shakapacker 9.0.0.beta.6 → 9.0.0.beta.7

data/lib/install/template.rb

@@ -125,13 +125,60 @@ if (setup_path = Rails.root.join("bin/setup")).exist?
 end
 
 Dir.chdir(Rails.root) do
-  npm_version = Shakapacker::Utils::VersionSyntaxConverter.new.rubygem_to_npm(Shakapacker::VERSION)
-  say "Installing shakapacker@#{npm_version}"
-  begin
-    @package_json.manager.add!(["shakapacker@#{npm_version}"], type: :production)
-  rescue PackageJson::Error
-    say "Shakapacker installation failed 😭 See above for details.", :red
-    exit 1
+  # In CI, use the pre-packed tarball if available
+  if ENV["SHAKAPACKER_NPM_PACKAGE"]
+    package_path = ENV["SHAKAPACKER_NPM_PACKAGE"]
+
+    # Validate package path to prevent directory traversal and invalid file types
+    begin
+      # Resolve to absolute path
+      absolute_path = File.expand_path(package_path)
+
+      # Reject paths containing directory traversal
+      if package_path.include?("..") || absolute_path.include?("..")
+        say "❌ Security Error: Package path contains directory traversal: #{package_path}", :red
+        exit 1
+      end
+
+      # Ensure filename ends with .tgz or .tar.gz
+      unless absolute_path.end_with?(".tgz", ".tar.gz")
+        say "❌ Security Error: Package must be a .tgz or .tar.gz file: #{package_path}", :red
+        exit 1
+      end
+
+      # Check existence only after validation
+      if File.exist?(absolute_path)
+        say "📦 Installing shakapacker from local package: #{absolute_path}", :cyan
+        begin
+          @package_json.manager.add!([absolute_path], type: :production)
+        rescue PackageJson::Error
+          say "Shakapacker installation failed 😭 See above for details.", :red
+          exit 1
+        end
+      else
+        say "⚠️  SHAKAPACKER_NPM_PACKAGE set but file not found: #{absolute_path}", :yellow
+        say "Falling back to npm registry...", :yellow
+        npm_version = Shakapacker::Utils::VersionSyntaxConverter.new.rubygem_to_npm(Shakapacker::VERSION)
+        begin
+          @package_json.manager.add!(["shakapacker@#{npm_version}"], type: :production)
+        rescue PackageJson::Error
+          say "Shakapacker installation failed 😭 See above for details.", :red
+          exit 1
+        end
+      end
+    rescue => e
+      say "❌ Error validating package path: #{e.message}", :red
+      exit 1
+    end
+  else
+    npm_version = Shakapacker::Utils::VersionSyntaxConverter.new.rubygem_to_npm(Shakapacker::VERSION)
+    say "Installing shakapacker@#{npm_version}"
+    begin
+      @package_json.manager.add!(["shakapacker@#{npm_version}"], type: :production)
+    rescue PackageJson::Error
+      say "Shakapacker installation failed 😭 See above for details.", :red
+      exit 1
+    end
   end
 
   @package_json.merge! do |pj|

data/lib/shakapacker/version.rb

@@ -1,4 +1,4 @@
 module Shakapacker
   # Change the version in package.json too, please!
-  VERSION = "9.0.0.beta.6".freeze
+  VERSION = "9.0.0.beta.7".freeze
 end

data/package/.npmignore

@@ -0,0 +1,4 @@
+# Exclude TypeScript source files from the package directory
+*.ts
+# But keep the TypeScript declaration files
+!*.d.ts

data/package/config.ts

@@ -125,33 +125,46 @@ if (config.integrity?.hash_functions) {
   config.integrity.hash_functions = [...new Set(config.integrity.hash_functions)]
 }
 
-// Allow ENV variable to override assets_bundler
+// Ensure assets_bundler has a default value
+if (!config.assets_bundler) {
+  config.assets_bundler = "webpack"
+}
+
+// Allow ENV variable to override assets_bundler  
 if (process.env.SHAKAPACKER_ASSETS_BUNDLER) {
   config.assets_bundler = process.env.SHAKAPACKER_ASSETS_BUNDLER
 }
 
 // Define clear defaults
-const DEFAULT_JAVASCRIPT_TRANSPILER =
+// Keep Babel as default for webpack to maintain backward compatibility
+// Use SWC for rspack as it's a newer bundler where we can set modern defaults
+const DEFAULT_JAVASCRIPT_TRANSPILER = 
   config.assets_bundler === "rspack" ? "swc" : "babel"
 
-// Backward compatibility: Add webpack_loader property that maps to javascript_transpiler
-// Show deprecation warning if webpack_loader is used
-// Use type-safe property check
-const configWithLegacy = config as Config & { webpack_loader?: string }
-const webpackLoader = configWithLegacy.webpack_loader
+// Backward compatibility: Check for webpack_loader using proper type guard
+function hasWebpackLoader(obj: unknown): obj is Config & { webpack_loader: string } {
+  return (
+    typeof obj === 'object' &&
+    obj !== null &&
+    'webpack_loader' in obj &&
+    typeof (obj as Record<string, unknown>).webpack_loader === 'string'
+  )
+}
 
-if (webpackLoader && !config.javascript_transpiler) {
+// Allow environment variable to override javascript_transpiler
+if (process.env.SHAKAPACKER_JAVASCRIPT_TRANSPILER) {
+  config.javascript_transpiler = process.env.SHAKAPACKER_JAVASCRIPT_TRANSPILER
+} else if (hasWebpackLoader(config) && !config.javascript_transpiler) {
   console.warn(
     "[SHAKAPACKER DEPRECATION] The 'webpack_loader' configuration option is deprecated.\n" +
     "Please use 'javascript_transpiler' instead as it better reflects its purpose of configuring JavaScript transpilation regardless of the bundler used."
   )
-  config.javascript_transpiler = webpackLoader
+  config.javascript_transpiler = config.webpack_loader
 } else if (!config.javascript_transpiler) {
   config.javascript_transpiler = DEFAULT_JAVASCRIPT_TRANSPILER
 }
 
 // Ensure webpack_loader is always available for backward compatibility
-// Use property assignment instead of type assertion
 Object.defineProperty(config, 'webpack_loader', {
   value: config.javascript_transpiler,
   writable: true,

data/package/env.ts

@@ -3,14 +3,27 @@ import { readFileSync } from "fs"
 const defaultConfigPath = require("./utils/defaultConfigPath")
 const configPath = require("./utils/configPath")
 const { isFileNotFoundError } = require("./utils/errorHelpers")
+const { sanitizeEnvValue } = require("./utils/pathValidation")
 
 const NODE_ENVIRONMENTS = ["development", "production", "test"] as const
 const DEFAULT = "production"
 
-const initialRailsEnv = process.env.RAILS_ENV
-const rawNodeEnv = process.env.NODE_ENV
+// Sanitize environment variables to prevent injection
+const initialRailsEnv = sanitizeEnvValue(process.env.RAILS_ENV)
+const rawNodeEnv = sanitizeEnvValue(process.env.NODE_ENV)
+
+// Validate NODE_ENV strictly
 const nodeEnv =
   rawNodeEnv && NODE_ENVIRONMENTS.includes(rawNodeEnv as typeof NODE_ENVIRONMENTS[number]) ? rawNodeEnv : DEFAULT
+
+// Log warning if NODE_ENV was invalid
+if (rawNodeEnv && !NODE_ENVIRONMENTS.includes(rawNodeEnv as typeof NODE_ENVIRONMENTS[number])) {
+  console.warn(
+    `[SHAKAPACKER WARNING] Invalid NODE_ENV value: ${rawNodeEnv}. ` +
+    `Valid values are: ${NODE_ENVIRONMENTS.join(', ')}. Using default: ${DEFAULT}`
+  )
+}
+
 const isProduction = nodeEnv === "production"
 const isDevelopment = nodeEnv === "development"
 

data/package/environments/{development.js → development.ts}

@@ -1,17 +1,35 @@
+/**
+ * Development environment configuration for webpack and rspack bundlers
+ * @module environments/development
+ */
+
 const { merge } = require("webpack-merge")
 const config = require("../config")
 const baseConfig = require("./base")
 const webpackDevServerConfig = require("../webpackDevServerConfig")
 const { runningWebpackDevServer } = require("../env")
 const { moduleExists } = require("../utils/helpers")
+import type { 
+  WebpackConfigWithDevServer,
+  RspackConfigWithDevServer,
+  ReactRefreshWebpackPlugin,
+  ReactRefreshRspackPlugin
+} from "./types"
 
+/**
+ * Base development configuration shared between webpack and rspack
+ */
 const baseDevConfig = {
-  mode: "development",
-  devtool: "cheap-module-source-map"
+  mode: "development" as const,
+  devtool: "cheap-module-source-map" as const
 }
 
-const webpackDevConfig = () => {
-  const webpackConfig = {
+/**
+ * Generate webpack-specific development configuration
+ * @returns Webpack configuration with dev server settings
+ */
+const webpackDevConfig = (): WebpackConfigWithDevServer => {
+  const webpackConfig: WebpackConfigWithDevServer = {
     ...baseDevConfig,
     ...(runningWebpackDevServer && { devServer: webpackDevServerConfig() })
   }
@@ -33,15 +51,19 @@ const webpackDevConfig = () => {
   return webpackConfig
 }
 
-const rspackDevConfig = () => {
+/**
+ * Generate rspack-specific development configuration
+ * @returns Rspack configuration with dev server settings
+ */
+const rspackDevConfig = (): RspackConfigWithDevServer => {
   const devServerConfig = webpackDevServerConfig()
-  const rspackConfig = {
+  const rspackConfig: RspackConfigWithDevServer = {
     ...baseDevConfig,
     devServer: {
       ...devServerConfig,
       devMiddleware: {
-        ...devServerConfig.devMiddleware,
-        writeToDisk: (filePath) => !filePath.includes(".hot-update.")
+        ...(devServerConfig.devMiddleware || {}),
+        writeToDisk: (filePath: string) => !filePath.includes(".hot-update.")
       }
     }
   }

data/package/environments/{production.js → production.ts}

@@ -1,3 +1,8 @@
+/**
+ * Production environment configuration for webpack and rspack bundlers
+ * @module environments/production
+ */
+
 /* eslint global-require: 0 */
 /* eslint import/no-dynamic-require: 0 */
 
@@ -6,6 +11,8 @@ const { merge } = require("webpack-merge")
 const baseConfig = require("./base")
 const { moduleExists } = require("../utils/helpers")
 const config = require("../config")
+import type { Configuration as WebpackConfiguration, WebpackPluginInstance } from "webpack"
+import type { CompressionPluginConstructor } from "./types"
 
 const optimizationPath = resolve(
   __dirname,
@@ -15,14 +22,18 @@ const optimizationPath = resolve(
 )
 const { getOptimization } = require(optimizationPath)
 
-let CompressionPlugin = null
+let CompressionPlugin: CompressionPluginConstructor | null = null
 if (moduleExists("compression-webpack-plugin")) {
   // eslint-disable-next-line global-require
   CompressionPlugin = require("compression-webpack-plugin")
 }
 
-const getPlugins = () => {
-  const plugins = []
+/**
+ * Generate production plugins including compression
+ * @returns Array of webpack plugins for production
+ */
+const getPlugins = (): WebpackPluginInstance[] => {
+  const plugins: WebpackPluginInstance[] = []
 
   if (CompressionPlugin) {
     plugins.push(
@@ -47,7 +58,10 @@ const getPlugins = () => {
   return plugins
 }
 
-const productionConfig = {
+/**
+ * Production configuration with optimizations and compression
+ */
+const productionConfig: Partial<WebpackConfiguration> = {
   devtool: "source-map",
   stats: "normal",
   bail: true,

data/package/environments/test.ts

@@ -0,0 +1,53 @@
+/**
+ * Test environment configuration for webpack and rspack bundlers
+ * @module environments/test
+ */
+
+const { merge } = require("webpack-merge")
+const config = require("../config")
+const baseConfig = require("./base")
+import type { Configuration as WebpackConfiguration } from "webpack"
+
+interface TestConfig {
+  mode: "development" | "production" | "none"
+  devtool: string | false
+  watchOptions?: {
+    ignored: RegExp
+  }
+}
+
+/**
+ * Shared test configuration for both webpack and rspack
+ * Ensures consistent test behavior across bundlers
+ */
+const sharedTestConfig: TestConfig = {
+  mode: "development",
+  devtool: "cheap-module-source-map",
+  // Disable file watching in test mode
+  watchOptions: {
+    ignored: /node_modules/
+  }
+}
+
+/**
+ * Generate rspack-specific test configuration
+ * @returns Rspack configuration optimized for testing
+ */
+const rspackTestConfig = (): TestConfig => ({
+  ...sharedTestConfig
+  // Add any rspack-specific overrides here if needed
+})
+
+/**
+ * Generate webpack-specific test configuration
+ * @returns Webpack configuration for testing with same settings as rspack
+ */
+const webpackTestConfig = (): Partial<WebpackConfiguration> => ({
+  ...sharedTestConfig
+  // Add any webpack-specific overrides here if needed
+})
+
+const bundlerConfig =
+  config.assets_bundler === "rspack" ? rspackTestConfig() : webpackTestConfig()
+
+module.exports = merge(baseConfig, bundlerConfig)

data/package/environments/types.ts

@@ -0,0 +1,90 @@
+/**
+ * Type definitions for environment configurations
+ * These types are exported for consumer use
+ */
+
+import type { Configuration as WebpackConfiguration, WebpackPluginInstance } from "webpack"
+import type { Configuration as DevServerConfiguration } from "webpack-dev-server"
+
+/**
+ * Webpack configuration extended with dev server support
+ */
+export interface WebpackConfigWithDevServer extends WebpackConfiguration {
+  devServer?: DevServerConfiguration
+  plugins?: WebpackPluginInstance[]
+}
+
+/**
+ * Rspack plugin interface
+ * Rspack plugins follow a similar pattern to webpack but may have different internals
+ */
+export interface RspackPlugin {
+  new(...args: any[]): {
+    apply(compiler: any): void
+    [key: string]: any
+  }
+}
+
+/**
+ * Rspack dev server configuration
+ * Similar to webpack-dev-server but with some rspack-specific options
+ */
+export interface RspackDevServerConfig {
+  port?: number | string | "auto"
+  host?: string
+  hot?: boolean | "only"
+  historyApiFallback?: boolean | Record<string, unknown>
+  headers?: Record<string, string | string[]>
+  proxy?: unknown
+  static?: boolean | string | Array<string | Record<string, unknown>>
+  devMiddleware?: {
+    writeToDisk?: boolean | ((filePath: string) => boolean)
+    publicPath?: string
+    [key: string]: unknown
+  }
+  [key: string]: unknown
+}
+
+/**
+ * Rspack configuration with dev server support
+ */
+export interface RspackConfigWithDevServer {
+  mode?: "development" | "production" | "none"
+  devtool?: string | false
+  devServer?: RspackDevServerConfig
+  plugins?: RspackPlugin[]
+  module?: WebpackConfiguration["module"]
+  resolve?: WebpackConfiguration["resolve"]
+  entry?: WebpackConfiguration["entry"]
+  output?: WebpackConfiguration["output"]
+  optimization?: WebpackConfiguration["optimization"]
+  [key: string]: unknown
+}
+
+/**
+ * Compression plugin options interface
+ */
+export interface CompressionPluginOptions {
+  filename: string
+  algorithm: string | "gzip" | "brotliCompress"
+  test: RegExp
+  threshold?: number
+  minRatio?: number
+  deleteOriginalAssets?: boolean
+}
+
+/**
+ * Compression plugin constructor type
+ */
+export type CompressionPluginConstructor = new (options: CompressionPluginOptions) => WebpackPluginInstance
+
+/**
+ * React Refresh plugin types
+ */
+export interface ReactRefreshWebpackPlugin {
+  new(options?: Record<string, unknown>): WebpackPluginInstance
+}
+
+export interface ReactRefreshRspackPlugin {
+  new(options?: Record<string, unknown>): RspackPlugin
+}

data/package/types/README.md

@@ -0,0 +1,87 @@
+# Shakapacker TypeScript Types
+
+This directory exports all TypeScript types used in Shakapacker for easier consumer imports.
+
+## Usage
+
+Instead of importing types from deep paths:
+
+```typescript
+// ❌ Old way - importing from multiple deep paths
+import type { Config } from 'shakapacker/package/types'
+import type { WebpackConfigWithDevServer } from 'shakapacker/package/environments/types'
+```
+
+You can now import all types from a single location:
+
+```typescript
+// ✅ New way - single import path
+import type {
+  Config,
+  WebpackConfigWithDevServer,
+  RspackConfigWithDevServer
+} from 'shakapacker/types'
+```
+
+## Available Types
+
+### Core Configuration Types
+- `Config` - Main Shakapacker configuration interface
+- `YamlConfig` - YAML configuration structure
+- `LegacyConfig` - Legacy configuration with deprecated options
+- `Env` - Environment variables interface
+- `DevServerConfig` - Development server configuration
+
+### Loader Types
+- `ShakapackerLoader` - Loader interface
+- `ShakapackerLoaderOptions` - Loader options interface
+- `LoaderResolver` - Function type for resolving loaders
+- `LoaderConfig` - Loader configuration interface
+
+### Webpack/Rspack Types
+- `WebpackConfigWithDevServer` - Webpack config with dev server
+- `RspackConfigWithDevServer` - Rspack config with dev server
+- `RspackPlugin` - Rspack plugin interface
+- `RspackDevServerConfig` - Rspack dev server configuration
+- `CompressionPluginOptions` - Options for compression plugin
+- `CompressionPluginConstructor` - Constructor type for compression plugin
+- `ReactRefreshWebpackPlugin` - React refresh plugin for Webpack
+- `ReactRefreshRspackPlugin` - React refresh plugin for Rspack
+
+### Webpack-Specific Types
+- `ShakapackerWebpackConfig` - Extended Webpack configuration
+- `ShakapackerRule` - Extended Webpack rule
+- `LoaderType` - String or loader object type
+- `LoaderUtils` - Loader utility functions
+
+### Re-exported Types
+- `WebpackConfiguration` - From 'webpack'
+- `WebpackPluginInstance` - From 'webpack'
+- `RuleSetRule` - From 'webpack'
+- `NodeJSError` - Node.js error exception type
+
+## Example Usage
+
+```typescript
+import type {
+  Config,
+  WebpackConfigWithDevServer
+} from 'shakapacker/types'
+
+const config: Config = {
+  source_path: 'app/javascript',
+  source_entry_path: 'packs',
+  public_root_path: 'public',
+  public_output_path: 'packs',
+  // ... other config
+}
+
+const webpackConfig: WebpackConfigWithDevServer = {
+  mode: 'development',
+  devServer: {
+    hot: true,
+    port: 3035
+  }
+  // ... other webpack config
+}
+```

data/package/types/index.ts

@@ -0,0 +1,60 @@
+/**
+ * Central type exports for Shakapacker
+ * This file re-exports all public TypeScript types for easier consumer imports
+ *
+ * @example
+ * ```typescript
+ * import type { Config, WebpackConfigWithDevServer } from 'shakapacker/types'
+ * ```
+ *
+ * @module shakapacker/types
+ */
+
+// Core configuration types
+export type {
+  Config,
+  YamlConfig,
+  LegacyConfig,
+  Env,
+  DevServerConfig
+} from '../types'
+
+// Loader types
+export type {
+  ShakapackerLoader,
+  ShakapackerLoaderOptions,
+  LoaderResolver,
+  LoaderConfig
+} from '../loaders'
+
+// Webpack-specific types
+export type {
+  ShakapackerWebpackConfig,
+  ShakapackerRule,
+  ShakapackerLoaderOptions as WebpackLoaderOptions,
+  ShakapackerLoader as WebpackLoader,
+  LoaderType,
+  LoaderUtils
+} from '../webpack-types'
+
+// Environment configuration types
+export type {
+  WebpackConfigWithDevServer,
+  RspackPlugin,
+  RspackDevServerConfig,
+  RspackConfigWithDevServer,
+  CompressionPluginOptions,
+  CompressionPluginConstructor,
+  ReactRefreshWebpackPlugin,
+  ReactRefreshRspackPlugin
+} from '../environments/types'
+
+// Node.js error type (re-exported for convenience)
+export type NodeJSError = NodeJS.ErrnoException
+
+// Re-export commonly used webpack types for convenience
+export type {
+  Configuration as WebpackConfiguration,
+  WebpackPluginInstance,
+  RuleSetRule
+} from 'webpack'