JS: Add model for shelljs

[asger-semmle]

After turning on full type extraction I noticed from false negatives from not modelling shelljs methods as TaintedPath sinks.

Evaluation on default.slugs is uneventful.

[xiemaisi]

LGTM, but perhaps deserves a change note, seeing how massively popular shelljs is.

Consistently using the range pattern is a little verbose, but I like how it allows for a clean model of shelljs.exec 👍

[asger-semmle]

Consistently using the range pattern is a little verbose

Yeah it might be overkill to use it twice for this model. Should we get rid of Instance and just have Member?

[ghost]

GitHub repo > npm page?

[ghost]

Suggested change

	- [shelljs](https://www.npmjs.com/package/shelljs)
	- [shelljs](https://github.com/shelljs/shelljs)

[asger-semmle]

Why are we linking to github repos instead of the NPM page, again?

[xiemaisi]

GitHub repo > npm page ?

I would say <

[ghost]

The github repository is the official definition of the package, in the absence of a proper home page (like https://socket.io has). The npm page is just derived from the repository information, and our models are not tied to npm in any way.

[xiemaisi]

The npm page looks much more useful to me, and it has a link to the github repo.

[ghost]

But this is not a matter of usefulness: it is a matter of documenting what we are doing, not how to use a package. I am fine either way, as long as we are consistent.
Should the preference be homepage > npm > repo?

[xiemaisi]

Yes, I would prefer that preference order.

[asger-semmle]

The NPM page is also the more stable link, as it's not unusual for github repos to be renamed or moved into an org as the project grows.

[xiemaisi]

Should we get rid of Instance and just have Member?

If you don't have a concrete need for it at the moment, perhaps we can simplify it for now.