
Potential fix for code scanning alert no. 1: Prototype-polluting assignment

Open adhityan opened this issue 2 months ago • 2 comments

Potential fix for https://github.com/llm-tools/embedJs/security/code-scanning/1

To prevent prototype pollution, we need to ensure that the key parameter cannot be a special property like __proto__, constructor, or prototype. This can be achieved by validating the key parameter before using it to access or modify the loaderCustomValues object. Alternatively, we can replace the plain object loaderCustomValues with a prototype-less object created using Object.create(null).

The best approach here is to use a prototype-less object for loaderCustomValues, as it inherently prevents prototype pollution without requiring additional validation logic. This change will involve:

  1. Modifying the initialization of loaderCustomValues in the init method to use Object.create(null).
  2. Ensuring that all operations on loaderCustomValues remain compatible with a prototype-less object.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


[!NOTE] Use a prototype-less object for loaderCustomValues and validate disallowed keys in loaderCustomGet to prevent prototype pollution.

  • Security/Store:
    • Initialize loaderCustomValues with Object.create(null) in core/embedjs/src/store/memory-store.ts.
    • Add key validation in loaderCustomGet to reject __proto__, constructor, and prototype.

Written by Cursor Bugbot for commit 173573ee3ab0b51c7ad9508463fa8f946610f4d4. This will update automatically on new commits. Configure here.

adhityan, Nov 14 '25 21:11
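The two changes the description lists, side by side, as an added example (not code from embedJs): a store whose loaderCustomValues is a plain object literal next to one that uses Object.create(null) and rejects the special keys in loaderCustomGet. VulnerableStore, HardenedStore, loaderCustomSet and prototypeWasReplaced are assumed names for illustration; only loaderCustomGet and loaderCustomValues come from the page.

```typescript
// Added example, not embedJs's own code. Stand-in for a memory store that
// keeps per-loader custom values under a caller-supplied string key.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: plain object literal. Assigning key "__proto__" with an
// object value hits the inherited __proto__ setter and swaps the prototype
// instead of storing an own property; lookups also leak inherited members.
class VulnerableStore {
  private loaderCustomValues: Record<string, unknown> = {};

  loaderCustomSet(key: string, value: unknown): void {
    this.loaderCustomValues[key] = value;
  }

  loaderCustomGet(key: string): unknown {
    return this.loaderCustomValues[key]; // 'constructor' returns Object
  }
}

// Hardened shape, following the PR: (1) prototype-less backing object, so
// there is no chain to pollute or read; (2) explicit key validation as
// defence in depth; (3) own-property check on reads.
class HardenedStore {
  private loaderCustomValues: Record<string, unknown> = Object.create(null);

  private static assertKey(key: string): void {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`disallowed loader custom key: ${key}`);
    }
  }

  loaderCustomSet(key: string, value: unknown): void {
    HardenedStore.assertKey(key);
    this.loaderCustomValues[key] = value;
  }

  loaderCustomGet(key: string): unknown {
    HardenedStore.assertKey(key);
    return Object.prototype.hasOwnProperty.call(this.loaderCustomValues, key)
      ? this.loaderCustomValues[key]
      : undefined;
  }
}

// Probe: after writing "__proto__", was the backing object's prototype
// replaced by the supplied value? true for the plain object, false otherwise.
function prototypeWasReplaced(store: VulnerableStore | HardenedStore): boolean {
  const marker = { polluted: true };
  try { store.loaderCustomSet('__proto__', marker); } catch { /* rejected */ }
  return Object.getPrototypeOf((store as any)['loaderCustomValues']) === marker;
}
```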

View your CI Pipeline Execution ↗ for commit 173573ee3ab0b51c7ad9508463fa8f946610f4d4

Command                | Status       | Duration | Result
nx run-many --t=build  | ✅ Succeeded | 14s      | View ↗

☁️ Nx Cloud last updated this comment at 2025-11-14 21:40:23 UTC

nx-cloud[bot], Nov 14 '25 21:11