JS: Put in same stage as RemoteFlowSource

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -312,6 +312,10 @@ module TaintTracking {
    */
   cached
   private module Cached {
+    cached predicate forceStage() {
+      Stages::Taint::ref()
+    }
+
     /**
      * Holds if `pred` → `succ` should be considered a taint-propagating
      * data flow edge, which doesn't fit into a more specific category.

javascript/ql/src/semmle/javascript/internal/CachedStages.qll

@@ -243,7 +243,7 @@ module Stages {
     predicate backref() {
       1 = 1
       or
-      any(TaintTracking::AdditionalTaintStep step).step(_, _)
+      TaintTracking::heapStep(_, _)
       or
       exists(RemoteFlowSource r)
     }