fix: allow webpack-dev-server v6#1102
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
✅ Files skipped from review due to trivial changes (4)
🚧 Files skipped from review as they are similar to previous changes (2)
WalkthroughThis PR expands the configured and documented Changeswebpack-dev-server v6 Support
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Greptile SummaryThis PR widens the
Confidence Score: 4/5Safe to merge — the change is a one-line peer dependency range widening applied consistently across all three relevant files, with no runtime code touched. The dependency range update is correct and consistent. The only gap is a missing CHANGELOG entry that the project's own conventions require for user-visible fixes like this one. CHANGELOG.md should receive an entry under the Unreleased section before merging. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Shakapacker 10.x] --> B{webpack-dev-server version?}
B -->|v5.2.2 and above| C[Supported before this PR]
B -->|v6.0.0 and above| D[Newly supported by this PR]
B -->|v4.x or older| E[Not supported]
C --> F[peerDependencies range updated]
D --> F
Reviews (1): Last reviewed commit: "fix: allow `webpack-dev-server` v6" | Re-trigger Greptile |
|
@G-Rath I asked copilot about the failing CI: The failure is happening during the generator install step itself, not in the assertions afterward. The common failing point is the shell command launched from
That command is executed through Most likely root causeThe failures line up with the PR’s new Babel-related expectations:
Because 63 examples fail across npm/pnpm/bun/TypeScript/auto-detect cases, this strongly suggests the installer now writes or validates package/config state inconsistently and aborts early for all variants. Focused solutionFix the installer so transpiler selection is centralized and consistent: 1. Compute transpiler mode onceIn the install code, derive one value from env/options: transpiler =
if ENV["JAVASCRIPT_TRANSPILER"] == "babel"
"babel"
elsif Shakapacker::Utils::Misc.object_to_boolean(ENV["USE_BABEL_PACKAGES"])
"babel"
else
"swc"
endUse that same value everywhere:
2. Separate “runtime transpiler” from “installed compatibility packages”Based on the spec:
That means the dependency logic should look more like: use_babel_packages = Shakapacker::Utils::Misc.object_to_boolean(ENV["USE_BABEL_PACKAGES"])
babel_only = ENV["JAVASCRIPT_TRANSPILER"] == "babel"
dependencies = base_dependencies.dup
dependencies.merge!(babel_dependencies) if use_babel_packages || babel_only
dependencies.merge!(swc_dependencies) unless babel_only3. Update
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 123: The peerDependencies entry for "webpack-dev-server" lists a
non-existent v6 range ("^5.2.2 || ^6.0.0"); update the package.json
peerDependencies so the "webpack-dev-server" range only includes valid released
versions (remove the "|| ^6.0.0" portion), e.g., change the value to "^5.2.2"
(or to a single valid v5 range such as "^5.2.2" or a bumped v5 like "^5.2.4" if
you want to target the latest patch).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: cacd7101-6b82-4290-8708-0801cc39152a
📒 Files selected for processing (3)
docs/peer-dependencies.mdlib/install/package.jsonpackage.json
| "webpack-assets-manifest": "^5.0.6 || ^6.0.0", | ||
| "webpack-cli": "^4.9.2 || ^5.0.0 || ^6.0.0 || ^7.0.0", | ||
| "webpack-dev-server": "^5.2.2", | ||
| "webpack-dev-server": "^5.2.2 || ^6.0.0", |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify webpack-dev-server v6 availability and security status
# Check available versions on npm
echo "=== Checking webpack-dev-server versions on npm ==="
curl -s https://registry.npmjs.org/webpack-dev-server | jq -r '.versions | keys[] | select(startswith("6."))' | head -10
echo -e "\n=== Checking latest version ==="
curl -s https://registry.npmjs.org/webpack-dev-server/latest | jq -r '.version'
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(first: 5, ecosystem: NPM, package: "webpack-dev-server") {
nodes {
advisory {
ghsaId
summary
severity
publishedAt
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'Repository: shakacode/shakapacker
Length of output: 1097
🌐 Web query:
webpack-dev-server v6 migration guide breaking changes
💡 Result:
As of May 16, 2026, webpack-dev-server has not released a version 6.0.0 [1][2]. The current stable version is in the 5.x series (specifically 5.2.4, released May 11, 2026) [2]. Because no v6 release exists, there is no official migration guide for it. If you are looking to migrate to the latest version, you should refer to the migration guide for v5.0.0 [3][1]. Key breaking changes introduced in the v5.0.0 release include: - Minimum Node.js version: 18.12.0 [3]. - Minimum webpack version: 5.0.0 [3]. - Server configuration: The http2 and https options were removed in favor of a unified server option [3]. - Middleware: onAfterSetupMiddleware and onBeforeSetupMiddleware were replaced by setupMiddlewares [3]. - Proxy: The proxy option now requires an array [3]. - CLI options: --open-app was replaced by --open-app-name, and --web-socket-server was replaced by --web-socket-server-type [3]. - Environment variables: The WEBPACK_SERVE environment variable value changed from a boolean true to the string 'true' [3]. - API changes: The constructor arguments were updated (first argument is options, second is compiler), and the listen method was replaced by async start or startCallback methods [3]. For detailed instructions on upgrading to the current stable version, consult the official migration-v5.md document in the webpack-dev-server GitHub repository [3].
Citations:
- 1: https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md
- 2: https://www.npmjs.com/package/webpack-dev-server
- 3: https://github.com/webpack/webpack-dev-server/blob/main/migration-v5.md
Remove non-existent webpack-dev-server v6 from peer dependency range.
The peer dependency range specifies ^6.0.0, but webpack-dev-server v6 has not been released on npm. The current latest version is 5.2.4. Remove ^6.0.0 from the OR clause so the range reflects only available versions (e.g., ^5.2.2).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 123, The peerDependencies entry for
"webpack-dev-server" lists a non-existent v6 range ("^5.2.2 || ^6.0.0"); update
the package.json peerDependencies so the "webpack-dev-server" range only
includes valid released versions (remove the "|| ^6.0.0" portion), e.g., change
the value to "^5.2.2" (or to a single valid v5 range such as "^5.2.2" or a
bumped v5 like "^5.2.4" if you want to target the latest patch).
|
@justin808 I expect the failures are because CI attempts to install the latest package version possible for peer dependencies, and
If you want to land this now, then probably easiest solution would be to have CI special case |
|
@claude please review this PR. Focus on:
Please post your review as a PR comment, and use inline comments for specific code issues. |
|
@claude please review the latest commit on this PR. Focus on:
Post your review as a PR comment, and use inline comments for specific code issues. |
|
Claude finished @justin808's task in 1m 23s —— View job PR Review: fix: allow
|
| File | Change |
|---|---|
package.json:123 |
`"webpack-dev-server": "^5.2.2 |
lib/install/package.json |
`"webpack-dev-server": "^5.2.2 |
docs/peer-dependencies.md |
Documentation matches code |
The three-file update is exactly correct — all three need to stay in sync and they do. The range follows the same ||-separated pattern used by other packages in the same files (e.g., webpack-cli, webpack-assets-manifest).
Issues Found
Missing CHANGELOG entry ⚠️
The PR checklist item "Update CHANGELOG file" is unchecked. Per the project's conventions, widening a peer dependency range is a user-visible fix that warrants an entry. The existing [Unreleased] section in CHANGELOG.md already has a ### Fixed subsection — this entry should be added there:
- **Widened `webpack-dev-server` peer dependency range to support v6 (`^5.2.2 || ^6.0.0`)**. [PR #1102](https://github.com/shakacode/shakapacker/pull/1102) by [G-Rath](https://github.com/G-Rath). Allows upgrading to `webpack-dev-server` v6, which addresses [GHSA-w5hq-g745-h8pq](https://github.com/advisories/GHSA-w5hq-g745-h8pq).CI Failures — Not a code problem ✅
The generator spec failures reported in the CI run are not caused by this PR's code changes. As G-Rath correctly identified, the failures occur because the CI tooling tries to resolve the highest matching version of webpack-dev-server (v6), which may not have been available at the time of the run. Once webpack-dev-server v6.0.0 is published (which it should be by now given the April 28 estimate of "next week or so"), CI should pass cleanly.
The copilot analysis in the thread about generator install failures and transpiler logic is a red herring — those are unrelated to this PR's changes.
If CI is still failing due to this, the simplest workaround would be to pin webpack-dev-server to ^5.2.2 in the CI test matrix while keeping the peer dependency range wide.
Security ✅
The motivating security issue is GHSA-w5hq-g745-h8pq, a vulnerability in webpack-dev-server addressed in v6. Widening the peer range to allow v6 is the right approach — it gives users the choice to upgrade without requiring a Shakapacker release. There are no security concerns introduced by this PR.
Verdict
Approve after adding the CHANGELOG entry. The code change itself is correct, minimal, and consistent. Only the missing CHANGELOG entry needs to be addressed before merging.
|
I’m not merging this yet because the current branch is not merge-ready. The main blocker is that That also matches the current CI failure mode: the generator specs try to install Other cleanup needed before this is mergeable:
The practical paths are either to wait until upstream actually publishes |
503e7aa to
a31ecef
Compare
|
@justin808 |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a31ecefb7c
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| "webpack-assets-manifest": "^5.0.6 || ^6.0.0", | ||
| "webpack-cli": "^4.9.2 || ^5.0.0 || ^6.0.0 || ^7.0.0", | ||
| "webpack-dev-server": "^5.2.2", | ||
| "webpack-dev-server": "^5.2.2 || ^6.0.0", |
There was a problem hiding this comment.
Keep installer default on a published dev-server version
For new webpack installs, lib/install/template.rb reads this file, splits ranges on ||, and installs constraints.last, so this change makes shakapacker:install try to add webpack-dev-server@^6.0.0 by default. As of July 3, 2026, upstream webpack-dev-server releases still show v5.2.6 as latest, so the generated install command will fail to resolve until v6 is actually published; keep the install manifest on a published range or special-case the default the same way webpack-cli is handled.
Useful? React with 👍 / 👎.
a31ecef to
2d759aa
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2d759aa79b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| "webpack-assets-manifest": "^5.0.6 || ^6.0.0", | ||
| "webpack-cli": "^4.9.2 || ^5.0.0 || ^6.0.0 || ^7.0.0", | ||
| "webpack-dev-server": "^5.2.2", | ||
| "webpack-dev-server": "^5.2.2 || ^6.0.0", |
There was a problem hiding this comment.
Keep webpack installs on a Node-compatible dev server
When the selected bundler is webpack, lib/install/template.rb splits each range on || and installs constraints.last for every peer except webpack-cli, so this line now makes shakapacker:install request webpack-dev-server@^6.0.0. Fresh evidence since the earlier thread: the current webpack-dev-server v6 package declares engines.node >=22.15.0, while Shakapacker still supports ^20.19.0 || >=22.12.0 in package.json, so supported Node 20 and 22.12–22.14 webpack apps can fail install with engine checks (or hit an unsupported runtime). Please keep the installer default on the v5 range or gate selecting v6 by Node version.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
it should be fine to assume new installs are using the latest version of Node, rather than the min.
Updated peer dependency version range for webpack-dev-server.
c8911d6 to
1674e12
Compare
## Summary - Stamps `## [v10.2.1] - July 5, 2026` immediately after `## [Unreleased]`, moving the existing unreleased entries (webpack-dev-server v6 support, SWC/Babel fallback fixes, production-env config fallback, and helper binstub PATH fix) into the new version section. - Adds the `[v10.2.1]` compare link and updates `[Unreleased]` to compare from `v10.2.1...main`. No new entries were needed: a classification sweep of `v10.2.0..origin/main` found only #1102, #1206, #1200, and #1201 as user-visible (all already present in Unreleased), plus #1202 (CI-only) and #1208 (docs-only) which are correctly excluded. ## Test plan - [x] Verified CHANGELOG.md diff manually - [x] Confirmed file ends with a trailing newline <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated the changelog with a new **v10.2.1** release entry dated July 5, 2026. * Refreshed version comparison links so the latest release is now shown against the main branch, with a new link for comparing **v10.2.0** to **v10.2.1**. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com>


Summary
This version will be released in the next week or so, and importantly enables addressing GHSA-w5hq-g745-h8pq
The migration docs are here - I don't think any of the breaking changes require any changes to Shakapacker
Pull Request checklist
Other Information
Summary by CodeRabbit
webpack-dev-serverv6 (in addition to v5).webpack-dev-serverversion ranges across package and install configuration to support either v5 or v6.webpack-dev-serverv6.