class RAMLSpec = RamlSpec;
-
 /** A RAML resource specification. */
 class RamlResource extends YamlMapping {
  RamlResource() {
@@ -38,9 +35,6 @@ class RamlResource extends YamlMapping {
  }
 }

-/** DEPRECATED: Alias for RamlResource */
-deprecated class RAMLResource = RamlResource;
-
 /** A RAML method specification. */
 class RamlMethod extends YamlValue {
  RamlMethod() {
@@ -57,6 +51,3 @@ class RamlMethod extends YamlValue {
    )
  }
 }
-
-/** DEPRECATED: Alias for RamlMethod */
-deprecated class RAMLMethod = RamlMethod;