chore(pre-commit): add check-lock-file script

[Alex-huxiyang]

描述

在预提交阶段添加了一个脚本来检查 pnpm-lock.yaml 文件的一致性和完整性。这个脚本将在每次提交代码之前运行，确保所有依赖项的版本都被正确锁定，并且没有未提交的更改。

动机

为了确保项目依赖的稳定性和可重现性，我们需要在每次提交之前验证锁文件的正确性。这有助于避免因依赖项版本不一致而导致的构建问题或运行时错误。

更改内容

• 在 package.json 文件的 scripts 部分添加了一个新的脚本 check-lock-file。
• 在 .husky/pre-commit 文件中添加了一个钩子，用于在提交代码之前运行 check-lock-file 脚本。

Summary by CodeRabbit

• 新功能

  • 在提交前添加了锁定文件完整性检查脚本
  • 确保仅使用官方 npm 注册表的包解析路径

• 安全性

  • 增加了对包依赖解析路径的验证机制
  • 防止使用非官方的包下载地址

[coderabbitai]

变更概览

演练

该拉取请求引入了一个新的预提交钩子脚本 check-lock.js，用于验证 pnpm-lock.yaml 文件的完整性。脚本会检查包解析路径，确保所有依赖包仅从官方 npm 注册表下载。如果检测到非官方注册表的包路径，脚本将阻止提交并输出错误信息。

变更

文件	变更描述
.husky/pre-commit	在现有的 npx lint-staged 命令前添加 ./scripts/check-lock.js 脚本执行
scripts/check-lock.js	新增脚本，用于检查 pnpm-lock.yaml 中的包解析路径是否正确

可能相关的 PR

• chore: update to support taro e2e test #2856：涉及 CI 配置修改，与本 PR 修改预提交钩子流程类似

建议标签

3.x

建议审阅者

• oasis-cloud

诗歌

🐰 锁文件守护者，代码之哨兵
检查每一路径，确保依赖正确行
npm 注册表，安全无忧
提交前一扫，质量有保障
兔子在代码中，默默守护 🛡️

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.02%. Comparing base (c53503a) to head (996257c).
Report is 3 commits behind head on next.

Additional details and impacted files

@@           Coverage Diff           @@
##             next    #2916   +/-   ##
=======================================
  Coverage   84.02%   84.02%           
=======================================
  Files         220      220           
  Lines       17917    17917           
  Branches     2628     2628           
=======================================
  Hits        15055    15055           
  Misses       2857     2857           
  Partials        5        5           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

scripts/check-lock.js (1)

6-10: 检测并提示错误注册表路径的实现值得肯定

1. 正则表达式匹配非常清晰，针对 tarball URL 做了排除 registry.npmjs.org 的逻辑，可有效帮助团队发现潜在包来源问题。
2. 抛出 Error 并终止提交流程，保证了研发过程的合规性。
3. 若要增强可读性，可考虑在报错信息中提供更多指导信息，例如在出现错误时提示可能需要清理本地 npm 缓存或更新锁文件等。

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between be5dec0 and 996257c.

📒 Files selected for processing (2)

• .husky/pre-commit (1 hunks)
• scripts/check-lock.js (1 hunks)

🔇 Additional comments (2)

.husky/pre-commit (1)

2-2: 在提交前进行锁文件检查的改动看起来不错

此变更在现有流程中插入了一步锁文件验证脚本，有助于确保依赖项来源的正确性。值得注意的是，如果后续添加其他验证逻辑，也可以在此脚本内统一进行处理，增强可维护性。

scripts/check-lock.js (1)

1-3: 文件与模块导入组织合理

使用 fs 和 path 两个 Node.js 核心模块读取并定位锁文件的方式较为直接，也避免了额外依赖的引入，保持了脚本的轻量级特性。