fix: swap hasOwnProperty args in _addMatch/_removeMatch

[poodle64]

Summary

_addMatch and _removeMatch in lib/bus.js have the arguments to Object.prototype.hasOwnProperty.call() inverted. The first argument should be the object to check, and the second the property name, but they are swapped:

// Before (incorrect — always returns false)
if (Object.prototype.hasOwnProperty.call(match, this._matchRules)) {

// After (correct)
if (Object.prototype.hasOwnProperty.call(this._matchRules, match)) {

Because the check always fails, match rules are never refcounted. Every _addMatch call sends an AddMatch D-Bus message and creates a new entry, and _removeMatch never decrements or removes entries. In long-running processes, this causes unbounded accumulation of D-Bus match rules.

Also bumps xml2js from ^0.4.17 to ^0.6.2 to resolve the prototype pollution CVE (CVE-2023-0842).

How to verify

1. Run a process that repeatedly adds and removes signal handlers on the same match rule.
2. Before this fix, this._matchRules grows without bound and RemoveMatch is never called.
3. After this fix, refcounting works correctly: duplicate _addMatch calls increment the count, _removeMatch decrements it, and RemoveMatch is sent when the count reaches zero.

Changes

• lib/bus.js: Swap arguments in both hasOwnProperty.call() invocations
• package.json: Bump xml2js to ^0.6.2