fix(store): use Object.create(null) for plain lookup maps to prevent prototype pollution

[arturovt]

Objects used as string-keyed dictionaries (state names, action types, status strings) were initialized with {}, inheriting Object.prototype. A key matching an inherited property (e.g. constructor, hasOwnProperty) would return a truthy prototype value instead of undefined, causing silent mismatch in lookups.

Replaced all such maps with Object.create(null) in:

• ɵensureStoreMetadata — actions map keyed by action type
• StateFactory._statesByName / _statePaths
• buildGraph, nameToState, findFullParentPath, topologicalSort in internals.ts
• createAllowedActionTypesMap / createAllowedStatusesMap in of-action.ts

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 545462c

Command	Status	Duration	Result
nx run-many --target=test --all --configuration...	✅ Succeeded	1m 14s	View ↗
nx lint-types store	✅ Succeeded	<1s	View ↗
nx run-many --target=lint --all --configuration...	✅ Succeeded	7s	View ↗
nx run-many --target=build --all	✅ Succeeded	1m	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-06-02 19:35:43 UTC

[pkg-pr-new]

Open in StackBlitz

@ngxs/devtools-plugin

npm i https://pkg.pr.new/@ngxs/devtools-plugin@2446

@ngxs/form-plugin

npm i https://pkg.pr.new/@ngxs/form-plugin@2446

@ngxs/hmr-plugin

npm i https://pkg.pr.new/@ngxs/hmr-plugin@2446

@ngxs/router-plugin

npm i https://pkg.pr.new/@ngxs/router-plugin@2446

@ngxs/storage-plugin

npm i https://pkg.pr.new/@ngxs/storage-plugin@2446

@ngxs/store

npm i https://pkg.pr.new/@ngxs/store@2446

@ngxs/websocket-plugin

npm i https://pkg.pr.new/@ngxs/websocket-plugin@2446

commit: 545462c

[bundlemon]

BundleMon

Files updated (2)

Status	Path	Size	Limits
❌	fesm2022/ngxs-store.mjs	116.47KB (+136B +0.11%)	114KB / +0.5%
✅	fesm2022/ngxs-store-internals.mjs	12.71KB (+17B +0.13%)	15KB / +0.5%

Unchanged files (4)

Status	Path	Size	Limits
✅	fesm2022/ngxs-store-operators.mjs	15.7KB	16KB / +0.5%
✅	fesm2022/ngxs-store-internals-testing.mjs	10.32KB	13KB / +0.5%
✅	fesm2022/ngxs-store-plugins.mjs	2.37KB	3KB / +0.5%
✅	fesm2022/ngxs-store-experimental.mjs	574B	2KB / +0.5%

Total files change +153B +0.09%

Groups updated (1)

Status	Path	Size	Limits
✅	@ngxs/store(fesm2022)[gzip] ./fesm2022/*.mjs	39.51KB (+15B +0.04%)	+1%

Final result: ❌

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[bundlemon]

BundleMon (NGXS Plugins)

Unchanged files (9)

Status	Path	Size	Limits
✅	Plugins(fesm2022)[gzip] storage-plugin/fesm2022/ngxs-storage-plugin.m js	4.17KB	+0.5%
✅	Plugins(fesm2022)[gzip] router-plugin/fesm2022/ngxs-router-plugin.mjs	3.43KB	+0.5%
✅	Plugins(fesm2022)[gzip] hmr-plugin/fesm2022/ngxs-hmr-plugin.mjs	2.78KB	+0.5%
✅	Plugins(fesm2022)[gzip] websocket-plugin/fesm2022/ngxs-websocket-plug in.mjs	2.61KB	+0.5%
✅	Plugins(fesm2022)[gzip] form-plugin/fesm2022/ngxs-form-plugin.mjs	2.51KB	+0.5%
✅	Plugins(fesm2022)[gzip] devtools-plugin/fesm2022/ngxs-devtools-plugin .mjs	2.26KB	+0.5%
✅	Plugins(fesm2022)[gzip] logger-plugin/fesm2022/ngxs-logger-plugin.mjs	2.07KB	+0.5%
✅	Plugins(fesm2022)[gzip] storage-plugin/fesm2022/ngxs-storage-plugin-i nternals.mjs	1004B	+0.5%
✅	Plugins(fesm2022)[gzip] router-plugin/fesm2022/ngxs-router-plugin-int ernals.mjs	453B	+0.5%

No change in files bundle size

Unchanged groups (1)

Status	Path	Size	Limits
✅	All Plugins(fesm2022)[gzip] ./-plugin/fesm2022/.mjs	21.25KB	+0.5%

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[bundlemon]

BundleMon (Integration Projects)

Files updated (1)

Status	Path	Size	Limits
✅	Main bundles(Gzip) hello-world-ng21/dist-integration/browser/mai n-(hash).js	67.99KB (+11B +0.02%)	+1%

Total files change +11B +0.02%

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history