Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands.}

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

PR Review: Bump React on Rails RC dependencies

This PR bumps react_on_rails_pro (Ruby + JS) from rc.3 to rc.6, advances React and react-dom from ~19.0.4 to ~19.2.7, and upgrades react-on-rails-rsc from 19.0.5-rc.7 to 19.2.0-rc.3 (which introduces a new transitive dependency: react-server-dom-webpack). The lockfiles are regenerated in full.

Findings

1. react-server-dom-webpack is now a runtime dependency but is not declared in package.json (confirmed)

react-on-rails-rsc@19.2.0-rc.3 now declares react-server-dom-webpack "~19.2.7" as a dependency — this package was not required by the previous 19.0.5-rc.7. It is a React-internal RSC package that must be version-matched exactly to react and react-dom. Because it is only a transitive dependency, there is no mechanism in package.json to enforce this alignment. If react/react-dom are bumped independently (or if react-on-rails-rsc shifts its declared range in a future RC), the RSC stack can silently end up with mismatched versions, producing hard runtime errors like "This module cannot be used with a different version of React."

Recommendation: Add "react-server-dom-webpack": "~19.2.7" as a direct dependency to make the version constraint explicit and reviewable.

2. react-redux@^8.1.0 (v8.1.3) declares peerDependencies of react@^16.8.3 || ^17 || ^18 — React 19 is not covered (plausible — peer dep warnings confirmed)

With React bumped to ~19.2.7, yarn install will produce peer dependency warnings because react-redux 8.x never declared React 19 support. The app uses connect() + Provider (no removed APIs), so it likely functions at runtime, but react-redux v9 was specifically released to declare React 18/19 support and should be the upgrade path here.

Recommendation: Upgrade react-redux to ^9.0.0 in a follow-up (this may warrant its own PR given potential API changes).

Non-issues noted (for visibility)

• ~ vs ^ for React — The tilde pin on react/react-dom is correct here: react-on-rails-rsc also uses ~19.2.7 for react-server-dom-webpack, so using ^ would allow React to advance to 19.3.x while the RSC package stays on 19.2.x — a worse outcome.
• Gemfile dot notation vs npm hyphen — 17.0.0.rc.6 vs 17.0.0-rc.6 is correct per each ecosystem's spec; not a risk.
• All lockfile integrity hashes are present and correctly formed for new packages.

Review: Bump React on Rails RC dependencies

This PR advances the React on Rails Pro suite from rc.3 to rc.6, steps react-on-rails-rsc through a full minor version (19.0.5-rc.7 → 19.2.0-rc.3), and brings React/React DOM from 19.0.x to 19.2.7. The lockfile changes are consistent and the version notation is correct across ecosystems (RubyGems dots vs npm hyphens). Two structural issues with the new react-server-dom-webpack pin are worth addressing before merge.

Findings

1. Redundant direct pin for react-server-dom-webpack · package.json:92
No application source file imports react-server-dom-webpack — verified by grepping the entire client tree. The package is already a hard dependency of react-on-rails-rsc@19.2.0-rc.3 (yarn.lock has a single resolved entry at 19.2.7). The root-level pin is harmless today because both constraints use identical ranges (~19.2.7), but if a future react-on-rails-rsc update changes its internal range, Yarn 1 may resolve two separate copies. React's RSC runtime keys modules by object identity, so a version split silently breaks Server Component streaming. Options: remove the explicit entry and let it resolve transitively, or hoist all three React RSC packages into a resolutions block so they can only move together.

2. react / react-dom / react-server-dom-webpack must be bumped in lockstep · package.json:81–82, 92
All three packages are pinned independently at ~19.2.7. A future yarn upgrade react react-dom that crosses a minor boundary without also updating react-server-dom-webpack will cause React to throw at startup ("react-server-dom-webpack requires react and react-dom to be loaded"). A resolutions block or an inline comment makes the coupling explicit and prevents the packages from drifting apart in a maintenance update.

3. Check whether react_on_rails_rsc#29 shipped in 19.2.0-rc.3 · config/shakapacker.yml:12
shakapacker.yml carries a TODO to flip assets_bundler back to rspack once shakacode/react_on_rails_rsc#29 (native rspack RSC plugin) ships. This bump steps react-on-rails-rsc through a full minor version — worth a quick look at the rc release notes to see if that issue was resolved. If it was, the bundler can be flipped here and the TODO removed.

4. react-redux@^8.x peer deps do not declare React 19 compatibility
react-redux 8.1.3 lists react ^16.8.3 || ^17 || ^18 as its peer dependency. With React 19.2.7 this generates a peer dep warning at install time. It works in practice (the library uses use-sync-external-store which React 19 retains), but react-redux 9.x formally declares React 19 support. Not a blocker for an RC-track tutorial repo, but worth noting for readers following this as a best-practices reference.

The Gemfile/Gemfile.lock changes are clean — format, version constraints, and transitive bumps (io-event, io-stream) all look correct.

Review: Bump React on Rails RC dependencies

This PR advances the React on Rails Pro gem and npm packages from rc.3 to rc.6, lifts React and React DOM from ~19.0.4 to ~19.2.7, updates react-on-rails-rsc to track the new React minor (19.2.0-rc.3), and adds react-server-dom-webpack as a new direct dependency. Lockfile entries are consistent and the transitive Ruby dependency bumps (concurrent-ruby, io-event, io-stream) are appropriate minor/patch updates.

Finding

package.json:92 — react-server-dom-webpack is redundantly declared as a direct dependency

No source file in this repository directly imports react-server-dom-webpack; it is already declared as a transitive dependency of react-on-rails-rsc@19.2.0-rc.3 with the identical range (~19.2.7). Yarn 1 currently deduplicates them to a single resolved entry, so there is no immediate problem.

The risk is future maintenance: when react-on-rails-rsc ships a new RC whose own range changes (e.g. ~19.3.x), the pinned direct dep in package.json stays at ~19.2.7 and Yarn 1 will install two separate copies. The RSC Flight protocol is sensitive to mismatched module identities, so two versions of react-server-dom-webpack in node_modules can cause silent payload corruption or hydration failures that are hard to diagnose.

Recommendation: Remove the direct dep and let react-on-rails-rsc manage it. If the intent is to lock react-server-dom-webpack to always match the React version, use resolutions instead — that enforces the version without creating a redundant declaration:

"resolutions": {
  "react-server-dom-webpack": "~19.2.7"
}

Everything else looks good

• Version consistency across Gemfile / Gemfile.lock / package.json / yarn.lock is correct.
• The rc.3 → rc.6 bump is uniform across all three React on Rails packages on both the Ruby and JS sides.
• react-on-rails-rsc versioning (19.2.0-rc.3) correctly tracks the React 19.2.x minor series.
• react-transition-group and react-redux compatibility concerns are pre-existing and unchanged by this PR; the codebase already uses nodeRef correctly everywhere.
• CI runs the full rspec and JS test suites on every PR, so the manual validation checklist in the PR description is sufficient.

+review-app-deploy

🎉 Deploy Complete!

Open Review App

Deployment successful for PR #768, commit 1267e17

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

Greptile Summary

This PR bumps React on Rails RC packages to 17.0.0-rc.6 / 17.0.0.rc.6 across both the Ruby gem and npm ecosystems, and upgrades React/React DOM from ~19.0.4 to ~19.2.7 with a corresponding react-on-rails-rsc jump from 19.0.5-rc.7 to 19.2.0-rc.3.

• React and React DOM are bumped two minor versions to ~19.2.7; scheduler moves from 0.25.0 to 0.27.0 automatically via react-dom's peer dependency.
• react-server-dom-webpack ~19.2.7 is added as an explicit direct dependency (it became a peer/transitive requirement of react-on-rails-rsc@19.2.0-rc.3).
• Ruby gems react_on_rails and react_on_rails_pro are both advanced from 17.0.0.rc.3 to 17.0.0.rc.6, with minor updates to concurrent-ruby, io-event, and io-stream in the lockfile.

Confidence Score: 4/5

Safe to merge; all version pins are internally consistent across package.json, yarn.lock, Gemfile, and Gemfile.lock, but all promoted packages remain release candidates.

Every changed package is an RC build rather than a stable release, so the upgrade carries the inherent uncertainty of pre-release software. Within those constraints the bump is clean: React/React DOM, scheduler, react-server-dom-webpack, and the react-on-rails-rsc version jump all align correctly, and the new react-server-dom-webpack direct dependency in package.json is appropriately pinned to match the transitive requirement introduced by react-on-rails-rsc 19.2.0-rc.3.

No files require special attention; the lockfiles faithfully reflect the manifest pins.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json] --> B[react 19.2.7]
    A --> C[react-dom 19.2.7]
    A --> D[react-on-rails-pro 17.0.0-rc.6]
    A --> E[react-on-rails-pro-node-renderer 17.0.0-rc.6]
    A --> F[react-on-rails-rsc 19.2.0-rc.3]
    A --> G[react-server-dom-webpack 19.2.7 NEW]
    C --> H[scheduler 0.27.0]
    D --> I[react-on-rails 17.0.0-rc.6]
    F --> G
    Gemfile --> J[react_on_rails_pro gem 17.0.0.rc.6]
    J --> K[react_on_rails gem 17.0.0.rc.6]

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[package.json] --> B[react 19.2.7]
    A --> C[react-dom 19.2.7]
    A --> D[react-on-rails-pro 17.0.0-rc.6]
    A --> E[react-on-rails-pro-node-renderer 17.0.0-rc.6]
    A --> F[react-on-rails-rsc 19.2.0-rc.3]
    A --> G[react-server-dom-webpack 19.2.7 NEW]
    C --> H[scheduler 0.27.0]
    D --> I[react-on-rails 17.0.0-rc.6]
    F --> G
    Gemfile --> J[react_on_rails_pro gem 17.0.0.rc.6]
    J --> K[react_on_rails gem 17.0.0.rc.6]

_{Reviews (1): Last reviewed commit: "Refresh concurrent-ruby advisory patch" | Re-trigger Greptile}

✅ Review App Deleted

Review app for PR #768 is deleted

🎮 Control Plane Console
📋 View Workflow Logs

Review: Bump React on Rails RC dependencies

This PR advances React on Rails Pro (Ruby gem + npm) from rc.3 to rc.6, bumps React/ReactDOM from 19.0.x to 19.2.x, and promotes react-server-dom-webpack to a direct top-level npm dependency (previously only pulled in transitively through react-on-rails-rsc). The Gemfile.lock and yarn.lock regenerations look consistent with those version changes.

Two findings survived verification:

1. react_on_rails base gem is not directly pinned in the Gemfile (Gemfile:9)

react_on_rails 17.0.0.rc.6 appears only as a transitive dependency resolved through react_on_rails_pro's own constraint (react_on_rails (= 17.0.0.rc.6) in the lockfile). The DEPENDENCIES section of Gemfile.lock has no direct entry for it.

RC gems can be yanked from RubyGems.org. If react_on_rails 17.0.0.rc.6 is yanked, bundle install fails on any fresh checkout with no workaround short of manually editing Gemfile.lock. Adding gem "react_on_rails", "17.0.0.rc.6" directly to the Gemfile would give the app an explicit fallback pin.

2. react-server-dom-webpack placed in dependencies rather than devDependencies (package.json:92)

react-server-dom-webpack is a webpack plugin/loader used only at build time to enable React Server Components bundling. It is not imported or required anywhere in application source code (client/, config/, renderer/). It belongs in devDependencies.

Note: this repo broadly places webpack tooling in the wrong section (webpack, webpack-cli, terser-webpack-plugin, css-minimizer-webpack-plugin, and most loaders are all in dependencies). The new package follows the existing pattern, but the pattern itself means production installs unnecessarily pull build tooling.

Low-risk observation

react, react-dom, and react-server-dom-webpack are all pinned with ~19.2.7. These packages must stay in exact version lockstep — the RSC Flight protocol is sensitive to version skew between them. The tilde range technically allows patch divergence within 19.2.x. In practice the React team publishes all three simultaneously so this rarely causes issues, but exact pins ("19.2.7") would remove the skew window entirely without meaningful downside for an RC-tracking repo.