From 2bf857a4bab98f55675a638601c3fafcbffb7a58 Mon Sep 17 00:00:00 2001 From: dellson-arch Date: Thu, 29 Jan 2026 18:42:37 +0530 Subject: [PATCH 1/2] doc: clarify security wording for path.isAbsolute --- doc/api/path.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/api/path.md b/doc/api/path.md index e5d6fd7ef68304..1d9cb49d860631 100644 --- a/doc/api/path.md +++ b/doc/api/path.md @@ -60,9 +60,9 @@ path.posix.basename('/tmp/myfile.html'); // Returns: 'myfile.html' ``` -On Windows Node.js follows the concept of per-drive working directory. +On Windows, Node.js follows the concept of per-drive working directory. This behavior can be observed when using a drive path without a backslash. For -example, `path.resolve('C:\\')` can potentially return a different result than +example, `path.resolve('C:\\')` can return a different result than `path.resolve('C:')`. For more information, see [this MSDN page][MSDN-Rel-Path]. @@ -322,7 +322,7 @@ added: v0.11.2 * Returns: {boolean} The `path.isAbsolute()` method determines if the literal `path` is absolute. -Therefore, it’s not safe for mitigating path traversals. +Therefore, it’s not safe for mitigating path traversals attacks. If the given `path` is a zero-length string, `false` will be returned. From 0b5674625d2a4330ea5f6b4663737a2b27336726 Mon Sep 17 00:00:00 2001 From: dellson-arch Date: Thu, 29 Jan 2026 18:55:53 +0530 Subject: [PATCH 2/2] doc: clarify limitations of path.isAbsolute --- doc/api/path.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/api/path.md b/doc/api/path.md index 1d9cb49d860631..8cce8bf2c56b2a 100644 --- a/doc/api/path.md +++ b/doc/api/path.md 
@@ -322,7 +322,8 @@ added: v0.11.2 * Returns: {boolean} The `path.isAbsolute()` method determines if the literal `path` is absolute. -Therefore, it’s not safe for mitigating path traversals attacks. +Therefore, it’s not safe for mitigating path traversals attacks. This method only checks whether a path is absolute and does not validate whether it is safe to use. + If the given `path` is a zero-length string, `false` will be returned.
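Review bot: In the `@@ -60,9 +60,9 @@` hunk of PATCH 1/2, the rewritten sentence still reads "follows the concept of per-drive working directory" with no article; since the line is being touched anyway, make it "the concept of a per-drive working directory". This hunk also edits the `path.resolve()` paragraph, while the subject line only mentions `path.isAbsolute`, so either mention the Windows wording fix in the commit message or move it to its own commit.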
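Review bot: In the `@@ -322,7 +322,7 @@` hunk of PATCH 1/2, the new wording "path traversals attacks" is ungrammatical; it should be "path traversal attacks" (singular modifier). The same phrase is carried into PATCH 2/2, so fixing it here and squashing the two commits would avoid touching the line twice.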
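Review bot: In the `@@ -322,7 +322,8 @@` hunk of PATCH 2/2, the added sentence is appended to the existing line instead of being wrapped like the surrounding lines of `doc/api/path.md`, and the extra `+` blank line leaves two consecutive blank lines before "If the given `path` is a zero-length string". Please rewrap the paragraph and drop the added blank line. The new sentence also mostly restates the first one ("determines if the literal `path` is absolute") without saying why that is insufficient; naming the limitation, for example that the check looks only at the literal string and does not resolve `..` segments, would make the "Therefore" follow and tell readers what the method does not cover.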