HIGH 8.2

GHSA-pr59-h9ph-3fr8

protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

Details

## Summary

A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from `.proto` files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

## Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to `pbjs` static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.

The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.

## Preconditions

* The application or build process must run `pbjs` static code generation on a pre-parsed JSON descriptor influenced by an attacker.
* The generated JavaScript file must subsequently be executed or imported.
* An affected generated API path must be invoked.

## Workarounds

Do not run affected versions of `pbjs` static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid `.proto` file. Running code generation in an isolated environment can reduce impact.
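The name-validation step described above, as an added example that is not code from protobufjs-cli or this advisory. It assumes the protobufjs JSON descriptor layout, where user-chosen names are the keys of `nested`, `fields`, `oneofs`, `values` and `methods`, and type references live in `type`, `keyType`, `requestType` and `responseType`; anything that is not a valid `.proto` identifier or dotted type path is reported so the build can refuse to run `pbjs`.

```javascript
// Pre-generation gate for protobufjs JSON descriptors (added example; assumed
// descriptor layout, not protobufjs-cli's own validation).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;                        // one proto identifier
const TYPE_REF = /^\.?[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$/;            // optional leading dot, dotted path

// Object keys under these maps are names that end up in generated source.
const NAME_MAPS = ["nested", "fields", "oneofs", "values", "methods"];
// These string properties are type references that are also emitted verbatim.
const TYPE_PROPS = ["type", "keyType", "requestType", "responseType"];

// Walks a descriptor and returns a list of human-readable problems; an empty
// list means every name and type reference could have come from a valid .proto.
function validateDescriptor(node, path = "") {
  const problems = [];
  if (node === null || typeof node !== "object") return problems; // enum values are numbers
  for (const mapKey of NAME_MAPS) {
    const map = node[mapKey];
    if (!map || typeof map !== "object") continue;
    for (const name of Object.keys(map)) {
      const here = `${path}/${mapKey}/${name}`;
      if (!IDENT.test(name)) problems.push(`invalid name at ${here}`);
      problems.push(...validateDescriptor(map[name], here));
    }
  }
  for (const prop of TYPE_PROPS) {
    if (prop in node && !(typeof node[prop] === "string" && TYPE_REF.test(node[prop]))) {
      problems.push(`invalid ${prop} at ${path || "/"}`);
    }
  }
  return problems;
}

function isSafeDescriptor(descriptor) {
  return validateDescriptor(descriptor).length === 0;
}

// Constructed sample inputs (not taken from the advisory).
const SAFE = { nested: { pkg: { nested: {
  Msg: { fields: { name: { type: "string", id: 1 }, ref: { type: ".pkg.Msg", id: 2 } } },
  Svc: { methods: { Get: { requestType: "Msg", responseType: "pkg.Msg" } } },
} } } };
const CRAFTED = { nested: { pkg: { nested: {
  "Msg]; bad()": { fields: { f: { type: "string; bad()", id: 1 } } },
} } } };

module.exports = { validateDescriptor, isSafeDescriptor, SAFE, CRAFTED };
```

Run it before invoking `pbjs` in a build and fail the build when `isSafeDescriptor` returns false; the problem list pinpoints the offending path in the descriptor.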


Affected packages

npm / protobufjs-cli
First affected version: 0; fixed version: 1.3.2
Fix: npm install protobufjs-cli@1.3.2

npm / protobufjs-cli
First affected version: 2.0.0; fixed version: 2.5.0
Fix: npm install protobufjs-cli@2.5.0

References