From 551a730ef33de271b4957ae4e69eb4f8fd2b0990 Mon Sep 17 00:00:00 2001
From: Poodle Glamour <github@godswood.au>
Date: Sat, 28 Mar 2026 10:43:21 +1000
Subject: [PATCH] fix: swap hasOwnProperty args in _addMatch/_removeMatch

The arguments to Object.prototype.hasOwnProperty.call() were inverted,
causing match rules to never be refcounted or cleaned up. Long-running
processes accumulate D-Bus match rules without limit.

Also update xml2js to 0.6.x to resolve prototype pollution CVE.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 lib/bus.js   | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/bus.js b/lib/bus.js
index 277491c..40de03d 100644
--- a/lib/bus.js
+++ b/lib/bus.js
@@ -483,7 +483,7 @@ class MessageBus extends EventEmitter {
   }
 
   _addMatch (match) {
-    if (Object.prototype.hasOwnProperty.call(match, this._matchRules)) {
+    if (Object.prototype.hasOwnProperty.call(this._matchRules, match)) {
       this._matchRules[match] += 1;
       return Promise.resolve();
     }
@@ -507,7 +507,7 @@ class MessageBus extends EventEmitter {
       return Promise.resolve();
     }
 
-    if (Object.prototype.hasOwnProperty.call(match, this._matchRules)) {
+    if (Object.prototype.hasOwnProperty.call(this._matchRules, match)) {
       this._matchRules[match] -= 1;
       if (this._matchRules[match] > 0) {
         return Promise.resolve();
diff --git a/package.json b/package.json
index cc589ba..4287c23 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
     "long": "^4.0.0",
     "@nornagon/put": "0.0.8",
     "safe-buffer": "^5.1.1",
-    "xml2js": "^0.4.17"
+    "xml2js": "^0.6.2"
   },
   "optionalDependencies": {
     "usocket": "^1.0.1"