protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

An attacker who can supply a crafted JSON descriptor to `pbjs` static code generation can inject arbitrary JavaScript into the generated output. The root name (via the `--root` option) or type names containing dots, special characters, or JavaScript prototype property names like `__proto__` or `constructor` could be used to inject code. The injected code executes when the generated file is imported or executed and an affected API path is invoked. This bypasses the previous fix (GHSA-6r35-46g8-jcw9 / CVE-2026-44295) because the earlier fix did not address all code paths where unsafe names were concatenated into generated JavaScript.

The vulnerability resides in `cli/targets/static.js` and `cli/targets/json-module.js` where the `rootProp` variable was constructed using `util.safeProp()` (which could produce unsafe dot-notation references) instead of bracket notation with `JSON.stringify()`. Additionally, `buildFunction()` in `cli/targets/static.js` concatenated `type.fullName` directly into generated code without escaping, and `cli/util.js` did not sanitize the `lint` option for comment terminators. The patch also adds duplicate-name detection in `buildNamespace()` and changes `src/roots.js` to use `Object.create(null)` to avoid prototype pollution.

The patches replace `util.safeProp()` with bracket notation using `JSON.stringify()` for root property access, preventing unsafe dot-notation references. A new `objectPath()` helper and `rootMemberRef()` function are introduced to build AST member expressions from escaped path segments rather than concatenating `type.fullName` directly. The `lint` option in `cli/util.js` is now sanitized by escaping `*/` sequences to prevent comment injection. Duplicate generated name detection is added in `buildNamespace()` to reject ambiguous names. `src/roots.js` is changed to `Object.create(null)` to avoid prototype pollution from dictionary root names.