

@dependabot dependabot bot commented on behalf of github Sep 25, 2025

Bumps react_on_rails from 15.0.0 to 16.1.1.

Changelog

Sourced from react_on_rails's changelog.

[16.1.1] - 2025-09-24

Bug Fixes

  • React Server Components: Fixed bug in resolving react-server-client-manifest.json file path. The manifest file path is now correctly resolved using bundle_js_file_path for improved configuration flexibility and consistency in bundle management. PR 1818 by AbanoubGhadban

[16.1.0] - 2025-09-23

New Features

  • Server Bundle Security: Added new configuration options for enhanced server bundle security and organization:

    • server_bundle_output_path: Configurable directory (relative to the Rails root) for server bundle output (default: "ssr-generated"). If set to nil, the server bundle will be loaded from the same public directory as client bundles. PR 1798 by justin808
    • enforce_private_server_bundles: When enabled, ensures server bundles are only loaded from private directories outside the public folder (default: false for backward compatibility) PR 1798 by justin808
  • Improved Bundle Path Resolution: Bundle path resolution for server bundles now works as follows:

    • If server_bundle_output_path is set, the server bundle is loaded from that directory.
    • If server_bundle_output_path is not set, the server bundle falls back to the client bundle directory (typically the public output path).
    • If enforce_private_server_bundles is enabled:
      • The server bundle will only be loaded from the private directory specified by server_bundle_output_path.
      • If the bundle is not found there, it will not fall back to the public directory.
    • If enforce_private_server_bundles is not enabled and the bundle is not found in the private directory, it will fall back to the public directory.
    • This logic ensures that, when strict enforcement is enabled, server bundles are never loaded from public directories, improving security and clarity of bundle resolution. PR 1798 by justin808
  • react_on_rails:doctor rake task: New diagnostic command to validate React on Rails setup and identify configuration issues. Provides comprehensive checks for environment prerequisites, dependencies, Rails integration, and Webpack configuration. Use rake react_on_rails:doctor to diagnose your setup, with optional VERBOSE=true for detailed output. PR 1791 by AbanoubGhadban

Deprecations

  • Deprecated generated_assets_dirs configuration: The legacy config.generated_assets_dirs option is now deprecated and will show a deprecation warning if used. Since Shakapacker is now required, asset paths are automatically determined from shakapacker.yml configuration. Remove any config.generated_assets_dirs from your config/initializers/react_on_rails.rb file. Use public_output_path in config/shakapacker.yml to customize asset output location instead. PR 1798 by justin808

API Improvements

  • Method Naming Clarification: Added public_bundles_full_path method to clarify bundle path handling:
    • public_bundles_full_path: New method specifically for webpack bundles in public directories
    • generated_assets_full_path: Now deprecated (backwards-compatible alias)
    • This eliminates confusion between webpack bundles and general Rails public assets PR 1798 by justin808

Security Enhancements

  • Private Server Bundle Enforcement: When enforce_private_server_bundles is enabled, server bundles bypass public directory fallbacks and are only loaded from designated private locations PR 1798 by justin808
  • Path Validation: Added validation to ensure server_bundle_output_path points to private directories when enforcement is enabled PR 1798 by justin808
  • Fixed command injection vulnerabilities: Replaced unsafe string interpolation in generator package installation commands with secure array-based system calls PR 1786 by justin808
  • Improved input validation: Enhanced package manager validation and argument sanitization across all generators PR 1786 by justin808
  • Hardened DOM selectors: Using CSS.escape() and proper JavaScript escaping for XSS protection PR 1791 by AbanoubGhadban

Pro License Features

  • Core/Pro separation: Moved Pro features into dedicated lib/react_on_rails/pro/ and node_package/src/pro/ directories with clear licensing boundaries PR 1791 by AbanoubGhadban
  • Runtime license validation: Implemented Pro license gating with graceful fallback to core functionality when Pro license unavailable PR 1791 by AbanoubGhadban

... (truncated)

Commits
  • 2682cf8 Release 16.1.1
  • 0671d67 Update CHANGELOG.md with user-facing changes only (#1820)
  • fb026d5 Enhance contribution guidelines and add licensing FAQ for monorepo tr… (#1819)
  • 199071c Fix bug at resolving react-server-client-manifest.json file (#1818)
  • 1204d15 Add monorepo merger plan documentation for React on Rails (#1817)
  • 6fdfc08 Improve server bundle security test coverage and fix misleading comments (#1815)
  • 3c6e749 Update changelog links for version 16.1.0
  • 5ed6b35 Update Gemfile.lock after auto-formatting
  • 0ae446c Fix release script: Only commit Gemfile.lock if there are staged changes
  • 09e7f68 Release 16.1.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
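The bundle-resolution rules quoted in the changelog above (server_bundle_output_path, enforce_private_server_bundles, public fallback, and the path validation under "Security Enhancements"), worked through as an added Ruby example. This is not react_on_rails's own implementation: the ServerBundleConfig struct, the validate_private_path! and resolve_server_bundle_path names, the assumption that enforcement requires a non-nil private path and rejects any path under <root>/public, and the public/<public_output_path> layout are all assumptions made for the illustration. File existence is injected so the logic can be exercised offline.

```ruby
require "pathname"

# Hypothetical stand-in for the gem's configuration object (assumption, not
# react_on_rails's own class). Paths are relative to rails_root.
ServerBundleConfig = Struct.new(
  :rails_root,                     # application root, e.g. "/app"
  :public_output_path,             # Shakapacker public_output_path, under <root>/public
  :server_bundle_output_path,      # private dir for server bundles, or nil
  :enforce_private_server_bundles, # true: never fall back to public directories
  keyword_init: true
)

class InvalidServerBundlePath < StandardError; end

# Mirrors the changelog's "Path Validation" item: when enforcement is on, the
# private directory must be set and must not live under <root>/public.
# The exact rule the gem applies is an assumption here.
def validate_private_path!(config)
  return unless config.enforce_private_server_bundles
  if config.server_bundle_output_path.nil?
    raise InvalidServerBundlePath,
          "server_bundle_output_path must be set when enforce_private_server_bundles is enabled"
  end

  root = Pathname.new(config.rails_root).expand_path
  private_dir = root.join(config.server_bundle_output_path).expand_path
  public_dir = root.join("public").expand_path
  # Compare on a path-component boundary so "publicx" is not mistaken for "public".
  inside_public = private_dir.to_s == public_dir.to_s ||
                  private_dir.to_s.start_with?(public_dir.to_s + File::SEPARATOR)
  raise InvalidServerBundlePath, "#{private_dir} is inside the public directory" if inside_public
end

# Returns the absolute path of the server bundle to load, or nil when nothing
# eligible exists. `exists` is injected so tests can run without a filesystem.
def resolve_server_bundle_path(config, bundle_name, exists: ->(p) { File.exist?(p) })
  validate_private_path!(config)
  # A bundle name is a bare file name; reject anything carrying directory parts.
  unless File.basename(bundle_name) == bundle_name
    raise ArgumentError, "bundle name must be a bare file name: #{bundle_name.inspect}"
  end

  root = Pathname.new(config.rails_root).expand_path
  public_candidate = root.join("public", config.public_output_path, bundle_name).to_s

  # No private directory configured: the server bundle sits beside the client bundles.
  if config.server_bundle_output_path.nil?
    return exists.call(public_candidate) ? public_candidate : nil
  end

  private_candidate = root.join(config.server_bundle_output_path, bundle_name).to_s
  return private_candidate if exists.call(private_candidate)

  # Strict mode: the bundle is loaded from the private directory or not at all.
  return nil if config.enforce_private_server_bundles

  # Lenient mode: fall back to the public output path.
  exists.call(public_candidate) ? public_candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: only the private copy of the bundle exists.
  present = ["/app/ssr-generated/server-bundle.js"]
  cfg = ServerBundleConfig.new(rails_root: "/app", public_output_path: "packs",
                               server_bundle_output_path: "ssr-generated",
                               enforce_private_server_bundles: true)
  puts resolve_server_bundle_path(cfg, "server-bundle.js", exists: ->(p) { present.include?(p) })
end
```

Running it with enforcement on and only a public copy of the bundle present returns nil rather than silently serving the public file, which is the behaviour the changelog describes as the point of the option.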
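The command-injection fix listed under "Security Enhancements" (PR 1786: interpolated strings replaced by array-based system calls, plus package-manager validation and argument sanitization), illustrated with added Ruby code that is not the gem's generator code. The ALLOWED_PACKAGE_MANAGERS list, the PACKAGE_SPEC pattern, the install_argv and run_install names, and the npm-uses-install / others-use-add mapping are assumptions made for the illustration.

```ruby
# Added illustration of the array-based system call pattern; names, allowlist
# and regex are assumptions, not react_on_rails's own generator code.

# Package managers the generator may invoke (assumed allowlist).
ALLOWED_PACKAGE_MANAGERS = %w[npm yarn pnpm bun].freeze

# Conservative shape for a package spec: optional @scope/, a name that starts
# with a letter or digit (so it can never be read as a flag), and an optional
# @version-or-range. Whitespace, ';', '|', '&', '$', backticks and quotes are
# all rejected before anything reaches a subprocess.
PACKAGE_SPEC = %r{\A(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9._^~<>=*-]+)?\z}

class UnsafeInstallArgument < ArgumentError; end

# The shape the changelog says was replaced: one string handed to a shell.
# Kept only to show the contrast; this example never executes it.
def interpolated_install_command(package_manager, packages)
  "#{package_manager} add #{packages.join(' ')}"
end

def validate_package_manager!(package_manager)
  return package_manager if ALLOWED_PACKAGE_MANAGERS.include?(package_manager)
  raise UnsafeInstallArgument, "unsupported package manager: #{package_manager.inspect}"
end

def validate_package_spec!(spec)
  return spec if spec.is_a?(String) && spec.match?(PACKAGE_SPEC)
  raise UnsafeInstallArgument, "rejected package spec: #{spec.inspect}"
end

# Builds the argv for Kernel#system. With more than one element Ruby execs the
# program directly and no shell parses the arguments, so a metacharacter that
# survived validation would still be passed literally, never interpreted.
def install_argv(package_manager, packages)
  pm = validate_package_manager!(package_manager)
  specs = packages.map { |p| validate_package_spec!(p) }
  raise UnsafeInstallArgument, "no packages given" if specs.empty?

  subcommand = pm == "npm" ? "install" : "add"
  [pm, subcommand, *specs]
end

# Runs the install through an injectable runner so tests can capture the argv
# instead of spawning a real process.
def run_install(package_manager, packages, runner: ->(*argv) { system(*argv) })
  runner.call(*install_argv(package_manager, packages))
end

if __FILE__ == $PROGRAM_NAME
  puts install_argv("yarn", ["react", "react-dom@18.3.1"]).inspect
  begin
    # Constructed malicious-looking input; rejected by validation, never run.
    install_argv("yarn", ["react; echo injected"])
  rescue UnsafeInstallArgument => e
    puts "rejected: #{e.message}"
  end
end
```

Two layers matter here: validation rejects anything that does not look like a package spec, and the array form of system guarantees that even a value which passed validation is one argv entry rather than shell text. Either layer alone is weaker; the interpolated form relies on neither.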

Bumps [react_on_rails](https://github.com/shakacode/react_on_rails) from 15.0.0 to 16.1.1.
- [Changelog](https://github.com/shakacode/react_on_rails/blob/master/CHANGELOG.md)
- [Commits](shakacode/react_on_rails@15.0.0...16.1.1)

---
updated-dependencies:
- dependency-name: react_on_rails
  dependency-version: 16.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Sep 25, 2025

coderabbitai bot commented Sep 25, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.
