chore(lefthook): add lockfile integrity and dependency change checks #277
Conversation
- Add lockfile-sync-check: verify package.json/pnpm-workspace.yaml changes are reflected in pnpm-lock.yaml using --frozen-lockfile
- Add lint-all-on-lockfile-change: run full lint when lockfile changes
- Add test-all-on-lockfile-change: run full test suite when lockfile changes

These checks ensure dependency changes are properly validated before push.
Use **/package.json glob pattern to catch changes in workspace packages.
Pull request overview
This PR adds three pre-push Git hooks to validate dependency changes and ensure the lockfile stays synchronized with package manifests. The checks aim to prevent broken builds by running comprehensive tests and linting when dependencies are modified.
- Adds lockfile synchronization verification for package.json and pnpm-workspace.yaml changes
- Triggers full linting when pnpm-lock.yaml is modified
- Triggers full test suite execution when pnpm-lock.yaml is modified
| run: pnpm run lint:knip | ||
| - name: lockfile-sync-check | ||
| glob: '{**/package.json,pnpm-workspace.yaml}' | ||
| run: pnpm install --lockfile-only --frozen-lockfile |
Copilot (AI), Jan 5, 2026
The combination of --lockfile-only and --frozen-lockfile flags is contradictory. The --lockfile-only flag tells pnpm to update the lockfile, while --frozen-lockfile requires that the lockfile must not be modified. This command will fail.
For verifying that package.json/pnpm-workspace.yaml changes are reflected in pnpm-lock.yaml, you should use only --frozen-lockfile (which will fail if the lockfile is out of sync) or consider using pnpm install --frozen-lockfile --dry-run to verify without making changes.
| run: pnpm install --lockfile-only --frozen-lockfile | |
| run: pnpm install --frozen-lockfile --dry-run |
1 issue found across 1 file
<file name="lefthook.yaml">
<violation number="1" location="lefthook.yaml:24">
P2: Glob pattern should include workspace `package.json` files. In this monorepo, changes to `examples/package.json` won't trigger this lockfile sync check. Consider using `'{**/package.json,pnpm-workspace.yaml}'` to catch all package manifest changes.</violation>
</file>
lefthook.yaml
| - name: knip | ||
| run: pnpm run lint:knip | ||
| - name: lockfile-sync-check | ||
| glob: '{package.json,pnpm-workspace.yaml}' |
P2: Glob pattern should include workspace package.json files. In this monorepo, changes to examples/package.json won't trigger this lockfile sync check. Consider using '{**/package.json,pnpm-workspace.yaml}' to catch all package manifest changes.
<file context>
@@ -20,3 +20,12 @@ pre-push:
- name: knip
run: pnpm run lint:knip
+ - name: lockfile-sync-check
+ glob: '{package.json,pnpm-workspace.yaml}'
+ run: pnpm install --lockfile-only --frozen-lockfile
+ - name: lint-all-on-lockfile-change
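Review bot: the `run:` line of the new lockfile-sync-check step combines `--lockfile-only`, which rewrites pnpm-lock.yaml, with `--frozen-lockfile`, which refuses to modify it, so the hook cannot do what its name says; `run: pnpm install --frozen-lockfile` alone is enough, since it exits non-zero when the lockfile does not match the manifests. The `glob:` on the line above it, `'{package.json,pnpm-workspace.yaml}'`, only matches the root manifest, so a change to a workspace package such as `examples/package.json` never triggers the check; `'{**/package.json,pnpm-workspace.yaml}'` covers the workspace packages as well.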
</file context>
| glob: '{package.json,pnpm-workspace.yaml}' | |
| glob: '{**/package.json,pnpm-workspace.yaml}' |
Summary
Add pre-push checks to ensure dependency changes are properly validated:

- package.json/pnpm-workspace.yaml changes are reflected in pnpm-lock.yaml

Why

Ensures that dependency changes don't break the build and that the lockfile stays in sync with package manifests.
Summary by cubic
Add pre-push lefthook checks to keep the pnpm lockfile in sync and validate dependency changes. This blocks pushes when manifests and the lockfile diverge, and runs full lint/tests on lockfile changes.
Written for commit d65855f. Summary will update on new commits.
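The decision logic behind the three pre-push checks described above, written as a standalone POSIX shell script (an added example, not the project's lefthook.yaml). It matches manifests the way the corrected `**/package.json` glob does, runs `pnpm install --frozen-lockfile` without the contradictory `--lockfile-only` flag, and assumes `pnpm run lint` and `pnpm run test` exist as the full lint and test scripts, which the PR does not specify.

```sh
#!/bin/sh
# Standalone pre-push checks mirroring the lefthook steps in this PR (added example).
# Assumed script names: "lint" and "test" are not confirmed by the PR; "lint:knip" is.
set -eu

# 0 when any changed path is a package manifest (root or any workspace package)
# or the workspace definition; mirrors the glob '{**/package.json,pnpm-workspace.yaml}'.
manifests_changed() {
  for f in "$@"; do
    case "$f" in
      package.json|*/package.json|pnpm-workspace.yaml) return 0 ;;
    esac
  done
  return 1
}

# 0 when pnpm-lock.yaml itself is among the changed paths.
lockfile_changed() {
  for f in "$@"; do
    case "$f" in
      pnpm-lock.yaml) return 0 ;;
    esac
  done
  return 1
}

# Given the changed paths, print the names of the checks that must run, one per line.
# Pure function so the gating logic can be tested without git or pnpm present.
plan_checks() {
  if manifests_changed "$@"; then echo lockfile-sync-check; fi
  if lockfile_changed "$@"; then echo lint-all; echo test-all; fi
}

# Run the planned checks against the commits about to be pushed.
# Paths are assumed to contain no whitespace (word splitting is relied on).
run_checks() {
  changed=$(git diff --name-only '@{upstream}..HEAD' 2>/dev/null || true)
  for c in $(plan_checks $changed); do
    case "$c" in
      # Fails (non-zero exit) when pnpm-lock.yaml is stale relative to the manifests.
      lockfile-sync-check) pnpm install --frozen-lockfile ;;
      lint-all)            pnpm run lint ;;
      test-all)            pnpm run test ;;
    esac
  done
}
```

Invoke `run_checks` from the pre-push hook; any failing `pnpm` command aborts the push because of `set -e`.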