Holds if sink is a data-flow sink for command-injection vulnerabilities, and
the alert should be placed at the node highlight.
Import path
import semmle.javascript.security.dataflow.IndirectCommandInjectionQuerypredicate isSinkWithHighlight(Node sink, Node highlight)