react_on_rails 16.7.0.rc.3 → 17.0.0.rc.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a330ac2b76a6a565ea1f64291f54d2ff5a90b39e33bb7c1929f3caa11ed8358e
-  data.tar.gz: 4d06374dfcb3c2004138c3386ed326634b03c91a27e96c4d442b0bcd5a9c39c9
+  metadata.gz: 02f0fa1befbed99b17f624249398f47b5a1395ed5407079a472ad39218d2cfc1
+  data.tar.gz: f8b4e5a3abf309b98f7b244d1a807acb29096ff7ae1ea115e780eefd35f2d609
 SHA512:
-  metadata.gz: 55392f01cd6ccad3792eac088c3f59d354131e159d22bc15dc086b17abc75ca248da294269d3e73ee25cea846af246e0d59ab2b93558ab0cf9bd9558e3ef52bf
-  data.tar.gz: c8fed4f8f74704860bff9a4784906ebcf5bab48cf7a50d9e7240a750d71c4d87dd228c55b3f0bad80edcc0c06565a20f606f8a2f1938ab8b3fa0108c52241bbf
+  metadata.gz: c594211d78c05817226dd5d4ff06e7bb4f377b57320cdb824de7a8902ec40d66473b28da64e0f6d2df5b445786a050d1c6b61779af3fea0c1c4793f3955efa63
+  data.tar.gz: e86d35866011de451f725c441539bc7f8400e83d9702a4a3b9058d385e483a926229b4e33e18685636d73700bc7a9a1106246d78174a726327b47b8b0f1645d9

data/Gemfile.development_dependencies

@@ -2,18 +2,22 @@
 
 eval_gemfile File.expand_path("../Gemfile.shared_dev_dependencies", __dir__)
 
-gem "shakapacker", "9.6.1"
+gem "shakapacker", "10.1.0"
 gem "bootsnap", require: false
 gem "rails", "~> 7.1.0"
 
-gem "sqlite3", "~> 1.6"
+gem "sqlite3", "~> 2.0"
 gem "sass-rails", "~> 6.0"
 gem "uglifier"
 gem "jquery-rails"
 gem "puma", "~> 6.0"
 
 # Turbolinks makes following links in your web application faster. Read more: https://github.com/rails/turbolinks
-gem "turbolinks" if ENV["DISABLE_TURBOLINKS"].nil? || ENV["DISABLE_TURBOLINKS"].strip.empty?
+# Declared unconditionally so the gemset always matches Gemfile.lock. DISABLE_TURBOLINKS
+# toggles Turbolinks at the application layer (the require_asset in
+# spec/dummy/app/assets/javascripts/application_non_webpack.js.erb), not gem inclusion.
+# A conditional declaration broke `bundle install --frozen` in CI (see AGENTS.md).
+gem "turbolinks"
 
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 gem "jbuilder"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    react_on_rails (16.7.0.rc.3)
+    react_on_rails (17.0.0.rc.0)
       addressable
       connection_pool
       execjs (~> 2.5)
@@ -237,7 +237,7 @@ GEM
       nio4r (~> 2.0)
     racc (1.8.1)
     rack (3.2.5)
-    rack-proxy (0.7.7)
+    rack-proxy (0.8.2)
       rack
     rack-session (2.1.1)
       base64 (>= 0.1.0)
@@ -360,7 +360,7 @@ GEM
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
     semantic_range (3.1.1)
-    shakapacker (9.6.1)
+    shakapacker (10.1.0)
       activesupport (>= 5.2)
       package_json
       rack-proxy (>= 0.6.1)
@@ -379,10 +379,10 @@ GEM
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.7.3)
+    sqlite3 (2.9.4)
       mini_portile2 (~> 2.8.0)
-    sqlite3 (1.7.3-arm64-darwin)
-    sqlite3 (1.7.3-x86_64-linux)
+    sqlite3 (2.9.4-arm64-darwin)
+    sqlite3 (2.9.4-x86_64-linux-gnu)
     steep (1.9.4)
       activesupport (>= 5.1)
       concurrent-ruby (>= 1.1.10)
@@ -475,11 +475,11 @@ DEPENDENCIES
   sass-rails (~> 6.0)
   sdoc
   selenium-webdriver (= 4.9.0)
-  shakapacker (= 9.6.1)
+  shakapacker (= 10.1.0)
   simplecov (~> 0.16.1)
   spring (~> 4.0)
   sprockets (~> 4.0)
-  sqlite3 (~> 1.6)
+  sqlite3 (~> 2.0)
   steep
   turbo-rails
   turbolinks

data/lib/generators/react_on_rails/js_dependency_manager.rb

@@ -578,12 +578,19 @@ module ReactOnRails
         end
 
         File.write("package.json", "#{JSON.pretty_generate(content)}\n")
+        GeneratorMessages.add_warning(package_json_pin_fallback_warning(versioned_packages))
         true
       rescue StandardError => e
         GeneratorMessages.add_warning("⚠️  Could not write dependency pins to package.json: #{e.message}")
         false
       end
 
+      def package_json_pin_fallback_warning(versioned_packages)
+        pinned_list = versioned_packages.map { |name, version| "#{name}@#{version}" }.join(", ")
+        "⚠️  Package manager install failed. Wrote the following version pins to package.json " \
+          "so you can rerun your package manager manually: #{pinned_list}"
+      end
+
       def fallback_package_manager
         package_manager = GeneratorMessages.detect_package_manager(app_root: destination_root)
         return package_manager if GeneratorMessages.supported_package_manager?(package_manager)

data/lib/generators/react_on_rails/pro_setup.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "securerandom"
 require_relative "generator_messages"
 require "react_on_rails/node_renderer_procfile"
 require "react_on_rails/pro_migration"
@@ -46,16 +47,58 @@ module ReactOnRails
         say set_color("🚀 REACT ON RAILS PRO SETUP", :cyan, :bold)
         say set_color("=" * 80, :cyan)
 
-        create_pro_initializer
+        # The Rails initializer and Node renderer bootstrap must share the same
+        # password literal. Only mint a fresh random password when BOTH files will
+        # be created — otherwise nil so each template falls back to the env-only
+        # branch, avoiding a literal mismatch with any existing file.
+        # Always reassign so a stale value from a prior invocation on the same
+        # instance can't leak into a later partial-install run.
+        @generated_renderer_password = nil
+        if pro_initializer_will_be_created? && node_renderer_will_be_created?
+          @generated_renderer_password = SecureRandom.hex(32)
+        end
+
+        initializer_created = create_pro_initializer
         legacy_renderer_detected = create_node_renderer
         add_pro_to_procfiles unless legacy_renderer_detected
         update_webpack_config_for_pro
 
+        say_renderer_password_setup_summary(initializer_created)
+
         say set_color("=" * 80, :cyan)
         say "✅ React on Rails Pro setup complete!", :green
         say set_color("=" * 80, :cyan)
       end
 
+      def say_renderer_password_setup_summary(initializer_created)
+        if @generated_renderer_password
+          say ""
+          say set_color("🔐 A random renderer password was written into your config files.", :yellow, :bold)
+          say "   For production, set RENDERER_PASSWORD as an env var instead and"
+          say "   remove the literal value from version control."
+          say "   See: https://www.shakacode.com/react-on-rails/docs/pro/node-renderer/"
+          say ""
+        elsif initializer_created
+          # Initializer was newly created but the Node renderer file already exists;
+          # the new initializer falls back to ENV["RENDERER_PASSWORD"] only so it doesn't
+          # disagree with whatever literal the existing renderer file contains.
+          say ""
+          say set_color("⚠️  Existing Node renderer detected — Rails initializer uses " \
+                        "ENV[\"RENDERER_PASSWORD\"] only.", :yellow, :bold)
+          say "   Set RENDERER_PASSWORD in your environment to match the password in your existing renderer."
+          say ""
+        end
+      end
+
+      def pro_initializer_will_be_created?
+        !File.exist?(File.join(destination_root, "config/initializers/react_on_rails_pro.rb"))
+      end
+
+      def node_renderer_will_be_created?
+        !File.exist?(File.join(destination_root, "renderer/node-renderer.js")) &&
+          !File.exist?(File.join(destination_root, "client/node-renderer.js"))
+      end
+
       # Check if the Pro gem is missing. When the base react_on_rails gem is in
       # the Gemfile, installation is deferred to the later Gemfile swap (which
       # preserves the user's version pin); otherwise auto-install via `bundle
@@ -205,14 +248,18 @@ module ReactOnRails
 
         if File.exist?(File.join(destination_root, initializer_path))
           say "ℹ️  #{initializer_path} already exists, skipping", :yellow
-          return
+          return false
         end
 
         say "📝 Creating React on Rails Pro initializer...", :yellow
 
+        # @generated_renderer_password is set by setup_pro only when both this
+        # file and the Node renderer bootstrap will be created together; nil here
+        # means the template emits the env-only fallback (no literal password).
         template("templates/pro/base/config/initializers/react_on_rails_pro.rb.tt", initializer_path)
 
         say "✅ Created #{initializer_path}", :green
+        true
       end
 
       # Matches active (uncommented) Procfile.dev node-renderer lines that
@@ -267,6 +314,11 @@ module ReactOnRails
               "to migrate, move it to #{node_renderer_path} and update any references " \
               "(e.g. Procfile.dev, Procfile.prod, Docker CMD / command):", :yellow
           say "      #{node_renderer_procfile_command('Procfile.dev')}", :yellow
+          say set_color(
+            "⚠️  Ensure the password in #{legacy_node_renderer_path} matches " \
+            "config/initializers/react_on_rails_pro.rb. Both must use the same RENDERER_PASSWORD.",
+            :yellow
+          )
           warn_on_stale_legacy_procfile_entry
           return true
         end
@@ -275,8 +327,8 @@ module ReactOnRails
 
         empty_directory("renderer")
 
-        template_path = "templates/pro/base/renderer/node-renderer.js"
-        copy_file(template_path, node_renderer_path)
+        template_path = "templates/pro/base/renderer/node-renderer.js.tt"
+        template(template_path, node_renderer_path)
 
         say "✅ Created #{node_renderer_path}", :green
         false

data/lib/generators/react_on_rails/rsc_setup/client_references.rb

@@ -123,7 +123,7 @@ module ReactOnRails
         def update_existing_rsc_webpack_config(config_path, content, is_server:)
           return unless rsc_plugin_sections_safe_to_rewrite?(config_path, content, is_server: is_server)
           return if rsc_plugin_uses_scoped_client_references?(content, is_server: is_server)
-          return unless rsc_client_references_rewrite_needed?(config_path, content, is_server: is_server)
+          return unless prepare_rsc_client_references_rewrite!(config_path, content, is_server: is_server)
 
           return if rewrite_rsc_plugin_client_references(config_path, is_server: is_server)
 
@@ -131,25 +131,31 @@ module ReactOnRails
           warn_missing_rsc_plugin_target(config_path, is_server: is_server)
         end
 
-        def rsc_client_references_rewrite_needed?(config_path, content, is_server:)
-          # This predicate prepares the rewrite too: when it returns true, the scoped helper
-          # may already have been injected on disk so `rewrite_rsc_plugin_client_references`
-          # can re-read fresh content with valid offsets.
+        def prepare_rsc_client_references_rewrite!(config_path, content, is_server:)
+          # This prepares the rewrite and returns whether it should continue. When it returns true,
+          # the scoped helper may already have been injected on disk so
+          # `rewrite_rsc_plugin_client_references` can re-read fresh content with valid offsets.
           if rsc_plugin_references_any_scoped_client_references?(content, is_server: is_server)
             return false unless ensure_rsc_client_references_setup(config_path, content, is_server: is_server)
 
-            return rsc_plugin_without_client_references?(content, is_server: is_server)
+            return rsc_plugin_needs_client_references_rewrite?(content, is_server: is_server)
           end
 
           rewritable_rsc_plugin?(config_path, content, is_server: is_server) &&
             ensure_rsc_client_references_setup(config_path, content, is_server: is_server)
         end
 
+        def rsc_plugin_needs_client_references_rewrite?(content, is_server:)
+          any_rsc_plugin_section_without_client_references?(content, is_server: is_server)
+        end
+
         # Detects RSCWebpackPlugin option blocks that the lightweight JS scanner could not parse
         # cleanly (most often a regex literal with an unmatched `{` / `}` that walks the depth
         # counter past the real closing brace). When found, we warn and refuse to rewrite anything
         # in the file so a sibling rewrite cannot accidentally splice into a wrong location.
         def rsc_plugin_sections_safe_to_rewrite?(config_path, content, is_server:)
+          # `:unparseable` is file-wide: the partitioner increments it before filtering parseable
+          # sections by the current `is_server` target.
           unparseable = rsc_plugin_option_sections_partition(content, is_server: is_server).fetch(:unparseable)
           return true if unparseable.zero?
 
@@ -160,7 +166,7 @@ module ReactOnRails
         def rewritable_rsc_plugin?(config_path, content, is_server:)
           # Mixed same-target plugins are still rewritable: the later rewrite only updates plugins
           # missing clientReferences and leaves sibling custom clientReferences untouched.
-          return true if rsc_plugin_without_client_references?(content, is_server: is_server)
+          return true if any_rsc_plugin_section_without_client_references?(content, is_server: is_server)
 
           if rsc_plugin_defines_client_references?(content, is_server: is_server)
             GeneratorMessages.add_warning(
@@ -258,18 +264,24 @@ module ReactOnRails
           end
         end
 
-        def rsc_plugin_without_client_references?(content, is_server:)
+        # Existential check: returns true when at least one matching plugin section is missing a
+        # top-level `clientReferences:` key. Pairs with `rsc_plugin_defines_client_references?`,
+        # which uses the same any-section semantics for the opposite condition. The two are not
+        # complements when multiple plugin sections exist — a file with one configured plugin and
+        # one unconfigured plugin returns true from both.
+        def any_rsc_plugin_section_without_client_references?(content, is_server:)
           rsc_plugin_option_sections(content, is_server: is_server).any? do |section|
             !rsc_plugin_body_has_top_level_key?(section.fetch(:body), "clientReferences")
           end
         end
 
         # Strips JavaScript line and block comments while preserving string-literal contents,
-        # so `clientReferences:` / `isServer:` substrings inside strings are not mis-detected.
+        # including simple `${...}` template-literal interpolation, so `clientReferences:` /
+        # `isServer:` substrings inside strings are not mis-detected.
         # Shares the `advance_js_scan_state` family used by `js_top_level_position?` and
         # `matching_js_closing_brace` so all JS-aware passes follow the same comment/string rules.
-        # Regex literals (e.g. `/a{2}/`) are still outside this scanner's supported surface
-        # because brace quantifiers can confuse `matching_js_closing_brace`'s depth counter.
+        # See `advance_js_scan_state` for the scanner's supported surface (including the regex-
+        # literal and nested-template-literal limits that callers must be aware of).
         def rsc_plugin_options_without_comments(options)
           result = String.new(capacity: options.length)
           state = nil
@@ -429,15 +441,15 @@ module ReactOnRails
         end
 
         # Expects `content[open_index] == "{"`; callers pass the options-object opening brace.
-        # This lightweight scanner treats template literals as opaque strings (backtick to backtick).
-        # Simple `${...}` expressions are handled correctly: while in the backtick state every
-        # character — including `{` and `}` inside the expression — is consumed as string content
-        # and never reaches the depth counter. The real unsupported case is *nested* template
-        # literals (e.g. `` `outer ${`inner`}` ``) where the inner backtick falsely closes the outer
-        # string state, exposing later braces to the depth counter. Callers detect that via
-        # `rsc_plugin_options_followed_by_close_paren?` and mark the section unparseable rather
-        # than producing a corrupt rewrite. Regex literals are outside this scanner's supported
-        # surface for the same reason.
+        # This lightweight scanner supports strings (including template literals for simple
+        # `${...}` interpolation) plus JS line/block comments. It does not classify regex
+        # literals, so braces inside constructs such as `/a{2}/` or `/[{]/` can be counted as
+        # object braces. Nested template literals (for example, `outer ${`inner`}`) are also
+        # unsupported: the inner backtick falsely closes the outer string state, exposing later
+        # braces to the depth counter. `rsc_plugin_options_without_comments` shares the same
+        # supported surface, and callers detect corrupted sections via
+        # `rsc_plugin_options_followed_by_close_paren?` so the migration warns instead of
+        # producing a corrupt rewrite.
         def matching_js_closing_brace(content, open_index)
           depth = 0
           index = open_index
@@ -470,8 +482,51 @@ module ReactOnRails
           nil
         end
 
-        # Return index is the last consumed character. Line comments leave the newline
-        # for the caller's normal index increment; block comments consume the closing slash.
+        # Central dispatcher for the lightweight JS scanner shared by every JS-aware pass in this
+        # generator (`matching_js_closing_brace`, `js_top_level_position?`, `js_code_position?`,
+        # `rsc_plugin_options_without_comments`, `first_significant_js_index`,
+        # `rsc_plugin_options_followed_by_close_paren?`, `last_js_code_char_index`,
+        # `last_js_code_line_start`). Return index is the last consumed character. Line comments
+        # leave the newline for the caller's normal index increment; block comments consume the
+        # closing slash.
+        #
+        # Supported lexical constructs:
+        # - Line comments (`// ...\n`) and block comments (`/* ... */`).
+        # - Single-quoted (`'...'`), double-quoted (`"..."`), and template-literal (`` `...` ``)
+        #   strings, including escape sequences and the simple `${expr}` interpolation form
+        #   (interpolation braces stay inside the string state and never reach the depth counter).
+        #
+        # Outside the supported surface for callers that do **not** run `js_regex_literal_start?`
+        # preprocessing (e.g. `matching_js_closing_brace`, `rsc_plugin_options_without_comments`),
+        # the scanner cannot distinguish these from the syntax they shadow, so `{`/`}` characters
+        # they contain can confuse the depth counter. `js_top_level_position?` and
+        # `js_code_position?` handle regex literals via their own pre-pass and are unaffected.
+        # - Regex literals (e.g. `/a{2}/`, `/\{/`, `/[{]/`): not recognized as a distinct state,
+        #   so brace-containing patterns walk the depth counter past the real options close. The
+        #   user-facing warning text in `warn_unparseable_rsc_plugin_sections` calls these out
+        #   explicitly.
+        # - Nested template literals (`` `outer ${`inner`}` ``): the inner backtick falsely closes
+        #   the outer string state, exposing later braces to the depth counter.
+        #
+        # The downstream `rsc_plugin_option_sections_partition` catches both failure modes by
+        # requiring the matched closing `}` to be followed by `)`. When it isn't, the section is
+        # marked unparseable and `warn_unparseable_rsc_plugin_sections` asks the user to add
+        # `clientReferences:` manually — the migration declines to rewrite rather than risk
+        # corrupting the config.
+        #
+        # Future expansion (only worth doing if a real-world RSC plugin options block needs it):
+        # 1. Add a `:regex_literal` state alongside the string and comment states. Track regex
+        #    contexts by detecting `/` after a token that legally precedes a regex literal
+        #    (`=`, `(`, `,`, `:`, `;`, `?`, `!`, `&&`, `||`, `return`, `typeof`, etc.) and consume
+        #    until the unescaped closing `/` plus any flags. The token-context check is necessary
+        #    because the same `/` character means division in expression position.
+        # 2. Add a stack-based template-literal state so nested `` `...${`inner`}...` `` pairs
+        #    track depth instead of toggling a single boolean state.
+        # Regex literals require expanding `advance_js_default_scan_state`; nested template
+        # literals would also require replacing `advance_js_string_state` with stack-aware
+        # handling. Both changes need a new state-machine branch; the current callers were
+        # specifically designed around the simpler scanner and would need re-validation against
+        # the expanded state set.
         #
         # IMPORTANT CALLER CONTRACT — block-comment exit:
         # When this returns from a `*/` exit, `state` is cleared, but `char` is still the `*` and
@@ -909,13 +964,12 @@ module ReactOnRails
         # generator has already confirmed `RSCWebpackPlugin` is imported in the file. That's why
         # this helper deliberately omits the `RSCWebpackPlugin` import that `inject_rsc_*_imports`
         # adds on the from-scratch path — adding it here would produce a duplicate import.
+        # Must only be called via `ensure_rsc_client_references_setup`, which has already verified
+        # that no module-scope `rscClientReferences` declaration exists and that the import anchor
+        # is present and not yet consumed by a previous call. Bypassing that guard can write a
+        # duplicate `const rscClientReferences` declaration and leave the user's webpack config with
+        # a Node SyntaxError at load time.
         def add_rsc_client_references_setup(config_path, content, existing_imports_content, is_server:)
-          # Belt-and-suspenders: the only caller, `ensure_rsc_client_references_setup`, already
-          # checks both `scoped_rsc_client_references_defined?` and `rsc_client_references_defined?`
-          # before delegating here. The guards are kept so the helper is safe to call directly.
-          return false if scoped_rsc_client_references_defined?(content)
-          return false if rsc_client_references_defined?(content)
-
           replace_rsc_client_references_setup_anchor(config_path, content, is_server: is_server) do |anchor|
             join_rsc_client_references_setup(
               content,

data/lib/generators/react_on_rails/templates/pro/base/config/initializers/react_on_rails_pro.rb.tt

@@ -7,7 +7,12 @@ ReactOnRailsPro.configure do |config|
   config.renderer_url = ENV.fetch("REACT_RENDERER_URL", "http://localhost:3800")
 
   # See value in renderer/node-renderer.js
-  config.renderer_password = ENV.fetch("RENDERER_PASSWORD", "devPassword")
+  # For production, set RENDERER_PASSWORD as an env var and remove the literal fallback.
+<% if @generated_renderer_password -%>
+  config.renderer_password = ENV.fetch("RENDERER_PASSWORD", "<%= @generated_renderer_password %>")
+<% else -%>
+  config.renderer_password = ENV["RENDERER_PASSWORD"]
+<% end -%>
 
   config.ssr_timeout = 5
   config.renderer_request_retry_limit = 1

data/lib/generators/react_on_rails/templates/pro/base/renderer/{node-renderer.js → node-renderer.js.tt}

@@ -12,7 +12,12 @@ const config = {
   logLevel: env.RENDERER_LOG_LEVEL || 'info',
 
   // See value in /config/initializers/react_on_rails_pro.rb
-  password: env.RENDERER_PASSWORD || 'devPassword',
+  // For production, set RENDERER_PASSWORD as an env var and remove the literal fallback.
+<% if @generated_renderer_password -%>
+  password: env.RENDERER_PASSWORD ?? '<%= @generated_renderer_password %>',
+<% else -%>
+  password: env.RENDERER_PASSWORD,
+<% end -%>
 
   // Number of Node.js worker threads for SSR rendering
   // Set RENDERER_WORKERS_COUNT env var to override (e.g., for production tuning)

data/lib/react_on_rails/doctor.rb

@@ -94,7 +94,8 @@ module ReactOnRails
       "scripts/deploy.sh",
       ".circleci/config.yml",
       ".gitlab-ci.yml",
-      "bitbucket-pipelines.yml"
+      "bitbucket-pipelines.yml",
+      "Jenkinsfile"
     ].freeze
     # Bounded glob allowlist for deploy manifests that live in a known directory
     # but use per-environment or per-workflow filenames. Each pattern matches
@@ -2898,20 +2899,29 @@ module ReactOnRails
       checker.add_warning("⚠️  Could not complete scan for deprecated renderer-cache task references: #{e.message}")
     end
 
-    def deploy_script_references_deprecated_task?(full_path)
-      # Only `#` comments matter for the scanned file types: Procfile, Dockerfile*,
-      # and bin/* scripts all use `#`. None use `//`, so we don't filter it.
-      # The trailing-comment strip requires whitespace before `#`, so a fragment
-      # like `task#name` stays intact while `cmd # was: <deprecated>` is filtered.
+    def deploy_script_references_deprecated_task?(full_path, path)
+      comment_prefixes = renderer_cache_deploy_script_comment_prefixes(path)
+
+      # The trailing-comment strip requires whitespace before the comment marker,
+      # so fragments like `task#name` stay intact while `cmd # was: <deprecated>`
+      # and Jenkinsfile `cmd // was: <deprecated>` comments are filtered.
       full_path.binread.each_line.any? do |line|
         stripped = line.lstrip
-        next false if stripped.start_with?("#")
+        next false if comment_prefixes.any? { |prefix| stripped.start_with?(prefix) }
 
-        without_inline_comment = stripped.sub(/ +#.*/, "")
+        without_inline_comment = comment_prefixes.reduce(stripped) do |content, prefix|
+          content.sub(/ +#{Regexp.escape(prefix)}.*/, "")
+        end
         without_inline_comment.include?(DEPRECATED_RENDERER_CACHE_TASK)
       end
     end
 
+    def renderer_cache_deploy_script_comment_prefixes(path)
+      return ["#", "//"] if path == "Jenkinsfile"
+
+      ["#"]
+    end
+
     def deploy_script_path_references_deprecated_task?(path)
       full_path = Rails.root.join(path)
 
@@ -2920,7 +2930,7 @@ module ReactOnRails
       # deploy scripts and CI manifests should be tiny.
       return false if full_path.size > RENDERER_CACHE_DEPLOY_SCRIPT_MAX_BYTES
 
-      deploy_script_references_deprecated_task?(full_path)
+      deploy_script_references_deprecated_task?(full_path, path)
     rescue StandardError => e
       checker.add_warning(
         "⚠️  Could not scan #{path} for deprecated renderer-cache task references: #{e.message}"

data/lib/react_on_rails/engine.rb

@@ -170,7 +170,8 @@ module ReactOnRails
       return if env_config_path.to_s.empty?
 
       Rails.logger&.warn(
-        "[React on Rails] SHAKAPACKER_CONFIG is set to '#{env_config_path}' but the file " \
+        "[React on Rails] SHAKAPACKER_CONFIG is set to '#{env_config_path}' " \
+        "(resolved to '#{shakapacker_config_path}') but the file " \
         "does not exist. Bundler detection treated Shakapacker as not configured for this app; " \
         "fix the path or unset the variable if this is unintended."
       )

data/lib/react_on_rails/helper.rb

@@ -710,12 +710,46 @@ module ReactOnRails
       raise ReactOnRails::PrerenderError.new(
         component_name: react_component_name,
         props: sanitized_props_string(props),
-        err: nil,
+        err: rendering_error_from_result(json_result),
         js_code: js_code,
         console_messages: json_result["consoleReplayScript"]
       )
     end
 
+    def rendering_error_from_result(json_result)
+      rendering_error = json_result["renderingError"]
+      return unless rendering_error.is_a?(Hash)
+
+      stack = rendering_error["stack"]
+      # Mirror the JS `buildRSCStreamDiagnosticError` fallback: a renderingError that carries only
+      # a stack (no message) should still surface a diagnostic rather than be silently dropped.
+      message = rendering_error["message"].presence ||
+                (stack.present? ? "RSC stream metadata reported a rendering error" : nil)
+      return if message.nil?
+
+      error = StandardError.new(message)
+      frames = normalize_js_stack_lines(stack)
+      error.set_backtrace(frames) unless frames.empty?
+      error
+    end
+
+    # V8 stack strings begin with a `"TypeError: ..."` header line — and chained-exception stacks
+    # add further non-frame headers mid-stack (e.g. `Caused by: ...`) — none of which match Ruby's
+    # `file:line:in 'method'` backtrace format. Keep only the `at <frame>` lines so backtrace
+    # cleaners and APM tools that ship the array raw don't choke on unparseable strings.
+    # Frames are also `.strip`-ed to drop V8's leading indentation, which Ruby backtraces never carry.
+    #
+    # When the stack has no `at <frame>` lines (e.g. a header-only or non-V8 string) this returns
+    # `[]`, leaving the backtrace nil rather than seeding it with unparseable header lines.
+    def normalize_js_stack_lines(stack)
+      # Only V8 string stacks are parseable here. A non-String stack (e.g. an array of frames
+      # from a non-V8 serializer) would otherwise be `to_s`-ed into Ruby array syntax and yield
+      # no usable frames — guard explicitly so the no-backtrace path is intentional, not garbage.
+      return [] unless stack.is_a?(String)
+
+      stack.lines.map { |line| line.chomp.strip }.select { |line| line.start_with?("at ") }
+    end
+
     def should_raise_streaming_prerender_error?(chunk_json_result, render_options)
       chunk_json_result["hasErrors"] &&
         (if chunk_json_result["isShellReady"]

data/lib/react_on_rails/prerender_error.rb

@@ -61,12 +61,7 @@ module ReactOnRails
 
         MSG
 
-        backtrace = if Utils.full_text_errors_enabled?
-                      err.backtrace.join("\n")
-                    else
-                      "#{Rails.backtrace_cleaner.clean(err.backtrace).join("\n")}\n" +
-                        Rainbow("💡 Tip: Set FULL_TEXT_ERRORS=true to see the full backtrace").yellow
-                    end
+        backtrace = formatted_backtrace(err)
       else
         backtrace = nil
       end
@@ -95,6 +90,19 @@ module ReactOnRails
       # rubocop:enable Metrics/AbcSize
     end
 
+    # Formats `err.backtrace` for display, or returns nil when there are no frames.
+    def formatted_backtrace(err)
+      error_backtrace = err.backtrace
+      # JS-originated errors (e.g. an RSC renderingError carrying a message but no parseable
+      # stack) have no Ruby backtrace. Skip it rather than crashing on `nil.join` /
+      # `Rails.backtrace_cleaner.clean(nil)`.
+      return nil if error_backtrace.nil? || error_backtrace.empty?
+      return error_backtrace.join("\n") if Utils.full_text_errors_enabled?
+
+      "#{Rails.backtrace_cleaner.clean(error_backtrace).join("\n")}\n" +
+        Rainbow("💡 Tip: Set FULL_TEXT_ERRORS=true to see the full backtrace").yellow
+    end
+
     # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
     def build_troubleshooting_suggestions(component_name, err, console_messages)
       suggestions = []

data/lib/react_on_rails/test_helper/webpack_assets_compiler.rb

@@ -13,7 +13,7 @@ module ReactOnRails
           exit!(1)
         end
 
-        puts "\nBuilding Webpack assets..."
+        puts "\nBuilding assets..."
 
         cmd = ReactOnRails::Utils.prepend_cd_node_modules_directory(
           ReactOnRails.configuration.build_test_command
@@ -21,7 +21,7 @@ module ReactOnRails
 
         ReactOnRails::Utils.invoke_and_exit_if_failed(cmd, compilation_failed_message)
 
-        puts "Completed building Webpack assets."
+        puts "Completed building assets."
       end
 
       private
@@ -49,14 +49,14 @@ module ReactOnRails
 
       def compilation_failed_message
         <<~MSG
-          React on Rails: Error building webpack assets!
+          React on Rails: Error building test assets!
 
           The build_test_command failed. This means test assets could not be compiled.
 
           Quick alternatives to get unblocked:
             • Run 'bin/dev static' in another terminal (assets auto-reuse for tests)
             • Run 'bin/dev test-watch' to keep test assets fresh in the background
-            • Run 'RAILS_ENV=test bin/shakapacker' manually to compile once
+            • Run '#{ReactOnRails.configuration.build_test_command}' manually to compile once
 
           For full details: #{TESTING_DOCS_URL}
           Run 'bin/dev --help' for development server modes.

data/lib/react_on_rails/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ReactOnRails
-  VERSION = "16.7.0.rc.3"
+  VERSION = "17.0.0.rc.0"
 end

data/rakelib/lint.rake

@@ -37,7 +37,7 @@ namespace :lint do # rubocop:disable Metrics/BlockLength
   private
 
   def stylelint_command
-    "pnpm run stylelint \"spec/dummy/app/assets/stylesheets/**/*.scss\" \"spec/dummy/client/**/*.scss\""
+    "pnpm run lint:scss"
   end
 
   def stylelint_fix_command

data/rakelib/run_rspec.rake

@@ -69,8 +69,6 @@ namespace :run_rspec do
     env_vars_array = []
     env_vars_array << rbs_runtime_env_vars unless rbs_runtime_env_vars.empty?
     env_vars_array << "DISABLE_TURBOLINKS=TRUE"
-    # This task intentionally runs with a different Gemfile view where the turbolinks gem is excluded.
-    env_vars_array << "BUNDLE_FROZEN=false"
     env_vars = env_vars_array.join(" ")
     run_tests_in(spec_dummy_dir,
                  env_vars: env_vars,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: react_on_rails
 version: !ruby/object:Gem::Version
-  version: 16.7.0.rc.3
+  version: 17.0.0.rc.0
 platform: ruby
 authors:
 - Justin Gordon
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-05-27 00:00:00.000000000 Z
+date: 2026-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -192,7 +192,7 @@ files:
 - lib/generators/react_on_rails/templates/dev_tests/spec/system/hello_server_spec.rb
 - lib/generators/react_on_rails/templates/dev_tests/spec/system/hello_world_spec.rb
 - lib/generators/react_on_rails/templates/pro/base/config/initializers/react_on_rails_pro.rb.tt
-- lib/generators/react_on_rails/templates/pro/base/renderer/node-renderer.js
+- lib/generators/react_on_rails/templates/pro/base/renderer/node-renderer.js.tt
 - lib/generators/react_on_rails/templates/redux/base/app/javascript/bundles/HelloWorld/actions/helloWorldActionCreators.js
 - lib/generators/react_on_rails/templates/redux/base/app/javascript/bundles/HelloWorld/actions/helloWorldActionCreators.ts
 - lib/generators/react_on_rails/templates/redux/base/app/javascript/bundles/HelloWorld/components/HelloWorld.jsx