build: 添加postinstall脚本以收集使用统计信息

[kaxium]

🤔 这个变动的性质是？

• 新特性提交
• 日常 bug 修复
• 站点、文档改进
• 演示代码改进
• 组件样式/交互改进
• TypeScript 定义更新
• 包体积优化
• 性能优化
• 功能增强
• 国际化改进
• 重构
• 代码风格优化
• 测试用例
• 分支合并
• [✅ ] 其他改动（添加统计）

🔗 相关 Issue

💡 需求背景和解决方案

统计组件安装数据，内网生效

☑️ 请求合并前的自查清单

⚠️ 请自检并全部勾选全部选项。⚠️

• [✅ ] 文档已补充或无须补充
• [ ✅ ] 代码演示已提供或无须提供
• [ ✅ ] TypeScript 定义已补充或无须补充
• [ ✅ ] fork仓库代码是否为最新避免文件冲突
• [ ✅ ] Files changed 没有 package.json lock 等无关文件

Summary by CodeRabbit

发行说明

• 杂务
  • 优化了发布包生成过程，在安装期间添加自动执行钩子。
  • 更新了包文件清单以包含新的安装后处理脚本。
  • 集成了可选工具依赖。

[coderabbitai]

概述

在发布包生成过程中，添加了 postinstall 生命周期钩子。该钩子在安装时执行 npm-usage-stats-tool，同时更新了构建脚本以将相关文件复制到发布目录，并向 package.json 注入必需的依赖声明。

变更

内聚类 / 文件	摘要
构建脚本更新 scripts/build-taro.mjs, scripts/build.mjs	在生成的 package.json 中添加 postinstall 脚本钩子和 optionalDependencies，扩展 files 列表以包含 postinstall.js，并在发布过程中复制该脚本文件。
Postinstall 脚本实现 scripts/postinstall.js	新增脚本，在安装时禁用并执行 npm-usage-stats 工具，错误被静默处理。

审查工作量估计

🎯 2 (简单) | ⏱️ ~10 分钟

建议审查者

• irisSong

诗歌

🐰 小兔蹦蹦跳，postinstall 来报到，
构建脚本改一改，统计工具装起来，
安装完成欢呼喜，npm 生态更完美！

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	PR标题准确描述了主要变动：在构建流程中添加postinstall脚本以收集使用统计信息，简洁明了。
Description check	✅ Passed	PR描述已填写了变动性质、需求背景和解决方案，并完成了自检清单的勾选，基本满足模板要求。
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Warning

⚠️ This pull request might be slop. It has been flagged by CodeRabbit slop detection and should be reviewed carefully.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

scripts/build-taro.mjs (1)

531-531: copy postinstall.js 与 build.mjs 第 415 行逻辑一致

建议在抽取公共 release 打包逻辑时把这一行也一起下沉。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/build-taro.mjs` at line 531, The copy of postinstall.js is duplicated
in build-taro.mjs (the await copy(join(__dirname, '../scripts/postinstall.js'),
join(`${npmPublishDir}/postinstall.js`)) line) and should be folded into the
shared release packaging logic used by build.mjs; refactor by removing this
standalone copy from build-taro.mjs and invoking the existing common function or
moving the copy call into the centralized release packager (reuse the same
implementation that handles postinstall.js in build.mjs) so the operation uses
the shared helper and npmPublishDir variable rather than duplicating the logic.

scripts/build.mjs (1)

383-420: build.mjs 与 build-taro.mjs 的 release 包生成逻辑几乎重复，建议抽取公用函数

generateReleasePackageJson 和 copyReleaseFiles 这两段，除了 name、删除的 icons 依赖、dist 路径之外，与 scripts/build-taro.mjs 里的对应实现完全一致，本次新增的 postinstall 脚本/files/optionalDependencies/copy postinstall.js 四处改动也被同步复制到了两个文件里。未来任何一处变更（例如后面要再加 opt‑out 文档、改遥测工具版本）都会再次面临"改一处漏一处"的风险。

可考虑抽到 scripts/build-release-shared.mjs 之类的公共模块，两个入口只传入不同的参数（name、dist、removeDep）。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/build.mjs` around lines 383 - 420, The two duplicated functions
generateReleasePackageJson and copyReleaseFiles should be extracted into a
shared module (e.g., scripts/build-release-shared.mjs) that exports a single
parameterized helper (e.g., buildRelease({ name, dist, removeDep })) or two
smaller functions (generateReleasePackageJson and copyReleaseFiles) which accept
parameters for name, dist path and dependency-to-remove; move the common logic
(postinstall, files array, optionalDependencies, copying
README/CHANGELOG/postinstall.js and lottie animation) into that shared module,
implement removal of the specified dependency inside generateReleasePackageJson
using the passed removeDep symbol, and update build.mjs and build-taro.mjs to
import and call the shared helper with their respective name/dist/removeDep
values (ensuring package.json write path still uses the provided dist), so
future changes live in one place.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/build.mjs`:
- Around line 407-409: Replace the optionalDependencies entry that pins
'@jmfe/npm-usage-stats-tool' to 'latest' with a stable semver range or exact
version (e.g., '^1.0.0' or '1.2.3') in both places where it's defined (the
optionalDependencies object in scripts/build.mjs and the matching entry in
scripts/build-taro.mjs); also add or update the README to note this package is
an internal-only dependency hosted on a private registry so external users may
see 404/auth errors.

---

Nitpick comments:
In `@scripts/build-taro.mjs`:
- Line 531: The copy of postinstall.js is duplicated in build-taro.mjs (the
await copy(join(__dirname, '../scripts/postinstall.js'),
join(`${npmPublishDir}/postinstall.js`)) line) and should be folded into the
shared release packaging logic used by build.mjs; refactor by removing this
standalone copy from build-taro.mjs and invoking the existing common function or
moving the copy call into the centralized release packager (reuse the same
implementation that handles postinstall.js in build.mjs) so the operation uses
the shared helper and npmPublishDir variable rather than duplicating the logic.

In `@scripts/build.mjs`:
- Around line 383-420: The two duplicated functions generateReleasePackageJson
and copyReleaseFiles should be extracted into a shared module (e.g.,
scripts/build-release-shared.mjs) that exports a single parameterized helper
(e.g., buildRelease({ name, dist, removeDep })) or two smaller functions
(generateReleasePackageJson and copyReleaseFiles) which accept parameters for
name, dist path and dependency-to-remove; move the common logic (postinstall,
files array, optionalDependencies, copying README/CHANGELOG/postinstall.js and
lottie animation) into that shared module, implement removal of the specified
dependency inside generateReleasePackageJson using the passed removeDep symbol,
and update build.mjs and build-taro.mjs to import and call the shared helper
with their respective name/dist/removeDep values (ensuring package.json write
path still uses the provided dist), so future changes live in one place.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 529d36fe-f1cb-4e26-918d-df2d84f65ca3

📥 Commits

Reviewing files that changed from the base of the PR and between e409673 and 5e1b11b.

📒 Files selected for processing (3)

• scripts/build-taro.mjs
• scripts/build.mjs
• scripts/postinstall.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the scripts/build.mjs file around lines 407-409
cd . && wc -l scripts/build.mjs

Repository: jdf2e/nutui-react

Length of output: 83

---

🏁 Script executed:

# Check the build.mjs file around the mentioned lines
head -420 scripts/build.mjs | tail -30

Repository: jdf2e/nutui-react

Length of output: 1528

---

🏁 Script executed:

# Check scripts/build-taro.mjs for lines 523-525
wc -l scripts/build-taro.mjs

Repository: jdf2e/nutui-react

Length of output: 88

---

🏁 Script executed:

# Check build-taro.mjs around lines 523-525
if [ -f scripts/build-taro.mjs ]; then
  sed -n '515,535p' scripts/build-taro.mjs
fi

Repository: jdf2e/nutui-react

Length of output: 1093

---

🏁 Script executed:

# Check if there's a package.json with information about dependencies
cat package.json | grep -A 50 "optionalDependencies" | head -20

Repository: jdf2e/nutui-react

Length of output: 43

---

🌐 Web query:

@jmfe/npm-usage-stats-tool npm registry public

💡 Result:

No evidence found of a package named "@jmfe/npm-usage-stats-tool" on the public npm registry. Extensive searches across npm registry pages, general web, GitHub, and people/LinkedIn profiles returned no matching results. Similar packages exist for npm usage/download stats (e.g., @mcptoolshop/registry-stats, npm-statistic), and the @jmfe scope has other packages like @jmfe/jm-jdshare, but not this specific one. It may be private, internal, unpublished, or a misspelling.

Citations:

• 1: https://npm-stat.com/
• 2: https://www.npmjs.com/package/usage-stats
• 3: https://registry.npmjs.org/%40mcptoolshop%2Fregistry-stats
• 4: https://registry.npmjs.org/npm-statistic
• 5: https://npmtrends.com/
• 6: https://registry.npmjs.org/@jsfe/form
• 7: https://registry.npmjs.org/jmf-subscription
• 8: https://registry.npmjs.org/%40jsfe%2Fmaterial
• 9: https://registry.npmjs.org/jmd-scripts
• 10: https://npm.io/package/@jmfe/jm-jdshare

---

optionalDependencies 不要使用 latest，请改为固定版本或 caret 范围

已确认 @jmfe/npm-usage-stats-tool 在 npm 公开注册表中不存在，这意味着：

1. 不可复现：每次用户安装都会拉取当时的最新版本，下游行为可能突然变化，导致线上问题难以复现
2. 供应链风险：latest tag 可被仓库 owner 随时移动，一旦被劫持或发布恶意版本，所有下游安装都会执行新版本代码
3. 外部用户体验差：由于该包仅存在于内部 registry，外网用户安装时会看到 404/认证失败的噪音日志

需要改为明确的语义化版本（例如 '^1.0.0' 或 '1.2.3'），并在 README 中说明这是内部依赖。两处都需要修改：

• scripts/build.mjs 第 407-409 行
• scripts/build-taro.mjs 中的相同位置

♻️ 改法示例

     optionalDependencies: {
-      '@jmfe/npm-usage-stats-tool': 'latest'
+      '@jmfe/npm-usage-stats-tool': '^1.0.0'
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/build.mjs` around lines 407 - 409, Replace the optionalDependencies
entry that pins '@jmfe/npm-usage-stats-tool' to 'latest' with a stable semver
range or exact version (e.g., '^1.0.0' or '1.2.3') in both places where it's
defined (the optionalDependencies object in scripts/build.mjs and the matching
entry in scripts/build-taro.mjs); also add or update the README to note this
package is an internal-only dependency hosted on a private registry so external
users may see 404/auth errors.