Fix: Correct misleading security comment in shakapacker.yml

The comment claimed "The hook command will be validated to ensure it
points to a file within the project root" but no such validation exists
in the codebase. Updated the comment to accurately reflect that users
must ensure the hook path points to a trusted file they control.

This removes the false promise of automatic validation and places the
security responsibility appropriately on the user configuring the hook.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: justin808

lib/generators/react_on_rails/templates/base/base/config/shakapacker.yml

@@ -43,8 +43,8 @@ default: &default
   ensure_consistent_versioning: true
 
   # Hook to run before webpack compilation (e.g., for generating dynamic entry points)
-  # SECURITY: Only reference trusted scripts within your project. The hook command will be
-  # validated to ensure it points to a file within the project root.
+  # SECURITY: Only reference trusted scripts within your project. Ensure the hook path
+  # points to a file within the project root that you control.
   precompile_hook: 'bin/shakapacker-precompile-hook'
 
   # Select whether the compiler will use SHA digest ('digest' option) or most recent modified timestamp ('mtime') to determine freshness

spec/dummy/config/shakapacker.yml

@@ -22,8 +22,8 @@ default: &default
   nested_entries: true
 
   # Hook to run before webpack compilation (e.g., for generating dynamic entry points)
-  # SECURITY: Only reference trusted scripts within your project. The hook command will be
-  # validated to ensure it points to a file within the project root.
+  # SECURITY: Only reference trusted scripts within your project. Ensure the hook path
+  # points to a file within the project root that you control.
   precompile_hook: 'bin/shakapacker-precompile-hook'
 
 development: