diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..1f6247b --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2025-02-14 - Fix Prototype Pollution in label dictionary +**Vulnerability:** The Lua parser tracked label names using standard object literals (`labels: {}`). This allowed malicious Lua code defining labels named `__proto__`, `constructor`, or `hasOwnProperty` to manipulate the object's prototype properties or crash the parser during lookups due to unexpected inherited properties, leading to Prototype Pollution / DoS. +**Learning:** Dictionaries storing arbitrary user-defined identifiers in parsers must never be standard object literals, as they are susceptible to prototype inheritance issues when keys collide with built-ins. +**Prevention:** Always initialize dictionaries meant to store arbitrary keys using null-prototype objects (`Object.create(null)`). Use fallback `Object.create ? Object.create(null) : {}` if very old environment support is required. diff --git a/luaparse.js b/luaparse.js index a6bcbac..7f60102 100644 --- a/luaparse.js +++ b/luaparse.js @@ -1674,7 +1674,7 @@ FullFlowContext.prototype.pushScope = function (isLoop) { var scope = { - labels: {}, + labels: Object.create ? Object.create(null) : {}, locals: [], deferredGotos: [], isLoop: !!isLoop
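Review bot: in the `.jules/sentinel.md` hunk, the Prevention entry recommends the fallback `Object.create ? Object.create(null) : {}`, but that fallback silently reinstates the exact object literal the Vulnerability entry describes, so on an engine without `Object.create` the parser is as exposed as before. Record that the `{}` branch is a compatibility shim, not a mitigation, and document the lookup-side defence that works on every engine: read labels only through `Object.prototype.hasOwnProperty.call(labels, name)` rather than `labels[name]`. The Vulnerability entry also runs two different effects together: assigning `labels['__proto__'] = ...` on a plain object swaps that object's prototype, while reads of `labels['constructor']` or `labels['hasOwnProperty']` return inherited functions that a truthiness check mistakes for an already-defined label; the entry attributes the crash to the second, so say so explicitly instead of lumping both under "Prototype Pollution / DoS".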
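Review bot: the `luaparse.js` hunk changes only how `scope.labels` is allocated, so every consumer of `scope.labels` needs the same review, because a null-prototype object has no `hasOwnProperty` method and any existing `scope.labels.hasOwnProperty(name)` call will now throw a TypeError on every label lookup, turning the fix into its own DoS. Those sites should use `Object.prototype.hasOwnProperty.call(scope.labels, name)` (or `name in scope.labels`, which is safe once the prototype chain is empty). The ternary `Object.create ? Object.create(null) : {}` also needs a source comment stating that the `{}` branch keeps the old, unsafe behaviour, and the change should land with a regression test that parses labels named `__proto__`, `constructor` and `hasOwnProperty` and asserts that the parser neither throws nor resolves them to inherited values.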