Bump React on Rails RC dependencies

[justin808]

Summary

• Bumps React on Rails Pro packages to 17.0.0-rc.6 / 17.0.0.rc.6.
• Bumps react-on-rails-rsc to 19.2.0-rc.3 and React/React DOM to ~19.2.7.
• Regenerates yarn.lock and Gemfile.lock.

Validation

• corepack yarn install --ignore-scripts
• bundle install
• git diff --check
• Scanned manifests and lockfiles for stale RC pins.

[coderabbitai]

Warning

Review limit reached

@justin808, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 43 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bfe4614e-5f05-4987-b1e1-ef1423e403bc

📥 Commits

Reviewing files that changed from the base of the PR and between ae5a69d and 1267e17.

⛔ Files ignored due to path filters (2)

• Gemfile.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• Gemfile
• package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/react-on-rails-17-rc6

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[claude]

PR Review: Bump React on Rails RC dependencies

This PR bumps react_on_rails_pro (Ruby + JS) from rc.3 to rc.6, advances React and react-dom from ~19.0.4 to ~19.2.7, and upgrades react-on-rails-rsc from 19.0.5-rc.7 to 19.2.0-rc.3 (which introduces a new transitive dependency: react-server-dom-webpack). The lockfiles are regenerated in full.

Findings

1. react-server-dom-webpack is now a runtime dependency but is not declared in package.json (confirmed)

react-on-rails-rsc@19.2.0-rc.3 now declares react-server-dom-webpack "~19.2.7" as a dependency — this package was not required by the previous 19.0.5-rc.7. It is a React-internal RSC package that must be version-matched exactly to react and react-dom. Because it is only a transitive dependency, there is no mechanism in package.json to enforce this alignment. If react/react-dom are bumped independently (or if react-on-rails-rsc shifts its declared range in a future RC), the RSC stack can silently end up with mismatched versions, producing hard runtime errors like "This module cannot be used with a different version of React."

Recommendation: Add "react-server-dom-webpack": "~19.2.7" as a direct dependency to make the version constraint explicit and reviewable.

---

2. react-redux@^8.1.0 (v8.1.3) declares peerDependencies of react@^16.8.3 || ^17 || ^18 — React 19 is not covered (plausible — peer dep warnings confirmed)

With React bumped to ~19.2.7, yarn install will produce peer dependency warnings because react-redux 8.x never declared React 19 support. The app uses connect() + Provider (no removed APIs), so it likely functions at runtime, but react-redux v9 was specifically released to declare React 18/19 support and should be the upgrade path here.

Recommendation: Upgrade react-redux to ^9.0.0 in a follow-up (this may warrant its own PR given potential API changes).

---

Non-issues noted (for visibility)

• ~ vs ^ for React — The tilde pin on react/react-dom is correct here: react-on-rails-rsc also uses ~19.2.7 for react-server-dom-webpack, so using ^ would allow React to advance to 19.3.x while the RSC package stays on 19.2.x — a worse outcome.
• Gemfile dot notation vs npm hyphen — 17.0.0.rc.6 vs 17.0.0-rc.6 is correct per each ecosystem's spec; not a risk.
• All lockfile integrity hashes are present and correctly formed for new packages.

[claude]

This version introduces react-server-dom-webpack "~19.2.7" as a new transitive dependency (the previous 19.0.5-rc.7 had no such dependency). That package is a React-internal RSC module that must be version-matched exactly to react and react-dom. Since it only arrives transitively, there's no direct pin in package.json to enforce this alignment.

Suggested change

	"react-on-rails-rsc": "19.2.0-rc.3",
	"react-on-rails-rsc": "19.2.0-rc.3",
	"react-server-dom-webpack": "~19.2.7",

Adding it as a direct dependency makes the constraint explicit, ensures it moves in lockstep with react/react-dom, and surfaces the version in reviews of future dependency bumps.

[claude]

react-redux 8.1.3 declares peerDependencies: { react: "^16.8.3 || ^17 || ^18" } — React 19 is not in that range. With react now at ~19.2.7, yarn install will emit peer dependency warnings. The app's use of connect() + Provider means it likely functions at runtime (no removed APIs are hit), but react-redux v9 was released specifically to add React 18/19 to the peer dep declaration.

Consider upgrading to ^9.0.0 in a follow-up PR (v9 has some API changes worth reviewing separately).

[claude]

Redundant direct pin — no app code imports this package

react-server-dom-webpack is not imported anywhere in the application's source files; it's already a hard dependency of react-on-rails-rsc@19.2.0-rc.3 (confirmed in yarn.lock). Pinning it here as well creates a maintenance trap: if a future react-on-rails-rsc update changes its internal range (e.g. to ~19.3.x), Yarn 1 may resolve two separate copies. React's RSC runtime performs identity checks on its own modules, so a version split silently breaks Server Component streaming.

If the goal is to lock the version independently of react-on-rails-rsc, consider using a resolutions block instead:

Suggested change

	"react-server-dom-webpack": "~19.2.7",
	"react-server-dom-webpack": "~19.2.7",

(Alternatively, remove this line entirely and let it be managed transitively — the yarn.lock already locks it to 19.2.7.)

[claude]

Version triangle: three RSC packages must stay in lockstep but have independent pins

react, react-dom, and react-server-dom-webpack are all at ~19.2.7 today, but they are three separate dependencies entries. Running yarn upgrade react react-dom in a future maintenance window — without also bumping react-server-dom-webpack — will produce a mismatch between the React core packages and the RSC webpack bridge. React's own cross-package assertion throws at startup: "react-server-dom-webpack requires react and react-dom to be loaded."

Consider anchoring all three together via a resolutions block so they can only move in a single commit:

"resolutions": {
  "react": "~19.2.7",
  "react-dom": "~19.2.7",
  "react-server-dom-webpack": "~19.2.7"
}

Or at minimum add a comment above all three entries calling out that they must be bumped together.

[claude]

Review: Bump React on Rails RC dependencies

This PR advances the React on Rails Pro suite from rc.3 to rc.6, steps react-on-rails-rsc through a full minor version (19.0.5-rc.7 → 19.2.0-rc.3), and brings React/React DOM from 19.0.x to 19.2.7. The lockfile changes are consistent and the version notation is correct across ecosystems (RubyGems dots vs npm hyphens). Two structural issues with the new react-server-dom-webpack pin are worth addressing before merge.

---

Findings

1. Redundant direct pin for react-server-dom-webpack · package.json:92
No application source file imports react-server-dom-webpack — verified by grepping the entire client tree. The package is already a hard dependency of react-on-rails-rsc@19.2.0-rc.3 (yarn.lock has a single resolved entry at 19.2.7). The root-level pin is harmless today because both constraints use identical ranges (~19.2.7), but if a future react-on-rails-rsc update changes its internal range, Yarn 1 may resolve two separate copies. React's RSC runtime keys modules by object identity, so a version split silently breaks Server Component streaming. Options: remove the explicit entry and let it resolve transitively, or hoist all three React RSC packages into a resolutions block so they can only move together.

2. react / react-dom / react-server-dom-webpack must be bumped in lockstep · package.json:81–82, 92
All three packages are pinned independently at ~19.2.7. A future yarn upgrade react react-dom that crosses a minor boundary without also updating react-server-dom-webpack will cause React to throw at startup ("react-server-dom-webpack requires react and react-dom to be loaded"). A resolutions block or an inline comment makes the coupling explicit and prevents the packages from drifting apart in a maintenance update.

3. Check whether react_on_rails_rsc#29 shipped in 19.2.0-rc.3 · config/shakapacker.yml:12
shakapacker.yml carries a TODO to flip assets_bundler back to rspack once shakacode/react_on_rails_rsc#29 (native rspack RSC plugin) ships. This bump steps react-on-rails-rsc through a full minor version — worth a quick look at the rc release notes to see if that issue was resolved. If it was, the bundler can be flipped here and the TODO removed.

4. react-redux@^8.x peer deps do not declare React 19 compatibility
react-redux 8.1.3 lists react ^16.8.3 || ^17 || ^18 as its peer dependency. With React 19.2.7 this generates a peer dep warning at install time. It works in practice (the library uses use-sync-external-store which React 19 retains), but react-redux 9.x formally declares React 19 support. Not a blocker for an RC-track tutorial repo, but worth noting for readers following this as a best-practices reference.

---

The Gemfile/Gemfile.lock changes are clean — format, version constraints, and transitive bumps (io-event, io-stream) all look correct.

[claude]

Review: Bump React on Rails RC dependencies

This PR advances the React on Rails Pro gem and npm packages from rc.3 to rc.6, lifts React and React DOM from ~19.0.4 to ~19.2.7, updates react-on-rails-rsc to track the new React minor (19.2.0-rc.3), and adds react-server-dom-webpack as a new direct dependency. Lockfile entries are consistent and the transitive Ruby dependency bumps (concurrent-ruby, io-event, io-stream) are appropriate minor/patch updates.

Finding

package.json:92 — react-server-dom-webpack is redundantly declared as a direct dependency

No source file in this repository directly imports react-server-dom-webpack; it is already declared as a transitive dependency of react-on-rails-rsc@19.2.0-rc.3 with the identical range (~19.2.7). Yarn 1 currently deduplicates them to a single resolved entry, so there is no immediate problem.

The risk is future maintenance: when react-on-rails-rsc ships a new RC whose own range changes (e.g. ~19.3.x), the pinned direct dep in package.json stays at ~19.2.7 and Yarn 1 will install two separate copies. The RSC Flight protocol is sensitive to mismatched module identities, so two versions of react-server-dom-webpack in node_modules can cause silent payload corruption or hydration failures that are hard to diagnose.

Recommendation: Remove the direct dep and let react-on-rails-rsc manage it. If the intent is to lock react-server-dom-webpack to always match the React version, use resolutions instead — that enforces the version without creating a redundant declaration:

"resolutions": {
  "react-server-dom-webpack": "~19.2.7"
}

Everything else looks good

• Version consistency across Gemfile / Gemfile.lock / package.json / yarn.lock is correct.
• The rc.3 → rc.6 bump is uniform across all three React on Rails packages on both the Ruby and JS sides.
• react-on-rails-rsc versioning (19.2.0-rc.3) correctly tracks the React 19.2.x minor series.
• react-transition-group and react-redux compatibility concerns are pre-existing and unchanged by this PR; the codebase already uses nodeRef correctly everywhere.
• CI runs the full rspec and JS test suites on every PR, so the manual validation checklist in the PR description is sufficient.

[claude]

This package is never directly imported in the application source — all RSC usage goes through react-on-rails-rsc, which already declares react-server-dom-webpack "~19.2.7" as its own dependency (see yarn.lock). Yarn 1 currently deduplicates the two identical ~19.2.7 ranges to a single resolved entry, so there is no breakage today.

The concern is forward-looking: when react-on-rails-rsc ships a future RC that bumps its range to ~19.3.x, this pin stays at ~19.2.7 and Yarn 1 installs two separate copies. Because the RSC Flight wire format uses module identity, mismatched react-server-dom-webpack versions can corrupt server component payloads in ways that are difficult to diagnose.

If the goal is to keep react-server-dom-webpack pinned to the same minor as React (good idea), prefer resolutions over a direct dep:

Suggested change

"react-server-dom-webpack": "~19.2.7",

...and add in the top-level resolutions field:

"resolutions": {
  "react-server-dom-webpack": "~19.2.7"
}

That enforces the version without making this project responsible for manually upgrading a package it never directly uses.

[justin808]

+review-app-deploy

[github-actions]

🎉 Deploy Complete!

Open Review App

Deployment successful for PR #768, commit 1267e17

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[greptile-apps]

Greptile Summary

This PR bumps React on Rails RC packages to 17.0.0-rc.6 / 17.0.0.rc.6 across both the Ruby gem and npm ecosystems, and upgrades React/React DOM from ~19.0.4 to ~19.2.7 with a corresponding react-on-rails-rsc jump from 19.0.5-rc.7 to 19.2.0-rc.3.

• React and React DOM are bumped two minor versions to ~19.2.7; scheduler moves from 0.25.0 to 0.27.0 automatically via react-dom's peer dependency.
• react-server-dom-webpack ~19.2.7 is added as an explicit direct dependency (it became a peer/transitive requirement of react-on-rails-rsc@19.2.0-rc.3).
• Ruby gems react_on_rails and react_on_rails_pro are both advanced from 17.0.0.rc.3 to 17.0.0.rc.6, with minor updates to concurrent-ruby, io-event, and io-stream in the lockfile.

Confidence Score: 4/5

Safe to merge; all version pins are internally consistent across package.json, yarn.lock, Gemfile, and Gemfile.lock, but all promoted packages remain release candidates.

Every changed package is an RC build rather than a stable release, so the upgrade carries the inherent uncertainty of pre-release software. Within those constraints the bump is clean: React/React DOM, scheduler, react-server-dom-webpack, and the react-on-rails-rsc version jump all align correctly, and the new react-server-dom-webpack direct dependency in package.json is appropriately pinned to match the transitive requirement introduced by react-on-rails-rsc 19.2.0-rc.3.

No files require special attention; the lockfiles faithfully reflect the manifest pins.

Important Files Changed

Filename	Overview
Gemfile	Bumps react_on_rails_pro from 17.0.0.rc.3 to 17.0.0.rc.6; consistent with Gemfile.lock
Gemfile.lock	Lockfile regenerated; react_on_rails and react_on_rails_pro both at rc.6, concurrent-ruby/io-event/io-stream minor bumps, all consistent
package.json	React/React DOM bumped to ~19.2.7, react-on-rails-pro packages to rc.6, react-on-rails-rsc to 19.2.0-rc.3, react-server-dom-webpack ~19.2.7 added as new direct dependency
yarn.lock	Lockfile regenerated; all package resolutions match package.json pins, scheduler updated to 0.27.0 to match React 19.2.7 requirements

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json] --> B[react 19.2.7]
    A --> C[react-dom 19.2.7]
    A --> D[react-on-rails-pro 17.0.0-rc.6]
    A --> E[react-on-rails-pro-node-renderer 17.0.0-rc.6]
    A --> F[react-on-rails-rsc 19.2.0-rc.3]
    A --> G[react-server-dom-webpack 19.2.7 NEW]
    C --> H[scheduler 0.27.0]
    D --> I[react-on-rails 17.0.0-rc.6]
    F --> G
    Gemfile --> J[react_on_rails_pro gem 17.0.0.rc.6]
    J --> K[react_on_rails gem 17.0.0.rc.6]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[package.json] --> B[react 19.2.7]
    A --> C[react-dom 19.2.7]
    A --> D[react-on-rails-pro 17.0.0-rc.6]
    A --> E[react-on-rails-pro-node-renderer 17.0.0-rc.6]
    A --> F[react-on-rails-rsc 19.2.0-rc.3]
    A --> G[react-server-dom-webpack 19.2.7 NEW]
    C --> H[scheduler 0.27.0]
    D --> I[react-on-rails 17.0.0-rc.6]
    F --> G
    Gemfile --> J[react_on_rails_pro gem 17.0.0.rc.6]
    J --> K[react_on_rails gem 17.0.0.rc.6]

Loading

_{Reviews (1): Last reviewed commit: "Refresh concurrent-ruby advisory patch" | Re-trigger Greptile}

[github-actions]

✅ Review App Deleted

Review app for PR #768 is deleted

🎮 Control Plane Console
📋 View Workflow Logs

[claude]

Review: Bump React on Rails RC dependencies

This PR advances React on Rails Pro (Ruby gem + npm) from rc.3 to rc.6, bumps React/ReactDOM from 19.0.x to 19.2.x, and promotes react-server-dom-webpack to a direct top-level npm dependency (previously only pulled in transitively through react-on-rails-rsc). The Gemfile.lock and yarn.lock regenerations look consistent with those version changes.

Two findings survived verification:

---

1. react_on_rails base gem is not directly pinned in the Gemfile (Gemfile:9)

react_on_rails 17.0.0.rc.6 appears only as a transitive dependency resolved through react_on_rails_pro's own constraint (react_on_rails (= 17.0.0.rc.6) in the lockfile). The DEPENDENCIES section of Gemfile.lock has no direct entry for it.

RC gems can be yanked from RubyGems.org. If react_on_rails 17.0.0.rc.6 is yanked, bundle install fails on any fresh checkout with no workaround short of manually editing Gemfile.lock. Adding gem "react_on_rails", "17.0.0.rc.6" directly to the Gemfile would give the app an explicit fallback pin.

---

2. react-server-dom-webpack placed in dependencies rather than devDependencies (package.json:92)

react-server-dom-webpack is a webpack plugin/loader used only at build time to enable React Server Components bundling. It is not imported or required anywhere in application source code (client/, config/, renderer/). It belongs in devDependencies.

Note: this repo broadly places webpack tooling in the wrong section (webpack, webpack-cli, terser-webpack-plugin, css-minimizer-webpack-plugin, and most loaders are all in dependencies). The new package follows the existing pattern, but the pattern itself means production installs unnecessarily pull build tooling.

---

Low-risk observation

react, react-dom, and react-server-dom-webpack are all pinned with ~19.2.7. These packages must stay in exact version lockstep — the RSC Flight protocol is sensitive to version skew between them. The tilde range technically allows patch divergence within 19.2.x. In practice the React team publishes all three simultaneously so this rarely causes issues, but exact pins ("19.2.7") would remove the skew window entirely without meaningful downside for an RC-tracking repo.

[claude]

The base react_on_rails gem (at 17.0.0.rc.6) is not directly pinned here — it only appears in the lockfile as a transitive dep of react_on_rails_pro. RC gems can be yanked from RubyGems.org; if that happens, bundle install fails on fresh checkouts with no recourse.

Consider adding a direct pin:

Suggested change

	gem "react_on_rails_pro", "17.0.0.rc.6"
	gem "react_on_rails_pro", "17.0.0.rc.6"
	gem "react_on_rails", "17.0.0.rc.6"

[claude]

react-server-dom-webpack is a webpack plugin used at build time — it is not imported anywhere in application source code. It should go in devDependencies rather than dependencies.

Suggested change

	"react-server-dom-webpack": "~19.2.7",
	"react-server-dom-webpack": "~19.2.7",

Move this entry to the devDependencies section (alongside webpack-dev-server, which is already correctly placed there). The same applies to webpack, webpack-cli, and the other loaders/plugins that are currently miscategorised in dependencies — this PR is a good opportunity to start correcting that pattern.