shakapacker 9.6.1 → 9.7.0

data/docs/rspack.md

@@ -4,9 +4,33 @@ Shakapacker supports [Rspack](https://rspack.rs) as an alternative assets bundle
 
 **📖 For configuration options, see the [Configuration Guide](./configuration.md)**
 
+## Version Compatibility
+
+Shakapacker supports both Rspack v1 (`^1.0.0`) and Rspack v2 (`^2.0.0-0`). No configuration changes are needed when upgrading between rspack versions — shakapacker's generated config works with both.
+
+**Rspack v2 note:** Rspack v2 ships as a pure ESM package and requires **Node.js 20.19.0+**.
+
+**Rspack v1 note:** Rspack v1 itself supports older Node versions, but Shakapacker requires Node 20+.
+
+**React refresh plugin note:** `@rspack/plugin-react-refresh` currently remains on the v1 line in Shakapacker peer deps.
+
+**Current CI coverage note:** Shakapacker currently validates rspack v2 using `2.0.0-beta.6`. The rspack v2 dev dependencies are intentionally pinned while v2 is in beta and should be revisited when stable `2.0.0` is released.
+
+### Why upgrade to Rspack v2?
+
+- **Persistent cache with proper invalidation** — Rspack v2 promotes persistent caching (`cache.type: 'filesystem'`) from experimental to stable, with portable cache support (`cache.portable`) and read-only cache for CI (`cache.readonly`). This means fast rebuilds that survive process restarts and are properly invalidated when dependencies change.
+- **Incremental compilation (stable)** — The `incremental` option moves from `experiments` to a top-level config, signaling it's production-ready. Incremental builds skip unchanged work in the dependency graph.
+- **Better tree shaking** — CJS `require()` destructuring and variable property access are now tree-shaken, and Module Federation shares can be tree-shaken.
+- **Unified target configuration** — A single `target` setting now propagates defaults to SWC and LightningCSS automatically, eliminating redundant per-loader configuration.
+- **Stricter export validation** — `exportsPresence` defaults to `'error'`, catching missing or misspelled exports at build time instead of silently producing broken bundles.
+- **React Server Components** — Built-in RSC support for frameworks.
+- **Performance** — Dozens of Rust-level optimizations across every beta release (hash caching, regex fast paths, reduced allocations, rayon parallelism).
+
+See the [Rspack v2 breaking changes discussion](https://github.com/web-infra-dev/rspack/discussions/9270) for full details.
+
 ## Installation
 
-First, install the required Rspack dependencies:
+Install the required Rspack dependencies:
 
 ```bash
 npm install @rspack/core @rspack/cli -D

data/lib/shakapacker/runner.rb

@@ -296,7 +296,8 @@ module Shakapacker
           if child_pid
             Process.kill("TERM", child_pid)
           else
-            raise SignalException, "TERM" # if there is no child_pid we never spawned the process and can quit as normal
+            # Signal arrived before spawn completed; re-raise so the process exits normally.
+            raise SignalException, "TERM"
           end
         rescue Errno::ESRCH
           nil

data/lib/shakapacker/version.rb

@@ -1,4 +1,4 @@
 module Shakapacker
   # Change the version in package.json too, please!
-  VERSION = "9.6.1".freeze
+  VERSION = "9.7.0".freeze
 end

data/package/configExporter/cli.ts

@@ -712,6 +712,17 @@ async function runAllBuildsCommand(options: ExportOptions): Promise<number> {
     // Apply defaults
     const resolvedOptions = applyDefaults(options)
 
+    // Validate paths for security in all-builds mode.
+    // saveDir is always set by applyDefaults(); --output is not used in --all-builds mode.
+    safeResolvePath(appRoot, resolvedOptions.saveDir!)
+
+    // Keep in sync with validation in run()
+    if (resolvedOptions.annotate && resolvedOptions.format !== "yaml") {
+      throw new Error(
+        "Annotation requires YAML format. Use --no-annotate or --format=yaml."
+      )
+    }
+
     const loader = new ConfigFileLoader(resolvedOptions.configFile)
     if (!loader.exists()) {
       const configPath = resolvedOptions.configFile || DEFAULT_CONFIG_FILE

data/package/plugins/webpack.ts

@@ -58,9 +58,14 @@ const getPlugins = (): unknown[] => {
     config.integrity?.enabled &&
     moduleExists("webpack-subresource-integrity")
   ) {
-    const SubresourceIntegrityPlugin = requireOrError(
+    // webpack-subresource-integrity v5+ exports the plugin as a named export.
+    const subresourceIntegrityModule = requireOrError(
       "webpack-subresource-integrity"
     )
+    const SubresourceIntegrityPlugin =
+      "SubresourceIntegrityPlugin" in subresourceIntegrityModule
+        ? subresourceIntegrityModule.SubresourceIntegrityPlugin
+        : subresourceIntegrityModule
     plugins.push(
       new SubresourceIntegrityPlugin({
         hashFuncNames: config.integrity.hash_functions,

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shakapacker",
-  "version": "9.6.1",
+  "version": "9.7.0",
   "description": "Use webpack to manage app-like JavaScript modules in Rails",
   "homepage": "https://github.com/shakacode/shakapacker",
   "bugs": {
@@ -51,8 +51,8 @@
   "devDependencies": {
     "@eslint/eslintrc": "^3.2.0",
     "@eslint/js": "^9.37.0",
-    "@rspack/cli": "^1.5.8",
-    "@rspack/core": "^1.5.8",
+    "@rspack/cli": "2.0.0-beta.6",
+    "@rspack/core": "2.0.0-beta.6",
     "@swc/core": "^1.3.0",
     "@types/babel__core": "^7.20.5",
     "@types/js-yaml": "^4.0.9",
@@ -99,8 +99,8 @@
     "@babel/plugin-transform-runtime": "^7.17.0",
     "@babel/preset-env": "^7.16.11",
     "@babel/runtime": "^7.17.9",
-    "@rspack/cli": "^1.0.0",
-    "@rspack/core": "^1.0.0",
+    "@rspack/cli": "^1.0.0 || ^2.0.0-0",
+    "@rspack/core": "^1.0.0 || ^2.0.0-0",
     "@rspack/plugin-react-refresh": "^1.0.0",
     "@swc/core": "^1.3.0",
     "@types/babel__core": "^7.0.0",

data/test/package/bundlerUtils.rspack.test.js

@@ -5,6 +5,43 @@
  * then re-require bundlerUtils to exercise the rspack branches.
  */
 
+// Mock requireOrError to provide a fake @rspack/core (v2 is pure ESM, can't be require()'d by Jest)
+jest.mock("../../package/utils/requireOrError", () => {
+  const CssExtractRspackPlugin = jest.fn(function (options) {
+    this.options = options
+  })
+  CssExtractRspackPlugin.loader = "css-extract-rspack-loader"
+
+  return {
+    requireOrError: (moduleName) => {
+      if (moduleName === "@rspack/core") {
+        return {
+          DefinePlugin: jest.fn(function (definitions) {
+            this.definitions = definitions
+          }),
+          EnvironmentPlugin: jest.fn(function (env) {
+            this.env = env
+          }),
+          ProvidePlugin: jest.fn(function (definitions) {
+            this.definitions = definitions
+          }),
+          HotModuleReplacementPlugin: jest.fn(),
+          ProgressPlugin: jest.fn(),
+          CssExtractRspackPlugin,
+          SubresourceIntegrityPlugin: jest.fn(function (options) {
+            this.options = options
+          }),
+          SwcJsMinimizerRspackPlugin: jest.fn(),
+          LightningCssMinimizerRspackPlugin: jest.fn()
+        }
+      }
+      return jest
+        .requireActual("../../package/utils/requireOrError")
+        .requireOrError(moduleName)
+    }
+  }
+})
+
 let bundlerUtils
 
 describe("bundlerUtils with rspack", () => {
@@ -80,7 +117,9 @@ describe("bundlerUtils with rspack", () => {
     test("returns rspack DefinePlugin", () => {
       const DefinePlugin = bundlerUtils.getDefinePlugin()
       expect(DefinePlugin).toBeDefined()
-      expect(DefinePlugin).toBeInstanceOf(Function)
+
+      const instance = new DefinePlugin({ FOO: "bar" })
+      expect(instance.definitions).toStrictEqual({ FOO: "bar" })
     })
   })
 
@@ -88,7 +127,9 @@ describe("bundlerUtils with rspack", () => {
     test("returns rspack EnvironmentPlugin", () => {
       const EnvironmentPlugin = bundlerUtils.getEnvironmentPlugin()
       expect(EnvironmentPlugin).toBeDefined()
-      expect(EnvironmentPlugin).toBeInstanceOf(Function)
+
+      const instance = new EnvironmentPlugin(["NODE_ENV"])
+      expect(instance.env).toStrictEqual(["NODE_ENV"])
     })
   })
 
@@ -96,7 +137,9 @@ describe("bundlerUtils with rspack", () => {
     test("returns rspack ProvidePlugin", () => {
       const ProvidePlugin = bundlerUtils.getProvidePlugin()
       expect(ProvidePlugin).toBeDefined()
-      expect(ProvidePlugin).toBeInstanceOf(Function)
+
+      const instance = new ProvidePlugin({ React: "react" })
+      expect(instance.definitions).toStrictEqual({ React: "react" })
     })
   })
 })

data/test/package/configExporter.test.js

@@ -455,5 +455,37 @@ describe("configExporter", () => {
         parseArguments(["--all-builds", "--save-dir=./configs"])
       }).not.toThrow()
     })
+
+    test("run rejects --all-builds with annotate and non-yaml format", async () => {
+      const { run } = require("../../package/configExporter/cli")
+      const mockConsoleError = jest
+        .spyOn(console, "error")
+        .mockImplementation(() => {})
+
+      const result = await run(["--all-builds", "--annotate", "--format=json"])
+
+      expect(result).toBe(1)
+      expect(mockConsoleError).toHaveBeenCalledWith(
+        expect.stringContaining("Annotation requires YAML format")
+      )
+
+      mockConsoleError.mockRestore()
+    })
+
+    test("run validates --all-builds save-dir path traversal", async () => {
+      const { run } = require("../../package/configExporter/cli")
+      const mockConsoleError = jest
+        .spyOn(console, "error")
+        .mockImplementation(() => {})
+
+      const result = await run(["--all-builds", "--save-dir=../outside"])
+
+      expect(result).toBe(1)
+      expect(mockConsoleError).toHaveBeenCalledWith(
+        expect.stringContaining("[SHAKAPACKER SECURITY] Path traversal attempt")
+      )
+
+      mockConsoleError.mockRestore()
+    })
   })
 })

data/test/package/plugins/webpackSubresourceIntegrity.test.js

@@ -0,0 +1,89 @@
+const loadPluginsWithSriModule = (sriModule) => {
+  let getPlugins
+
+  jest.isolateModules(() => {
+    jest.doMock("../../../package/config", () => ({
+      manifestPath: "public/packs/manifest.json",
+      publicPathWithoutCDN: "/packs/",
+      integrity: {
+        enabled: true,
+        hash_functions: ["sha256"]
+      },
+      css_extract_ignore_order_warnings: false,
+      useContentHash: false
+    }))
+
+    jest.doMock("../../../package/env", () => ({
+      isProduction: true
+    }))
+
+    jest.doMock("../../../package/utils/helpers", () => ({
+      moduleExists: (moduleName) =>
+        moduleName === "webpack-subresource-integrity"
+    }))
+
+    jest.doMock("../../../package/utils/ensureManifestExists", () => ({
+      __esModule: true,
+      default: jest.fn()
+    }))
+
+    jest.doMock("../../../package/utils/requireOrError", () => ({
+      requireOrError: (moduleName) => {
+        if (moduleName === "webpack-assets-manifest") {
+          return function WebpackAssetsManifest() {}
+        }
+        if (moduleName === "webpack") {
+          return {
+            EnvironmentPlugin: function EnvironmentPlugin() {}
+          }
+        }
+        if (moduleName === "webpack-subresource-integrity") {
+          return sriModule
+        }
+
+        throw new Error(`Unexpected module request: ${moduleName}`)
+      }
+    }))
+    ;({ getPlugins } = require("../../../package/plugins/webpack"))
+  })
+
+  return getPlugins
+}
+
+describe("webpack plugins - webpack-subresource-integrity compatibility", () => {
+  afterEach(() => {
+    jest.clearAllMocks()
+  })
+
+  test("supports webpack-subresource-integrity v5 named export", () => {
+    const SubresourceIntegrityPlugin = jest.fn(
+      function SubresourceIntegrityPluginMock(options) {
+        this.options = options
+      }
+    )
+    const getPlugins = loadPluginsWithSriModule({ SubresourceIntegrityPlugin })
+
+    getPlugins()
+
+    expect(SubresourceIntegrityPlugin).toHaveBeenCalledWith({
+      hashFuncNames: ["sha256"],
+      enabled: true
+    })
+  })
+
+  test("supports webpack-subresource-integrity default export", () => {
+    const SubresourceIntegrityPlugin = jest.fn(
+      function SubresourceIntegrityPluginMock(options) {
+        this.options = options
+      }
+    )
+    const getPlugins = loadPluginsWithSriModule(SubresourceIntegrityPlugin)
+
+    getPlugins()
+
+    expect(SubresourceIntegrityPlugin).toHaveBeenCalledWith({
+      hashFuncNames: ["sha256"],
+      enabled: true
+    })
+  })
+})

data/test/package/rspack/index.test.js

@@ -1,4 +1,4 @@
-/* eslint-disable jest/no-conditional-in-test */
+/* eslint-disable func-names, jest/no-conditional-in-test */
 
 const { chdirTestApp } = require("../../helpers")
 
@@ -29,6 +29,48 @@ jest.mock("../../../package/utils/validateDependencies", () => ({
   validateRspackDependencies: jest.fn()
 }))
 
+// Mock requireOrError to provide a fake @rspack/core (v2 is pure ESM, can't be require()'d by Jest)
+jest.mock("../../../package/utils/requireOrError", () => ({
+  requireOrError: (moduleName) => {
+    if (moduleName === "@rspack/core") {
+      const CssExtractRspackPlugin = jest.fn(function (options) {
+        this.options = options
+      })
+      CssExtractRspackPlugin.loader = "css-extract-rspack-loader"
+
+      return {
+        DefinePlugin: jest.fn(function (definitions) {
+          this.definitions = definitions
+        }),
+        EnvironmentPlugin: jest.fn(function (env) {
+          this.env = env
+        }),
+        ProvidePlugin: jest.fn(function (definitions) {
+          this.definitions = definitions
+        }),
+        HotModuleReplacementPlugin: jest.fn(),
+        ProgressPlugin: jest.fn(),
+        CssExtractRspackPlugin,
+        SubresourceIntegrityPlugin: jest.fn(function (options) {
+          this.options = options
+        }),
+        SwcJsMinimizerRspackPlugin: jest.fn(),
+        LightningCssMinimizerRspackPlugin: jest.fn()
+      }
+    }
+    if (moduleName === "rspack-manifest-plugin") {
+      return {
+        RspackManifestPlugin: jest.fn(function (options) {
+          this.options = options
+        })
+      }
+    }
+    return jest
+      .requireActual("../../../package/utils/requireOrError")
+      .requireOrError(moduleName)
+  }
+}))
+
 describe("rspack/index", () => {
   let rspackIndex
   let validateRspackDependencies