shakapacker 9.4.0 → 9.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a0519c935e0e3d98204aeaeec6cc35b57fa13be1fe8a6f62e5e6cd5124d09c7
-  data.tar.gz: 7f6fe4134fd9b17de2dcd26b5c9e80f1f41d2019dfa0ed337092c1d23a9aa077
+  metadata.gz: 3b214b9c8a64b8d7a39fa119818f9cd85e872abf2278ca9659685ebfe73d3324
+  data.tar.gz: 06a7f954d5909f19df8cf13188b398e0b3ce2d5b4b17c6d74eca65e8573e6a30
 SHA512:
-  metadata.gz: 8789ef5d5cf102254f27c0833b3a7bd8239b5b97d2dfa97ac79fb01827931397dc71dd35f82971a61354a1751f6dafd80d91a322e51b6390f83132f17a786626
-  data.tar.gz: 3a6cff63ba261b9cec55cdd683e7cfa96a24e52b753639643bf2f6874ed49c0f50a990a771a85c4265e9e6394a8fc7e8b4e3440ed5d62982f89b98cddadf9450
+  metadata.gz: f728d9d77e03e1c8113edefdd426fd96b900eb64ce7c8e6470cd2e78f45e2f326645d58c31a95dc383809cfebef6af157cd06c145c9204d9975368212e842cb1
+  data.tar.gz: 7feac095bbf2182d7e87c21fd8f739cbf774ae1bdb8ec55dbe297e76b154f00b81cbabb3ee6f838dda9fd42b67fe718a749b4778924cf23c8f65b896e6a1b7da

data/CHANGELOG.md

@@ -11,9 +11,49 @@
 
 Changes since the last non-beta release.
 
+_None yet._
+
+## [v9.5.0] - January 7, 2026
+
+### Security
+
+- **CRITICAL: Fixed environment variable leak via EnvironmentPlugin**. [PR #857](https://github.com/shakacode/shakapacker/pull/857) by [justin808](https://github.com/justin808). The default webpack and rspack plugins were passing the entire `process.env` to `EnvironmentPlugin`, which exposed ALL build environment variables (including secrets like `DATABASE_URL`, `AWS_SECRET_ACCESS_KEY`, `RAILS_MASTER_KEY`, etc.) to client-side JavaScript bundles when code referenced `process.env.VARIABLE_NAME`. **Note**: This issue is especially critical with webpack 5.103+ due to a [serialization change](https://github.com/webpack/webpack/commit/eecdeeb746b2f996ed4ab74365dd72c95070196b) that can embed all environment variables into bundles when `import.meta.env` is accessed conditionally. This vulnerability was inherited from webpacker v1.0.0 (January 2017) and has been present in all versions of webpacker and shakapacker. **Action required**: After upgrading, rotate any secrets that may have been exposed in production JavaScript bundles.
+
 ### Added
 
-- **Added `SHAKAPACKER_SKIP_PRECOMPILE_HOOK` environment variable to skip precompile hook**. [PR #XXX](https://github.com/shakacode/shakapacker/pull/XXX) by [justin808](https://github.com/justin808). Set `SHAKAPACKER_SKIP_PRECOMPILE_HOOK=true` to skip the precompile hook during compilation. This is useful when using process managers like Foreman or Overmind to run the hook once before starting multiple webpack processes, preventing duplicate hook execution. **Migration tip:** If you have a custom `bin/dev` script that starts multiple webpack processes, you can now run the precompile hook once in the script and set this environment variable to prevent each webpack process from running the hook again. See the [precompile hook documentation](./docs/precompile_hook.md#skipping-the-hook) for implementation examples.
+- **Added `SHAKAPACKER_PUBLIC_*` prefix convention for client-side environment variables**. [PR #857](https://github.com/shakacode/shakapacker/pull/857) by [justin808](https://github.com/justin808). Any environment variable prefixed with `SHAKAPACKER_PUBLIC_` is automatically exposed to client-side JavaScript. This follows the same convention used by Next.js (`NEXT_PUBLIC_*`) and Vite (`VITE_*`), making it explicit which variables are intended for client-side use.
+
+  ```bash
+  # These are automatically available in your JavaScript
+  export SHAKAPACKER_PUBLIC_API_URL=https://api.example.com
+  export SHAKAPACKER_PUBLIC_ANALYTICS_ID=UA-12345
+  ```
+
+- **Added `SHAKAPACKER_ENV_VARS` environment variable as escape hatch for extending allowed client-side env vars**. [PR #857](https://github.com/shakacode/shakapacker/pull/857) by [justin808](https://github.com/justin808). Set `SHAKAPACKER_ENV_VARS=VAR1,VAR2,VAR3` to expose additional environment variables to client-side JavaScript beyond the default allowlist (`NODE_ENV`, `RAILS_ENV`, `WEBPACK_SERVE`). Only add non-sensitive variables that are safe to embed in public JavaScript bundles.
+
+### Changed
+
+- **BREAKING: EnvironmentPlugin now uses allowlist instead of exposing all env vars**. [PR #857](https://github.com/shakacode/shakapacker/pull/857) by [justin808](https://github.com/justin808). Only `NODE_ENV`, `RAILS_ENV`, `WEBPACK_SERVE`, and any `SHAKAPACKER_PUBLIC_*` variables are exposed by default. If your client-side code relies on other environment variables, either rename them with the `SHAKAPACKER_PUBLIC_` prefix (recommended), add them via `SHAKAPACKER_ENV_VARS`, or customize your webpack/rspack config. This is a security fix - the previous behavior was dangerous.
+
+  **Migration examples:**
+
+  ```bash
+  # Option 1 (recommended): Use the SHAKAPACKER_PUBLIC_ prefix
+  export SHAKAPACKER_PUBLIC_API_BASE_URL=https://api.example.com
+
+  # Option 2: Use SHAKAPACKER_ENV_VARS for existing variable names
+  SHAKAPACKER_ENV_VARS=API_BASE_URL bundle exec rails assets:precompile
+  ```
+
+### Fixed
+
+- **Fixed gemspec to exclude Gemfile.lock from published gem**. [PR #856](https://github.com/shakacode/shakapacker/pull/856) by [adrien-k](https://github.com/adrien-k). The gemspec's file pattern now correctly excludes `Gemfile.lock`, preventing vulnerability alerts during Docker image scans caused by outdated pinned versions in the lock file.
+
+## [v9.4.0] - November 22, 2025
+
+### Added
+
+- **Added `SHAKAPACKER_SKIP_PRECOMPILE_HOOK` environment variable to skip precompile hook**. [PR #850](https://github.com/shakacode/shakapacker/pull/850) by [justin808](https://github.com/justin808). Set `SHAKAPACKER_SKIP_PRECOMPILE_HOOK=true` to skip the precompile hook during compilation. This is useful when using process managers like Foreman or Overmind to run the hook once before starting multiple webpack processes, preventing duplicate hook execution. **Migration tip:** If you have a custom `bin/dev` script that starts multiple webpack processes, you can now run the precompile hook once in the script and set this environment variable to prevent each webpack process from running the hook again. See the [precompile hook documentation](./docs/precompile_hook.md#skipping-the-hook) for implementation examples.
 
 ## [v9.3.4-beta.0] - November 17, 2025
 
@@ -216,6 +256,7 @@ See the [v9 Upgrade Guide](https://github.com/shakacode/shakapacker/blob/main/do
 ### ⚠️ Breaking Changes
 
 1. **SWC is now the default JavaScript transpiler instead of Babel** ([PR 603](https://github.com/shakacode/shakapacker/pull/603) by [justin808](https://github.com/justin808))
+
    - Babel dependencies are no longer included as peer dependencies
    - Improves compilation speed by 20x
    - **Migration for existing projects:**
@@ -232,6 +273,7 @@ See the [v9 Upgrade Guide](https://github.com/shakacode/shakapacker/blob/main/do
        ```
 
 2. **CSS Modules now use named exports by default** ([PR 599](https://github.com/shakacode/shakapacker/pull/599))
+
    - **JavaScript:** Use named imports: `import { className } from './styles.module.css'`
    - **TypeScript:** Use namespace imports: `import * as styles from './styles.module.css'`
    - To keep the old behavior with default imports, see [CSS Modules Export Mode documentation](./docs/css-modules-export-mode.md) for configuration instructions
@@ -497,6 +539,7 @@ See the [v8 Upgrade Guide](https://github.com/shakacode/shakapacker/blob/main/do
 
 - Set `source_entry_path` to `packs` and `nested_entries` to `true` in`shakapacker.yml` [PR 284](https://github.com/shakacode/shakapacker/pull/284) by [ahangarha](https://github.com/ahangarha).
 - Dev server configuration is modified to follow [webpack recommended configurations](https://webpack.js.org/configuration/dev-server/) for dev server. [PR276](https://github.com/shakacode/shakapacker/pull/276) by [ahangarha](https://github.com/ahangarha):
+
   - Deprecated `https` entry is removed from the default configuration file, allowing to set `server` or `https` as per the project requirements. For more detail, check webpack documentation. The `https` entry can be effective only if there is no `server` entry in the config file.
   - `allowed_hosts` is now set to `auto` instead of `all` by default.
 
@@ -763,7 +806,9 @@ Note: [Rubygem is 6.3.0.pre.rc.1](https://rubygems.org/gems/shakapacker/versions
 
 See [CHANGELOG.md in rails/webpacker (up to v5.4.3)](https://github.com/rails/webpacker/blob/master/CHANGELOG.md)
 
-[Unreleased]: https://github.com/shakacode/shakapacker/compare/v9.3.4-beta.0...main
+[Unreleased]: https://github.com/shakacode/shakapacker/compare/v9.5.0...main
+[v9.5.0]: https://github.com/shakacode/shakapacker/compare/v9.4.0...v9.5.0
+[v9.4.0]: https://github.com/shakacode/shakapacker/compare/v9.3.4...v9.4.0
 [v9.3.4-beta.0]: https://github.com/shakacode/shakapacker/compare/v9.3.3...v9.3.4-beta.0
 [v9.3.3]: https://github.com/shakacode/shakapacker/compare/v9.3.2...v9.3.3
 [v9.3.2]: https://github.com/shakacode/shakapacker/compare/v9.3.1...v9.3.2

data/CLAUDE.md

@@ -12,6 +12,10 @@
 - Run corresponding RSpec tests when changing source files
 - For example, when changing `lib/shakapacker/foo.rb`, run `spec/shakapacker/foo_spec.rb`
 - Run the full test suite with `bundle exec rspec` before pushing
+- **Use explicit RSpec spy assertions** - prefer `have_received`/`not_to have_received` over indirect counter patterns
+  - Good: `expect(Open3).to have_received(:capture3).with(anything, hook_command, anything)`
+  - Good: `expect(Open3).not_to have_received(:capture3).with(anything, hook_command, anything)`
+  - Avoid: `call_count += 1` followed by `expect(call_count).to eq(1)`
 
 ## Code Style
 

data/bin/shakapacker-config

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+
+// Minimal shim - all logic is in the TypeScript module
+const { run } = require("shakapacker/configExporter")
+
+run(process.argv.slice(2))
+  .then((exitCode) => process.exit(exitCode))
+  .catch((error) => {
+    console.error(error.message)
+    process.exit(1)
+  })

data/docs/configuration.md

@@ -617,14 +617,57 @@ Shakapacker validates configuration at runtime and provides helpful error messag
 
 Some options can be overridden via environment variables:
 
-| Variable                     | Description              | Example                   |
-| ---------------------------- | ------------------------ | ------------------------- |
-| `SHAKAPACKER_CONFIG`         | Path to shakapacker.yml  | `config/webpack.yml`      |
-| `SHAKAPACKER_ASSETS_BUNDLER` | Override assets bundler  | `rspack`                  |
-| `SHAKAPACKER_PRECOMPILE`     | Override precompile flag | `false`                   |
-| `SHAKAPACKER_ASSET_HOST`     | Override asset host      | `https://cdn.example.com` |
-| `NODE_ENV`                   | Node environment         | `production`              |
-| `RAILS_ENV`                  | Rails environment        | `staging`                 |
+| Variable                     | Description                                        | Example                      |
+| ---------------------------- | -------------------------------------------------- | ---------------------------- |
+| `SHAKAPACKER_CONFIG`         | Path to shakapacker.yml                            | `config/webpack.yml`         |
+| `SHAKAPACKER_ASSETS_BUNDLER` | Override assets bundler                            | `rspack`                     |
+| `SHAKAPACKER_PRECOMPILE`     | Override precompile flag                           | `false`                      |
+| `SHAKAPACKER_ASSET_HOST`     | Override asset host                                | `https://cdn.example.com`    |
+| `SHAKAPACKER_PUBLIC_*`       | Auto-exposed to client-side JS (prefix convention) | `SHAKAPACKER_PUBLIC_API_URL` |
+| `SHAKAPACKER_ENV_VARS`       | Additional env vars to expose to client-side JS    | `API_URL,FEATURE_FLAGS`      |
+| `NODE_ENV`                   | Node environment                                   | `production`                 |
+| `RAILS_ENV`                  | Rails environment                                  | `staging`                    |
+
+### Exposing Environment Variables to Client-Side JavaScript
+
+By default, only `NODE_ENV`, `RAILS_ENV`, and `WEBPACK_SERVE` are exposed to client-side JavaScript via webpack/rspack's `EnvironmentPlugin`. This is a security measure to prevent accidentally leaking secrets like `DATABASE_URL`, `API_SECRET_KEY`, etc. into your JavaScript bundles.
+
+#### SHAKAPACKER*PUBLIC*\* Prefix (Recommended)
+
+Any environment variable prefixed with `SHAKAPACKER_PUBLIC_` is automatically exposed to client-side code. This follows the same convention used by Next.js (`NEXT_PUBLIC_*`) and Vite (`VITE_*`):
+
+```bash
+# These are automatically available in your JavaScript
+export SHAKAPACKER_PUBLIC_API_URL=https://api.example.com
+export SHAKAPACKER_PUBLIC_ANALYTICS_ID=UA-12345
+export SHAKAPACKER_PUBLIC_FEATURE_FLAGS=dark_mode,beta_ui
+```
+
+```javascript
+// Access in your JavaScript code
+console.log(process.env.SHAKAPACKER_PUBLIC_API_URL)
+console.log(process.env.SHAKAPACKER_PUBLIC_ANALYTICS_ID)
+```
+
+The prefix makes it explicit which variables are intended for client-side use, preventing accidental exposure of secrets.
+
+#### SHAKAPACKER_ENV_VARS (Legacy/Escape Hatch)
+
+For variables without the `SHAKAPACKER_PUBLIC_` prefix, you can use `SHAKAPACKER_ENV_VARS` to expose them:
+
+```bash
+# Expose additional variables during build
+SHAKAPACKER_ENV_VARS=API_BASE_URL,FEATURE_FLAGS bundle exec rake assets:precompile
+
+# In development
+SHAKAPACKER_ENV_VARS=API_BASE_URL bin/shakapacker-dev-server
+```
+
+```javascript
+// These are available after adding to SHAKAPACKER_ENV_VARS
+console.log(process.env.API_BASE_URL)
+console.log(process.env.FEATURE_FLAGS)
+```
 
 ## Best Practices
 

data/docs/precompile_hook.md

@@ -300,7 +300,7 @@ This is useful when:
 - Running the hook manually and then compiling multiple times
 - Debugging compilation issues without the hook
 
-**Note:** The examples below show how to implement this in your custom `bin/dev` script. If you're using React on Rails, the generated `bin/dev` script already implements this pattern automatically - it runs the precompile hook once before launching processes, then sets `SHAKAPACKER_SKIP_PRECOMPILE_HOOK=true` to prevent duplicate execution.
+**Note:** The examples below show how to implement this in your custom `bin/dev` script. If you're using React on Rails v13.1.0+, the generated `bin/dev` script already implements this pattern automatically - **no action needed**. It runs the precompile hook once before launching processes, then sets `SHAKAPACKER_SKIP_PRECOMPILE_HOOK=true` to prevent duplicate execution.
 
 **Recommended: Use Procfile env prefix**
 

data/lib/shakapacker/version.rb

@@ -1,4 +1,4 @@
 module Shakapacker
   # Change the version in package.json too, please!
-  VERSION = "9.4.0".freeze
+  VERSION = "9.5.0".freeze
 end

data/package/plugins/envFilter.ts

@@ -0,0 +1,82 @@
+/**
+ * Shared environment variable filtering logic for webpack and rspack plugins.
+ *
+ * SECURITY: This module ensures only allowlisted environment variables are
+ * exposed to client-side JavaScript bundles, preventing accidental leakage
+ * of secrets like DATABASE_URL, API keys, etc.
+ */
+
+/**
+ * Allowlist of environment variables that are safe to expose to client-side JavaScript.
+ *
+ * SECURITY: Never add sensitive variables like DATABASE_URL, API keys, or secrets.
+ * These values are embedded directly into the JavaScript bundle and are publicly visible.
+ *
+ * Users can extend this list via:
+ * 1. SHAKAPACKER_PUBLIC_* prefix (auto-exposed, similar to Next.js/Vite conventions)
+ * 2. SHAKAPACKER_ENV_VARS environment variable (comma-separated list)
+ * 3. Customizing their webpack/rspack config
+ */
+export const DEFAULT_ALLOWED_ENV_VARS = [
+  "NODE_ENV",
+  "RAILS_ENV",
+  "WEBPACK_SERVE"
+] as const
+
+/**
+ * Prefix for environment variables that are automatically exposed to client-side code.
+ * Similar to Next.js's NEXT_PUBLIC_ and Vite's VITE_ prefixes.
+ *
+ * Example: SHAKAPACKER_PUBLIC_API_URL will be available as process.env.SHAKAPACKER_PUBLIC_API_URL
+ */
+export const PUBLIC_ENV_PREFIX = "SHAKAPACKER_PUBLIC_"
+
+/**
+ * Gets the list of environment variables to expose to client-side code.
+ * Combines:
+ * 1. Default allowed vars (NODE_ENV, RAILS_ENV, WEBPACK_SERVE)
+ * 2. Any vars with SHAKAPACKER_PUBLIC_ prefix (auto-exposed)
+ * 3. Any user-specified vars from SHAKAPACKER_ENV_VARS
+ */
+export const getAllowedEnvVars = (): string[] => {
+  const allowed: string[] = [...DEFAULT_ALLOWED_ENV_VARS]
+
+  // Auto-expose any SHAKAPACKER_PUBLIC_* variables (similar to Next.js/Vite convention)
+  Object.keys(process.env).forEach((key) => {
+    if (key.startsWith(PUBLIC_ENV_PREFIX)) {
+      allowed.push(key)
+    }
+  })
+
+  // Allow users to specify additional env vars via SHAKAPACKER_ENV_VARS
+  const userVars = process.env.SHAKAPACKER_ENV_VARS
+  if (userVars) {
+    const additionalVars = userVars
+      .split(",")
+      .map((v) => v.trim())
+      .filter(Boolean)
+
+    allowed.push(...additionalVars)
+  }
+
+  // Remove duplicates (can occur if same var is in multiple sources)
+  return [...new Set(allowed)]
+}
+
+/**
+ * Builds a filtered environment object containing only allowed variables.
+ * Returns an object with variable names as keys and their values.
+ * Uses null as default for missing variables (webpack/rspack treat null as optional).
+ */
+export const getFilteredEnv = (): Record<string, string | null> => {
+  const allowedVars = getAllowedEnvVars()
+  const filtered: Record<string, string | null> = {}
+
+  for (const varName of allowedVars) {
+    // Use null as default for missing vars - webpack/rspack treat null as optional
+    // (undefined would cause them to throw if the var is used but not set)
+    filtered[varName] = process.env[varName] ?? null
+  }
+
+  return filtered
+}

data/package/plugins/rspack.ts

@@ -1,4 +1,5 @@
 import type { Config } from "../types"
+import { getFilteredEnv } from "./envFilter"
 
 const { requireOrError } = require("../utils/requireOrError")
 
@@ -29,7 +30,9 @@ interface Manifest {
 
 const getPlugins = (): unknown[] => {
   const plugins = [
-    new rspack.EnvironmentPlugin(process.env),
+    // SECURITY: Only expose allowlisted environment variables to prevent secrets leaking
+    // into client-side bundles. See envFilter.ts for the allowlist configuration.
+    new rspack.EnvironmentPlugin(getFilteredEnv()),
     new RspackManifestPlugin({
       fileName: config.manifestPath.split("/").pop(), // Get just the filename
       publicPath: config.publicPathWithoutCDN,

data/package/plugins/webpack.ts

@@ -1,4 +1,5 @@
 import type { Config } from "../types"
+import { getFilteredEnv } from "./envFilter"
 
 const { requireOrError } = require("../utils/requireOrError")
 // TODO: Change to `const { WebpackAssetsManifest }` when dropping 'webpack-assets-manifest < 6.0.0' (Node >=20.10.0) support
@@ -15,7 +16,9 @@ const getPlugins = (): unknown[] => {
       ? WebpackAssetsManifest.WebpackAssetsManifest
       : WebpackAssetsManifest
   const plugins = [
-    new webpack.EnvironmentPlugin(process.env),
+    // SECURITY: Only expose allowlisted environment variables to prevent secrets leaking
+    // into client-side bundles. See envFilter.ts for the allowlist configuration.
+    new webpack.EnvironmentPlugin(getFilteredEnv()),
     new WebpackAssetsManifestConstructor({
       merge: true,
       entrypoints: true,

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shakapacker",
-  "version": "9.4.0",
+  "version": "9.5.0",
   "description": "Use webpack to manage app-like JavaScript modules in Rails",
   "homepage": "https://github.com/shakacode/shakapacker",
   "bugs": {

data/shakapacker.gemspec

@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency "rubocop-performance"
 
   s.files = `git ls-files -z`.split("\x0").reject { |f|
-    f.match(%r{^(test|spec|features|tmp|node_modules|packages|coverage|Gemfile.lock|rakelib)/})
+    f.match(%r{^(test|spec|features|tmp|node_modules|packages|coverage|Gemfile.lock|rakelib)($|/)})
   } + Dir.glob("sig/**/*.rbs")
 
   s.test_files = `git ls-files -- test/*`.split("\n")

data/sig/shakapacker/compiler.rbs

@@ -52,6 +52,7 @@ class Shakapacker::Compiler
 
   def bin_shakapacker_path: () -> Pathname
 
+  # Returns true if precompile hook should run, false if disabled or skipped via ENV
   def should_run_precompile_hook?: () -> bool
 
   def run_precompile_hook: () -> void

data/test/package/plugins/envFiltering.test.js

@@ -0,0 +1,453 @@
+/**
+ * Security tests for environment variable filtering in EnvironmentPlugin.
+ *
+ * These tests verify that only allowlisted environment variables are exposed
+ * to client-side JavaScript bundles, preventing accidental leakage of secrets.
+ *
+ * CVE: Environment variables leak via EnvironmentPlugin(process.env)
+ * See: https://github.com/shakacode/shakapacker/security/advisories
+ */
+
+const fs = require("fs")
+const path = require("path")
+
+const pluginsDir = path.resolve(__dirname, "../../../package/plugins")
+
+describe("environment variable filtering security", () => {
+  const originalEnv = { ...process.env }
+
+  beforeEach(() => {
+    // Set up test environment with sensitive variables
+    process.env.NODE_ENV = "production"
+    process.env.RAILS_ENV = "production"
+    process.env.WEBPACK_SERVE = "false"
+
+    // Simulate sensitive build environment variables
+    process.env.DATABASE_URL = "postgres://user:password@host/db"
+    process.env.AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+    process.env.AWS_SECRET_ACCESS_KEY =
+      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    process.env.RAILS_MASTER_KEY = "abc123secretmasterkey456"
+    process.env.STRIPE_SECRET_KEY = "sk_live_secretkey123"
+    process.env.SESSION_SECRET = "supersecrettoken"
+
+    // Clear any cached modules
+    jest.resetModules()
+  })
+
+  afterEach(() => {
+    // Restore original environment
+    Object.keys(process.env).forEach((key) => {
+      if (!(key in originalEnv)) {
+        delete process.env[key]
+      }
+    })
+    Object.assign(process.env, originalEnv)
+    delete process.env.SHAKAPACKER_ENV_VARS
+  })
+
+  describe("shared envFilter module", () => {
+    it("exists and exports the filtering functions", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      // Verify exports
+      expect(envFilterSource).toContain("export const DEFAULT_ALLOWED_ENV_VARS")
+      expect(envFilterSource).toContain("export const getAllowedEnvVars")
+      expect(envFilterSource).toContain("export const getFilteredEnv")
+    })
+
+    it("has the default allowlist with only safe variables", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      // Extract the DEFAULT_ALLOWED_ENV_VARS array from source
+      const allowlistMatch = envFilterSource.match(
+        /DEFAULT_ALLOWED_ENV_VARS\s*=\s*\[([\s\S]*?)\]\s*as const/
+      )
+      expect(allowlistMatch).toBeTruthy()
+
+      const allowlistContent = allowlistMatch[1]
+
+      // These patterns should NEVER appear in the allowlist
+      const sensitivePatterns = [
+        "DATABASE",
+        "SECRET",
+        "PASSWORD",
+        "CREDENTIAL",
+        "AWS_",
+        "STRIPE",
+        "MASTER"
+      ]
+
+      sensitivePatterns.forEach((pattern) => {
+        expect(allowlistContent.toUpperCase()).not.toContain(pattern)
+      })
+
+      // Verify expected safe vars are present
+      expect(allowlistContent).toContain("NODE_ENV")
+      expect(allowlistContent).toContain("RAILS_ENV")
+      expect(allowlistContent).toContain("WEBPACK_SERVE")
+    })
+
+    it("includes SHAKAPACKER_ENV_VARS extension support", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      expect(envFilterSource).toContain("SHAKAPACKER_ENV_VARS")
+      expect(envFilterSource).toContain('split(",")')
+    })
+
+    it("exports PUBLIC_ENV_PREFIX constant", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      expect(envFilterSource).toContain("export const PUBLIC_ENV_PREFIX")
+      expect(envFilterSource).toContain('SHAKAPACKER_PUBLIC_"')
+    })
+
+    it("auto-exposes SHAKAPACKER_PUBLIC_* variables", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      // Verify the prefix check is present
+      expect(envFilterSource).toContain("startsWith(PUBLIC_ENV_PREFIX)")
+      expect(envFilterSource).toContain("Object.keys(process.env)")
+    })
+
+    it("uses SHAKAPACKER_PUBLIC_ prefix (with trailing underscore) to prevent system var exposure", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      // SECURITY: The prefix MUST include the trailing underscore to ensure
+      // Shakapacker system variables like SHAKAPACKER_CONFIG, SHAKAPACKER_ENV_VARS,
+      // SHAKAPACKER_PRECOMPILE, etc. are NOT accidentally exposed.
+      // Only SHAKAPACKER_PUBLIC_* variables should be auto-exposed.
+      const prefixMatch = envFilterSource.match(
+        /PUBLIC_ENV_PREFIX\s*=\s*["']([^"']+)["']/
+      )
+      expect(prefixMatch).toBeTruthy()
+      expect(prefixMatch[1]).toBe("SHAKAPACKER_PUBLIC_")
+
+      // Verify the trailing underscore is present - this is critical for security
+      expect(prefixMatch[1]).toMatch(/_$/)
+    })
+
+    it("handles whitespace and empty values in CSV", () => {
+      const envFilterSource = fs.readFileSync(
+        path.join(pluginsDir, "envFilter.ts"),
+        "utf8"
+      )
+
+      // Verify trim() is called on each value
+      expect(envFilterSource).toMatch(/\.map\(\s*\(?v\)?\s*=>\s*v\.trim\(\)/)
+      // Verify filter(Boolean) is called to remove empty strings
+      expect(envFilterSource).toMatch(/\.filter\(Boolean\)/)
+    })
+  })
+
+  describe("webpack plugin", () => {
+    it("imports from shared envFilter module", () => {
+      const webpackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "webpack.ts"),
+        "utf8"
+      )
+
+      expect(webpackPluginSource).toContain(
+        'import { getFilteredEnv } from "./envFilter"'
+      )
+    })
+
+    it("uses getFilteredEnv() not process.env", () => {
+      const webpackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "webpack.ts"),
+        "utf8"
+      )
+
+      // SECURITY: Verify the dangerous pattern is NOT present
+      expect(webpackPluginSource).not.toMatch(
+        /new webpack\.EnvironmentPlugin\(process\.env\)/
+      )
+
+      // Verify the safe pattern IS present
+      expect(webpackPluginSource).toMatch(/getFilteredEnv\(\)/)
+    })
+
+    it("does not duplicate the filtering logic", () => {
+      const webpackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "webpack.ts"),
+        "utf8"
+      )
+
+      // Should NOT have its own copy of these
+      expect(webpackPluginSource).not.toContain("DEFAULT_ALLOWED_ENV_VARS")
+      expect(webpackPluginSource).not.toContain("PUBLIC_ENV_PREFIX")
+      expect(webpackPluginSource).not.toContain("getAllowedEnvVars")
+    })
+  })
+
+  describe("rspack plugin", () => {
+    it("imports from shared envFilter module", () => {
+      const rspackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "rspack.ts"),
+        "utf8"
+      )
+
+      expect(rspackPluginSource).toContain(
+        'import { getFilteredEnv } from "./envFilter"'
+      )
+    })
+
+    it("uses getFilteredEnv() not process.env", () => {
+      const rspackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "rspack.ts"),
+        "utf8"
+      )
+
+      // SECURITY: Verify the dangerous pattern is NOT present
+      expect(rspackPluginSource).not.toMatch(
+        /new rspack\.EnvironmentPlugin\(process\.env\)/
+      )
+
+      // Verify the safe pattern IS present
+      expect(rspackPluginSource).toMatch(/getFilteredEnv\(\)/)
+    })
+
+    it("does not duplicate the filtering logic", () => {
+      const rspackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "rspack.ts"),
+        "utf8"
+      )
+
+      // Should NOT have its own copy of these
+      expect(rspackPluginSource).not.toContain("DEFAULT_ALLOWED_ENV_VARS")
+      expect(rspackPluginSource).not.toContain("PUBLIC_ENV_PREFIX")
+      expect(rspackPluginSource).not.toContain("getAllowedEnvVars")
+    })
+  })
+
+  describe("consistency", () => {
+    it("both plugins use the same shared module", () => {
+      const webpackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "webpack.ts"),
+        "utf8"
+      )
+      const rspackPluginSource = fs.readFileSync(
+        path.join(pluginsDir, "rspack.ts"),
+        "utf8"
+      )
+
+      // Both should import from the same source
+      const webpackImport = webpackPluginSource.match(
+        /import\s*{[^}]*getFilteredEnv[^}]*}\s*from\s*["']([^"']+)["']/
+      )
+      const rspackImport = rspackPluginSource.match(
+        /import\s*{[^}]*getFilteredEnv[^}]*}\s*from\s*["']([^"']+)["']/
+      )
+
+      expect(webpackImport).toBeTruthy()
+      expect(rspackImport).toBeTruthy()
+      expect(webpackImport[1]).toBe(rspackImport[1])
+    })
+  })
+
+  /**
+   * Runtime behavioral tests that actually call the filtering functions.
+   * These complement the static source analysis tests above.
+   */
+  describe("runtime behavior", () => {
+    // Helper to get fresh module instance (avoiding caching issues)
+    const getEnvFilter = () => {
+      jest.resetModules()
+      return require("../../../package/plugins/envFilter")
+    }
+
+    describe("getAllowedEnvVars", () => {
+      it("returns default allowed vars when SHAKAPACKER_ENV_VARS is unset", () => {
+        delete process.env.SHAKAPACKER_ENV_VARS
+        // Remove any SHAKAPACKER_PUBLIC_* vars from test setup
+        const publicVars = Object.keys(process.env).filter((key) =>
+          key.startsWith("SHAKAPACKER_PUBLIC_")
+        )
+        publicVars.forEach((key) => {
+          delete process.env[key]
+        })
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        expect(allowed).toContain("NODE_ENV")
+        expect(allowed).toContain("RAILS_ENV")
+        expect(allowed).toContain("WEBPACK_SERVE")
+        expect(allowed).toHaveLength(3)
+      })
+
+      it("includes SHAKAPACKER_PUBLIC_* variables when present", () => {
+        delete process.env.SHAKAPACKER_ENV_VARS
+        process.env.SHAKAPACKER_PUBLIC_API_URL = "https://api.example.com"
+        process.env.SHAKAPACKER_PUBLIC_ANALYTICS_ID = "UA-12345"
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        expect(allowed).toContain("NODE_ENV")
+        expect(allowed).toContain("RAILS_ENV")
+        expect(allowed).toContain("WEBPACK_SERVE")
+        expect(allowed).toContain("SHAKAPACKER_PUBLIC_API_URL")
+        expect(allowed).toContain("SHAKAPACKER_PUBLIC_ANALYTICS_ID")
+
+        // Cleanup
+        delete process.env.SHAKAPACKER_PUBLIC_API_URL
+        delete process.env.SHAKAPACKER_PUBLIC_ANALYTICS_ID
+      })
+
+      it("does NOT include SHAKAPACKER_* system variables (without PUBLIC_)", () => {
+        process.env.SHAKAPACKER_CONFIG = "/custom/path"
+        process.env.SHAKAPACKER_PRECOMPILE = "true"
+        delete process.env.SHAKAPACKER_ENV_VARS
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        expect(allowed).not.toContain("SHAKAPACKER_CONFIG")
+        expect(allowed).not.toContain("SHAKAPACKER_PRECOMPILE")
+
+        // Cleanup
+        delete process.env.SHAKAPACKER_CONFIG
+        delete process.env.SHAKAPACKER_PRECOMPILE
+      })
+
+      it("parses SHAKAPACKER_ENV_VARS CSV and includes those variables", () => {
+        process.env.SHAKAPACKER_ENV_VARS = "CUSTOM_VAR1,CUSTOM_VAR2,ANOTHER_VAR"
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        expect(allowed).toContain("CUSTOM_VAR1")
+        expect(allowed).toContain("CUSTOM_VAR2")
+        expect(allowed).toContain("ANOTHER_VAR")
+      })
+
+      it("handles whitespace in SHAKAPACKER_ENV_VARS CSV", () => {
+        process.env.SHAKAPACKER_ENV_VARS = " VAR1 , VAR2 ,  VAR3  "
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        expect(allowed).toContain("VAR1")
+        expect(allowed).toContain("VAR2")
+        expect(allowed).toContain("VAR3")
+      })
+
+      it("ignores empty entries in SHAKAPACKER_ENV_VARS CSV", () => {
+        process.env.SHAKAPACKER_ENV_VARS = "VAR1,,VAR2,,,VAR3,"
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        expect(allowed).toContain("VAR1")
+        expect(allowed).toContain("VAR2")
+        expect(allowed).toContain("VAR3")
+        // Should not contain empty strings
+        expect(allowed.filter((v) => v === "")).toHaveLength(0)
+      })
+
+      it("deduplicates variables from multiple sources", () => {
+        process.env.SHAKAPACKER_ENV_VARS = "NODE_ENV,CUSTOM_VAR"
+
+        const { getAllowedEnvVars } = getEnvFilter()
+        const allowed = getAllowedEnvVars()
+
+        // NODE_ENV should only appear once (from defaults, not duplicated from CSV)
+        const nodeEnvCount = allowed.filter((v) => v === "NODE_ENV").length
+        expect(nodeEnvCount).toBe(1)
+      })
+    })
+
+    describe("getFilteredEnv", () => {
+      it("exposes allowed variables with their values", () => {
+        delete process.env.SHAKAPACKER_ENV_VARS
+        process.env.NODE_ENV = "production"
+        process.env.RAILS_ENV = "staging"
+
+        const { getFilteredEnv } = getEnvFilter()
+        const filtered = getFilteredEnv()
+
+        expect(filtered).toHaveProperty("NODE_ENV", "production")
+        expect(filtered).toHaveProperty("RAILS_ENV", "staging")
+      })
+
+      it("omits sensitive variables that are not in allowlist", () => {
+        delete process.env.SHAKAPACKER_ENV_VARS
+        // Sensitive vars are set in beforeEach
+
+        const { getFilteredEnv } = getEnvFilter()
+        const filtered = getFilteredEnv()
+
+        // SECURITY: These must NOT be present
+        expect(filtered).not.toHaveProperty("DATABASE_URL")
+        expect(filtered).not.toHaveProperty("AWS_ACCESS_KEY_ID")
+        expect(filtered).not.toHaveProperty("AWS_SECRET_ACCESS_KEY")
+        expect(filtered).not.toHaveProperty("RAILS_MASTER_KEY")
+        expect(filtered).not.toHaveProperty("STRIPE_SECRET_KEY")
+        expect(filtered).not.toHaveProperty("SESSION_SECRET")
+      })
+
+      it("exposes SHAKAPACKER_PUBLIC_* variables with their values", () => {
+        delete process.env.SHAKAPACKER_ENV_VARS
+        process.env.SHAKAPACKER_PUBLIC_API_URL = "https://api.example.com"
+
+        const { getFilteredEnv } = getEnvFilter()
+        const filtered = getFilteredEnv()
+
+        expect(filtered).toHaveProperty(
+          "SHAKAPACKER_PUBLIC_API_URL",
+          "https://api.example.com"
+        )
+
+        // Cleanup
+        delete process.env.SHAKAPACKER_PUBLIC_API_URL
+      })
+
+      it("uses null for missing variables from SHAKAPACKER_ENV_VARS", () => {
+        process.env.SHAKAPACKER_ENV_VARS = "MISSING_VAR,ANOTHER_MISSING"
+        delete process.env.MISSING_VAR
+        delete process.env.ANOTHER_MISSING
+
+        const { getFilteredEnv } = getEnvFilter()
+        const filtered = getFilteredEnv()
+
+        expect(filtered).toHaveProperty("MISSING_VAR", null)
+        expect(filtered).toHaveProperty("ANOTHER_MISSING", null)
+      })
+
+      it("includes variables from SHAKAPACKER_ENV_VARS with their values", () => {
+        process.env.SHAKAPACKER_ENV_VARS = "CUSTOM_API_URL"
+        process.env.CUSTOM_API_URL = "https://custom.example.com"
+
+        const { getFilteredEnv } = getEnvFilter()
+        const filtered = getFilteredEnv()
+
+        expect(filtered).toHaveProperty(
+          "CUSTOM_API_URL",
+          "https://custom.example.com"
+        )
+
+        // Cleanup
+        delete process.env.CUSTOM_API_URL
+      })
+    })
+  })
+})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakapacker
 version: !ruby/object:Gem::Version
-  version: 9.4.0
+  version: 9.5.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -174,7 +174,6 @@ files:
 - ESLINT_TECHNICAL_DEBT.md
 - Gemfile
 - Gemfile.development_dependencies
-- Gemfile.lock
 - MIT-LICENSE
 - README.md
 - Rakefile
@@ -182,6 +181,7 @@ files:
 - TODO_v9.md
 - __mocks__/nonexistent/package.json
 - __mocks__/sass-loader/package.json
+- bin/shakapacker-config
 - conductor-setup.sh
 - conductor.json
 - config/README.md
@@ -314,6 +314,7 @@ files:
 - package/loaders.d.ts
 - package/optimization/rspack.ts
 - package/optimization/webpack.ts
+- package/plugins/envFilter.ts
 - package/plugins/rspack.ts
 - package/plugins/webpack.ts
 - package/rspack/index.ts
@@ -381,6 +382,7 @@ files:
 - test/package/environments/production.test.js
 - test/package/helpers.test.js
 - test/package/index.test.js
+- test/package/plugins/envFiltering.test.js
 - test/package/production.test.js
 - test/package/rules/babel.test.js
 - test/package/rules/esbuild.test.js
@@ -413,7 +415,7 @@ homepage: https://github.com/shakacode/shakapacker
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/shakacode/shakapacker/tree/v9.4.0
+  source_code_uri: https://github.com/shakacode/shakapacker/tree/v9.5.0
 rdoc_options: []
 require_paths:
 - lib
@@ -448,6 +450,7 @@ test_files:
 - test/package/environments/production.test.js
 - test/package/helpers.test.js
 - test/package/index.test.js
+- test/package/plugins/envFiltering.test.js
 - test/package/production.test.js
 - test/package/rules/babel.test.js
 - test/package/rules/esbuild.test.js

data/Gemfile.lock

@@ -1,254 +0,0 @@
-PATH
-  remote: .
-  specs:
-    shakapacker (9.4.0)
-      activesupport (>= 5.2)
-      package_json
-      rack-proxy (>= 0.6.1)
-      railties (>= 5.2)
-      semantic_range (>= 2.3.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actioncable (7.2.1)
-      actionpack (= 7.2.1)
-      activesupport (= 7.2.1)
-      nio4r (~> 2.0)
-      websocket-driver (>= 0.6.1)
-      zeitwerk (~> 2.6)
-    actionmailbox (7.2.1)
-      actionpack (= 7.2.1)
-      activejob (= 7.2.1)
-      activerecord (= 7.2.1)
-      activestorage (= 7.2.1)
-      activesupport (= 7.2.1)
-      mail (>= 2.8.0)
-    actionmailer (7.2.1)
-      actionpack (= 7.2.1)
-      actionview (= 7.2.1)
-      activejob (= 7.2.1)
-      activesupport (= 7.2.1)
-      mail (>= 2.8.0)
-      rails-dom-testing (~> 2.2)
-    actionpack (7.2.1)
-      actionview (= 7.2.1)
-      activesupport (= 7.2.1)
-      nokogiri (>= 1.8.5)
-      racc
-      rack (>= 2.2.4, < 3.2)
-      rack-session (>= 1.0.1)
-      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.2)
-      rails-html-sanitizer (~> 1.6)
-      useragent (~> 0.16)
-    actiontext (7.2.1)
-      actionpack (= 7.2.1)
-      activerecord (= 7.2.1)
-      activestorage (= 7.2.1)
-      activesupport (= 7.2.1)
-      globalid (>= 0.6.0)
-      nokogiri (>= 1.8.5)
-    actionview (7.2.1)
-      activesupport (= 7.2.1)
-      builder (~> 3.1)
-      erubi (~> 1.11)
-      rails-dom-testing (~> 2.2)
-      rails-html-sanitizer (~> 1.6)
-    activejob (7.2.1)
-      activesupport (= 7.2.1)
-      globalid (>= 0.3.6)
-    activemodel (7.2.1)
-      activesupport (= 7.2.1)
-    activerecord (7.2.1)
-      activemodel (= 7.2.1)
-      activesupport (= 7.2.1)
-      timeout (>= 0.4.0)
-    activestorage (7.2.1)
-      actionpack (= 7.2.1)
-      activejob (= 7.2.1)
-      activerecord (= 7.2.1)
-      activesupport (= 7.2.1)
-      marcel (~> 1.0)
-    activesupport (7.2.1)
-      base64
-      bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.3.1)
-      connection_pool (>= 2.2.5)
-      drb
-      i18n (>= 1.6, < 2)
-      logger (>= 1.4.2)
-      minitest (>= 5.1)
-      securerandom (>= 0.3)
-      tzinfo (~> 2.0, >= 2.0.5)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.8)
-    builder (3.3.0)
-    byebug (11.1.3)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
-    crass (1.0.6)
-    date (3.3.4)
-    diff-lcs (1.5.1)
-    drb (2.2.1)
-    erubi (1.13.0)
-    globalid (1.2.1)
-      activesupport (>= 6.1)
-    i18n (1.14.5)
-      concurrent-ruby (~> 1.0)
-    io-console (0.7.2)
-    irb (1.14.0)
-      rdoc (>= 4.0.0)
-      reline (>= 0.4.2)
-    json (2.7.2)
-    language_server-protocol (3.17.0.3)
-    logger (1.6.0)
-    loofah (2.22.0)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
-    mail (2.8.1)
-      mini_mime (>= 0.1.1)
-      net-imap
-      net-pop
-      net-smtp
-    marcel (1.0.4)
-    mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
-    minitest (5.25.1)
-    net-imap (0.4.15)
-      date
-      net-protocol
-    net-pop (0.1.2)
-      net-protocol
-    net-protocol (0.2.2)
-      timeout
-    net-smtp (0.5.0)
-      net-protocol
-    nio4r (2.7.3)
-    nokogiri (1.16.7)
-      mini_portile2 (~> 2.8.2)
-      racc (~> 1.4)
-    package_json (0.1.0)
-    parallel (1.26.3)
-    parser (3.3.4.2)
-      ast (~> 2.4.1)
-      racc
-    psych (5.1.2)
-      stringio
-    racc (1.8.1)
-    rack (3.1.7)
-    rack-proxy (0.7.7)
-      rack
-    rack-session (2.0.0)
-      rack (>= 3.0.0)
-    rack-test (2.1.0)
-      rack (>= 1.3)
-    rackup (2.1.0)
-      rack (>= 3)
-      webrick (~> 1.8)
-    rails (7.2.1)
-      actioncable (= 7.2.1)
-      actionmailbox (= 7.2.1)
-      actionmailer (= 7.2.1)
-      actionpack (= 7.2.1)
-      actiontext (= 7.2.1)
-      actionview (= 7.2.1)
-      activejob (= 7.2.1)
-      activemodel (= 7.2.1)
-      activerecord (= 7.2.1)
-      activestorage (= 7.2.1)
-      activesupport (= 7.2.1)
-      bundler (>= 1.15.0)
-      railties (= 7.2.1)
-    rails-dom-testing (2.2.0)
-      activesupport (>= 5.0.0)
-      minitest
-      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
-      loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    railties (7.2.1)
-      actionpack (= 7.2.1)
-      activesupport (= 7.2.1)
-      irb (~> 1.13)
-      rackup (>= 1.0.0)
-      rake (>= 12.2)
-      thor (~> 1.0, >= 1.2.2)
-      zeitwerk (~> 2.6)
-    rainbow (3.1.1)
-    rake (13.2.1)
-    rbs (3.9.5)
-      logger
-    rdoc (6.7.0)
-      psych (>= 4.0.0)
-    regexp_parser (2.9.2)
-    reline (0.5.9)
-      io-console (~> 0.5)
-    rspec-core (3.13.0)
-      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-rails (6.0.4)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
-    rspec-support (3.13.1)
-    rubocop (1.66.0)
-      json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
-      parallel (~> 1.10)
-      parser (>= 3.3.0.2)
-      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rubocop-ast (>= 1.32.1, < 2.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.32.1)
-      parser (>= 3.3.1.0)
-    rubocop-performance (1.21.1)
-      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    ruby-progressbar (1.13.0)
-    securerandom (0.3.1)
-    semantic_range (3.1.0)
-    stringio (3.1.1)
-    thor (1.3.2)
-    timeout (0.4.1)
-    tzinfo (2.0.6)
-      concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
-    useragent (0.16.10)
-    webrick (1.8.1)
-    websocket-driver (0.7.6)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
-    zeitwerk (2.6.17)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  bundler (>= 1.3.0)
-  byebug
-  nokogiri (>= 1.13.6)
-  rack-proxy (>= 0.7.2)
-  rails (>= 6.1.6)
-  rails-html-sanitizer (>= 1.4.3)
-  rake (>= 11.1)
-  rbs (~> 3.0)
-  rspec-rails (~> 6.0.2)
-  rubocop
-  rubocop-performance
-  shakapacker!
-
-BUNDLED WITH
-   2.5.23