From 16ead223369e7031293c9b82602c83257609422c Mon Sep 17 00:00:00 2001
From: Taejin Kim
Date: Sat, 24 Jan 2026 00:05:22 +0900
Subject: [PATCH 1/2] lib: use StringPrototypeStartsWith from primordials in locks
Use StringPrototypeStartsWith from primordials instead of String.prototype.startsWith to prevent prototype pollution.
Refs: https://github.com/nodejs/node/issues/59699
---
 lib/internal/locks.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/internal/locks.js b/lib/internal/locks.js
index b3d605aa8bc79e..d2a0ce66385e85 100644
--- a/lib/internal/locks.js
+++ b/lib/internal/locks.js
@@ -6,6 +6,7 @@ const {
 PromisePrototypeThen,
 PromiseResolve,
 SafePromisePrototypeFinally,
+ StringPrototypeStartsWith,
 Symbol,
 SymbolToStringTag,
 } = primordials;
@@ -159,7 +160,7 @@ class LockManager {
 signal.throwIfAborted();
 }
- if (name.startsWith('-')) {
+ if (StringPrototypeStartsWith(name, '-')) {
 // If name starts with U+002D HYPHEN-MINUS (-), then reject promise with a
 // "NotSupportedError" DOMException.
 throw lazyDOMException('Lock name may not start with hyphen',
From 7176d5acfc2560ba1032385ab4f04fde0c719aa3 Mon Sep 17 00:00:00 2001
From: Taejin Kim <60560836+kimtaejin3@users.noreply.github.com>
Date: Sun, 25 Jan 2026 08:01:51 +0900
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Jordan Harband
---
 lib/internal/locks.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/internal/locks.js b/lib/internal/locks.js
index d2a0ce66385e85..e68b9f9ece0f7a 100644
--- a/lib/internal/locks.js
+++ b/lib/internal/locks.js
@@ -160,7 +160,7 @@ class LockManager {
 signal.throwIfAborted();
 }
- if (StringPrototypeStartsWith(name, '-')) {
+ if (name[0] === '-') {
 // If name starts with U+002D HYPHEN-MINUS (-), then reject promise with a
 // "NotSupportedError" DOMException.
 throw lazyDOMException('Lock name may not start with hyphen',
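Review bot: With the check in the last hunk rewritten as `name[0] === '-'`, the `StringPrototypeStartsWith` binding that patch 1/2 added to the `primordials` destructuring is no longer referenced, and this one-line patch leaves it in place; drop that line so the file does not carry an unused primordial. The indexed read also has one case the primordial call did not: for an empty `name`, index 0 is not an own property of the string, so the lookup continues to `String.prototype`, which user code can modify, and that is the kind of tampering the series set out to be immune to. `if (name.length > 0 && name[0] === '-') {` keeps the check on own properties only, assuming `name` has already been converted to a string primitive earlier in the method, which is outside this hunk. The `throw` statement continues past the end of the hunk.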