react_on_rails_pro 16.5.1 → 16.6.0.rc.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 555e14ff0b3a9fe0dbdf0d03195d25512f535ce488f426f8258af5dde9e93fa3
-  data.tar.gz: 2aa2508ce583c9b6c3907f990d8a07ce151c122a610524f89ea8a4b5fc75218c
+  metadata.gz: 3c916f9674e2623f411de371a45f7a4016780b2f0f2b267b2be6adc00b73e256
+  data.tar.gz: ea25bb1c946748b59252d44a5e42bdab08b9782d062ac1e03d35480e1d080f2f
 SHA512:
-  metadata.gz: 58c950e2ace03c47a86777a398e8260d1ab67a0d28a9838431be74e181c6345af08e8ecf99d8500a179a4c62c9e871af9aa1ceef5991f199452cc2c3cdea0b6a
-  data.tar.gz: 8df15aa0b502450842d744049f7f17aff8843b0afddccf0d97cdb926d0497fdf26cb6e834ca781ec4bd532e9ddf01bc237d14643a088eb8f854d1ea969bb840f
+  metadata.gz: 377bbdc3a94e443fa1fda13389603f1593a8fe3457af9ccc66ebfe5b710164cf1b7a225886d44e44edec6a73fd4bb4cd31813ee2c6f57f02c884efb79a1fb14f
+  data.tar.gz: c23fcc4de60626c285b8aeb47fb9b334fac21b57950976aa947be27e51831e3ef221a9e482fb3ba4dccaf693bd2aa755ab13f802780b27eca0411ac65dbca83a

data/CONTRIBUTING.md

@@ -46,7 +46,7 @@ From [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/
 
 ## Doc Changes
 
-When making doc changes, we want the change to work on both [the React on Rails docs site](https://reactonrails.com/docs/pro) and when browsing the GitHub repo.
+When making doc changes, we want the change to work on both [the React on Rails docs site](https://reactonrails.com/docs/pro/) and when browsing the GitHub repo.
 For links from docs pages to non-doc files, use full GitHub URLs so links resolve correctly in both contexts.
 
 ### Links to other docs:

data/Gemfile.lock

@@ -9,7 +9,7 @@ GIT
 PATH
   remote: ..
   specs:
-    react_on_rails (16.5.1)
+    react_on_rails (16.6.0.rc.1)
       addressable
       connection_pool
       execjs (~> 2.5)
@@ -20,7 +20,7 @@ PATH
 PATH
   remote: .
   specs:
-    react_on_rails_pro (16.5.1)
+    react_on_rails_pro (16.6.0.rc.1)
       addressable
       async (>= 2.29)
       connection_pool
@@ -29,7 +29,7 @@ PATH
       httpx (~> 1.5)
       jwt (~> 2.7)
       rainbow
-      react_on_rails (= 16.5.1)
+      react_on_rails (= 16.6.0.rc.1)
 
 GEM
   remote: https://rubygems.org/
@@ -217,7 +217,7 @@ GEM
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     logger (1.7.0)
-    loofah (2.25.0)
+    loofah (2.25.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.9.0)
@@ -249,11 +249,11 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.5)
-    nokogiri (1.19.1-arm64-darwin)
+    nokogiri (1.19.2-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.19.1-x86_64-darwin)
+    nokogiri (1.19.2-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.19.1-x86_64-linux-gnu)
+    nokogiri (1.19.2-x86_64-linux-gnu)
       racc (~> 1.4)
     package_json (0.2.0)
     parallel (1.27.0)

data/app/helpers/react_on_rails_pro_helper.rb

@@ -128,7 +128,10 @@ module ReactOnRailsProHelper
     # stream_react_component doesn't have the prerender option
     # Because setting prerender to false is equivalent to calling react_component with prerender: false
     options[:prerender] = true
-    options = options.merge(immediate_hydration: true) unless options.key?(:immediate_hydration)
+    if options.key?(:immediate_hydration)
+      ReactOnRails::Helper.warn_removed_immediate_hydration_option("stream_react_component")
+      options.delete(:immediate_hydration)
+    end
 
     # Extract streaming-specific callback
     on_complete = options.delete(:on_complete)

data/lib/react_on_rails_pro/configuration.rb

@@ -15,6 +15,7 @@ module ReactOnRailsPro
       renderer_http_pool_size: Configuration::DEFAULT_RENDERER_HTTP_POOL_SIZE,
       renderer_http_pool_timeout: Configuration::DEFAULT_RENDERER_HTTP_POOL_TIMEOUT,
       renderer_http_pool_warn_timeout: Configuration::DEFAULT_RENDERER_HTTP_POOL_WARN_TIMEOUT,
+      renderer_http_keep_alive_timeout: Configuration::DEFAULT_RENDERER_HTTP_KEEP_ALIVE_TIMEOUT,
       renderer_password: nil,
       tracing: Configuration::DEFAULT_TRACING,
       dependency_globs: Configuration::DEFAULT_DEPENDENCY_GLOBS,
@@ -44,6 +45,7 @@ module ReactOnRailsPro
     DEFAULT_RENDERER_HTTP_POOL_SIZE = 10
     DEFAULT_RENDERER_HTTP_POOL_TIMEOUT = 5
     DEFAULT_RENDERER_HTTP_POOL_WARN_TIMEOUT = 0.25
+    DEFAULT_RENDERER_HTTP_KEEP_ALIVE_TIMEOUT = 30
     DEFAULT_SSR_TIMEOUT = 5
     DEFAULT_PRERENDER_CACHING = false
     DEFAULT_TRACING = false
@@ -72,7 +74,7 @@ module ReactOnRailsPro
                   :rsc_payload_generation_url_path, :rsc_bundle_js_file, :react_client_manifest_file,
                   :react_server_client_manifest_file
 
-    attr_reader :concurrent_component_streaming_buffer_size
+    attr_reader :concurrent_component_streaming_buffer_size, :renderer_http_keep_alive_timeout
 
     # Sets the buffer size for concurrent component streaming.
     #
@@ -91,10 +93,23 @@ module ReactOnRailsPro
       @concurrent_component_streaming_buffer_size = value
     end
 
+    # Sets the keep-alive timeout (in seconds) for persistent HTTP connections to the node renderer.
+    #
+    # @param value [Numeric, nil] A positive number or nil (to use the HTTPX default)
+    # @raise [ReactOnRailsPro::Error] if value is not a positive number or nil
+    def renderer_http_keep_alive_timeout=(value)
+      unless value.nil? || (value.is_a?(Numeric) && value.positive? && value.finite?)
+        raise ReactOnRailsPro::Error,
+              "config.renderer_http_keep_alive_timeout must be a finite positive number or nil"
+      end
+      @renderer_http_keep_alive_timeout = value
+    end
+
     def initialize(renderer_url: nil, renderer_password: nil, server_renderer: nil, # rubocop:disable Metrics/AbcSize
                    renderer_use_fallback_exec_js: nil, prerender_caching: nil,
                    renderer_http_pool_size: nil, renderer_http_pool_timeout: nil,
-                   renderer_http_pool_warn_timeout: nil, tracing: nil,
+                   renderer_http_pool_warn_timeout: nil, renderer_http_keep_alive_timeout: nil,
+                   tracing: nil,
                    dependency_globs: nil, excluded_dependency_globs: nil, rendering_returns_promises: nil,
                    remote_bundle_cache_adapter: nil, ssr_pre_hook_js: nil, assets_to_copy: nil,
                    renderer_request_retry_limit: nil, throw_js_errors: nil, ssr_timeout: nil,
@@ -111,6 +126,7 @@ module ReactOnRailsPro
       self.renderer_http_pool_size = renderer_http_pool_size
       self.renderer_http_pool_timeout = renderer_http_pool_timeout
       self.renderer_http_pool_warn_timeout = renderer_http_pool_warn_timeout
+      self.renderer_http_keep_alive_timeout = renderer_http_keep_alive_timeout
       self.tracing = tracing
       self.rendering_returns_promises = server_renderer == "NodeRenderer" ? rendering_returns_promises : false
       self.dependency_globs = dependency_globs
@@ -229,10 +245,68 @@ module ReactOnRailsPro
     end
 
     def setup_renderer_password
+      # Explicit passwords, including values loaded from ENV in the initializer, skip URL extraction.
+      # Blank values (nil or "") fall through so URL extraction and ENV fallback still apply.
       return if renderer_password.present?
 
       uri = URI(renderer_url)
       self.renderer_password = uri.password
+
+      # Mirror Node-side defaults: if Rails config and URL are both missing a password,
+      # use RENDERER_PASSWORD from env.
+      self.renderer_password = ENV.fetch("RENDERER_PASSWORD", nil) if renderer_password.blank?
+
+      validate_renderer_password_for_production
+    end
+
+    def validate_renderer_password_for_production
+      # Defense-in-depth: skip validation when a password is already configured (e.g. extracted
+      # from the renderer URL by setup_renderer_password, or set directly in the initializer).
+      return if renderer_password.present?
+      return unless node_renderer?
+
+      # Fail closed: only skip validation when RAILS_ENV is explicitly set to development or test.
+      # Rails.env defaults to "development" when RAILS_ENV is unset, which would silently skip
+      # validation in misconfigured environments. Checking ENV["RAILS_ENV"] directly matches the
+      # Node-side behavior where an unset environment is treated as production-like.
+      rails_env = ENV["RAILS_ENV"]&.downcase
+      return if rails_env.present? && %w[development test].include?(rails_env)
+
+      raise ReactOnRailsPro::Error, <<~MSG
+        RENDERER_PASSWORD must be set in production-like environments (staging, production, etc.)
+        when using the NodeRenderer.
+
+        In development and test environments, the renderer password is optional and no authentication
+        is required. In all other environments, you must explicitly configure a password to secure
+        communication between Rails and the Node Renderer.
+
+        To fix this, set the RENDERER_PASSWORD environment variable:
+
+          export RENDERER_PASSWORD="your-secure-password"
+
+        Rails reads it automatically. If you prefer to make it explicit in your initializer:
+
+          # config/initializers/react_on_rails_pro.rb
+          ReactOnRailsPro.configure do |config|
+            config.renderer_password = ENV.fetch("RENDERER_PASSWORD")
+          end
+
+        Set the same password for the Node Renderer via the RENDERER_PASSWORD environment variable.
+        Rails resolves the password in this order:
+          1) config.renderer_password (blank values fall through to the next step)
+          2) Password embedded in config.renderer_url (for example, https://:password@host:3800)
+          3) ENV["RENDERER_PASSWORD"]
+
+        If Rails and the Node Renderer disagree about startup behavior, verify both RAILS_ENV and NODE_ENV.
+
+        Environment matrix:
+          development    — password optional (no authentication)
+          test           — password optional (no authentication)
+          (RAILS_ENV unset) — treated as production-like; RENDERER_PASSWORD required
+          staging        — RENDERER_PASSWORD required
+          production     — RENDERER_PASSWORD required
+          (any other)    — RENDERER_PASSWORD required
+      MSG
     end
   end
 end

data/lib/react_on_rails_pro/constants.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ReactOnRailsPro
+  # Status code 400 indicates the renderer rejected the request payload or encountered an unhandled render error.
+  STATUS_BAD_REQUEST = 400
   # Status code 410 means to resend the request with the updated bundle.
   STATUS_SEND_BUNDLE = 410
   # Status code 412 means protocol versions are incompatible between the server and the renderer.

data/lib/react_on_rails_pro/request.rb

@@ -297,11 +297,11 @@ module ReactOnRailsPro
             # :write_timeout
             # :request_timeout
             # :operation_timeout
-            # :keep_alive_timeout
             timeout: {
               connect_timeout: ReactOnRailsPro.configuration.renderer_http_pool_timeout,
-              read_timeout: ReactOnRailsPro.configuration.ssr_timeout
-            }
+              read_timeout: ReactOnRailsPro.configuration.ssr_timeout,
+              keep_alive_timeout: ReactOnRailsPro.configuration.renderer_http_keep_alive_timeout
+            }.compact
           )
       rescue StandardError => e
         message = <<~MSG
@@ -309,6 +309,7 @@ module ReactOnRailsPro
           renderer_http_pool_size = #{ReactOnRailsPro.configuration.renderer_http_pool_size}
           renderer_http_pool_timeout = #{ReactOnRailsPro.configuration.renderer_http_pool_timeout}
           renderer_http_pool_warn_timeout = #{ReactOnRailsPro.configuration.renderer_http_pool_warn_timeout}
+          renderer_http_keep_alive_timeout = #{ReactOnRailsPro.configuration.renderer_http_keep_alive_timeout}
           renderer_url = #{url}
           Be sure to use a url that contains the protocol of http or https.
           Original error is

data/lib/react_on_rails_pro/server_rendering_pool/node_rendering_pool.rb

@@ -74,9 +74,10 @@ module ReactOnRailsPro
             ReactOnRailsPro::Error.raise_duplicate_bundle_upload_error if send_bundle
 
             eval_js(js_code, render_options, send_bundle: true)
-          when 400
+          when ReactOnRailsPro::STATUS_BAD_REQUEST
             raise ReactOnRailsPro::Error,
-                  "Renderer unhandled error at the VM level: #{response.status}:\n#{response.body}"
+                  "Renderer rejected malformed request or hit an unhandled VM error: " \
+                  "#{response.status}:\n#{response.body}"
           else
             raise ReactOnRailsPro::Error,
                   "Unexpected response code from renderer: #{response.status}:\n#{response.body}"

data/lib/react_on_rails_pro/stream_request.rb

@@ -140,6 +140,10 @@ module ReactOnRailsPro
         ReactOnRailsPro::Error.raise_duplicate_bundle_upload_error if send_bundle
 
         true
+      when ReactOnRailsPro::STATUS_BAD_REQUEST
+        raise ReactOnRailsPro::Error,
+              "Renderer rejected malformed request or hit an unhandled VM error: " \
+              "#{response.status}:\n#{error_body}"
       when ReactOnRailsPro::STATUS_INCOMPATIBLE
         raise ReactOnRailsPro::Error, error_body
       else

data/lib/react_on_rails_pro/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module ReactOnRailsPro
-  VERSION = "16.5.1"
+  VERSION = "16.6.0.rc.1"
   PROTOCOL_VERSION = "2.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: react_on_rails_pro
 version: !ruby/object:Gem::Version
-  version: 16.5.1
+  version: 16.6.0.rc.1
 platform: ruby
 authors:
 - Justin Gordon
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-03-28 00:00:00.000000000 Z
+date: 2026-04-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.5.1
+        version: 16.6.0.rc.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.5.1
+        version: 16.6.0.rc.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement