diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
index f8afff17b3a..edb3f93fa1b 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
@@ -12,7 +12,23 @@ import UnsafeDeserializationCustomizations::UnsafeDeserialization
 /**
  * A taint-tracking configuration for reasoning about unsafe deserialization.
  */
-class Configuration extends TaintTracking::Configuration {
+module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for reasoning about unsafe deserialization.
+ */
+module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
+
+/**
+ * DEPRECATED. Use the `UnsafeDeserializationFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnsafeDeserialization" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
index 35ae85130c9..e940ddff338 100644
--- a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -13,9 +13,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.UnsafeDeserializationQuery
-import DataFlow::PathGraph
+import UnsafeDeserializationFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
+where UnsafeDeserializationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
index 7abe0b7f559..dbd2e399114 100644
--- a/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
@@ -1,37 +1,14 @@
-nodes
-| tst.js:13:22:13:36 | req.params.data |
-| tst.js:13:22:13:36 | req.params.data |
-| tst.js:13:22:13:36 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data |
 edges
-| tst.js:13:22:13:36 | req.params.data | tst.js:13:22:13:36 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data | tst.js:14:25:14:39 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data | tst.js:15:26:15:40 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data | tst.js:16:29:16:43 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data | tst.js:20:22:20:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data | tst.js:21:22:21:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data | tst.js:24:22:24:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data | tst.js:25:22:25:36 | req.params.data |
+nodes
+| tst.js:13:22:13:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:14:25:14:39 | req.params.data | semmle.label | req.params.data |
+| tst.js:15:26:15:40 | req.params.data | semmle.label | req.params.data |
+| tst.js:16:29:16:43 | req.params.data | semmle.label | req.params.data |
+| tst.js:20:22:20:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:21:22:21:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:24:22:24:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:25:22:25:36 | req.params.data | semmle.label | req.params.data |
+subpaths
 #select
 | tst.js:13:22:13:36 | req.params.data | tst.js:13:22:13:36 | req.params.data | tst.js:13:22:13:36 | req.params.data | Unsafe deserialization depends on a $@. | tst.js:13:22:13:36 | req.params.data | user-provided value |
 | tst.js:14:25:14:39 | req.params.data | tst.js:14:25:14:39 | req.params.data | tst.js:14:25:14:39 | req.params.data | Unsafe deserialization depends on a $@. | tst.js:14:25:14:39 | req.params.data | user-provided value |