fix: pin third-party npm deps in generator to prevent peer dep conflicts (#3083)

## Summary

- Pin all third-party npm dependency constants in the install generator
and `bin/switch-bundler` to `^major.0.0` version ranges
- Fixes CI breakage from `@rspack/plugin-react-refresh@2.0.0` requiring
`@rspack/core@^2.0.0-0` while `@rspack/core` latest is still `1.7.11`
- Follows the same pinning pattern used by Shakapacker's own installer

## Why

The generator listed all third-party npm packages as bare names,
resolving to whatever `latest` pointed to at install time. When
`@rspack/plugin-react-refresh` published 2.0.0 with a peer dep on
`@rspack/core@^2.0.0-0` — while `@rspack/core` latest was still 1.7.11 —
npm refused to install, breaking three rspack generator specs on main.

Every comparable tool (Shakapacker, Webpacker, create-next-app,
create-vite) pins dependencies. This PR closes the gap.

## What changed

| Constant | Example pin | Notes |
|----------|------------|-------|
| `REACT_DEPENDENCIES` | `react@^19.0.0` | Current major |
| `CSS_DEPENDENCIES` | `css-loader@^7.0.0` | Current major |
| `RSPACK_DEPENDENCIES` | `@rspack/core@^1.0.0` | **The fix** |
| `RSPACK_DEV_DEPENDENCIES` | `@rspack/plugin-react-refresh@^1.0.0` |
**The fix** |
| `TYPESCRIPT_DEPENDENCIES` | `typescript@^6.0.0` | Current major |
| `SWC_DEPENDENCIES` | `@swc/core@^1.3.0` | Matches Shakapacker |
| `DEV_DEPENDENCIES` | bare | Pre-1.0, `^0.x` too narrow |
| `bin/switch-bundler` | All deps pinned | Same pattern |

## Verification

Created test apps from both `main` and this branch:
- **Basic install (no --rspack):** `diff package.json` → **identical**,
zero behavior change
- **`--rspack` on main:** fails with `ERESOLVE` peer dep conflict
- **`--rspack` on this branch:** succeeds, all packages installed at
expected 1.x versions

## Test plan

- [ ] CI `rspec-package-tests` passes (the three failing rspack specs
should be green)
- [ ] CI `rspec-unit-tests` passes (updated constant assertions in
`js_dependency_manager_spec.rb`)
- [ ] Verify no regressions in other generator specs

Closes #3082

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* npm dependencies are now pinned to caret-major ranges (e.g.,
^major.0.0) to avoid peer dependency conflicts and prevent
CI/bundler/SWC-related breakage.

* **Documentation**
* Changelog updated to describe the new dependency pinning approach and
rationale.

* **Installer**
* Install/switch tooling now handles versioned npm specifiers correctly
when updating project dependencies.

* **Tests**
* Test suite updated to verify the new versioned dependency behavior in
generators.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

CHANGELOG.md

@@ -24,6 +24,10 @@ After a release, run `/update-changelog` in Claude Code to analyze commits, writ
 
 ### [Unreleased]
 
+#### Fixed
+
+- **Pin third-party npm dependency versions in generator**: All third-party npm dependencies installed by the `react_on_rails:install` generator and `bin/switch-bundler` are now pinned to `^major.0.0` version ranges, preventing peer dependency conflicts from uncontrolled major version bumps. Fixes CI breakage caused by `@rspack/plugin-react-refresh@2.0.0` requiring `@rspack/core@^2.0.0-0` while `@rspack/core` latest was still `1.7.11`. SWC dependency pins match Shakapacker's own version constraints. Closes [Issue 3082](https://github.com/shakacode/react_on_rails/issues/3082). [PR 3083](https://github.com/shakacode/react_on_rails/pull/3083) by [ihabadham](https://github.com/ihabadham).
+
 ### [16.6.0.rc.1] - 2026-04-07
 
 #### Removed

react_on_rails/lib/generators/react_on_rails/js_dependency_manager.rb

@@ -52,44 +52,55 @@ module Generators
     # Include this module in generator classes and call setup_js_dependencies
     # to handle all JS dependency installation via package_json gem.
     module JsDependencyManager
+      # Third-party dependencies are pinned to ^major.0.0 ranges to prevent breaking
+      # changes from uncontrolled major version bumps (e.g., peer dependency conflicts)
+      # while still allowing minor/patch updates. Pre-1.0 packages are left bare since
+      # ^0.x ranges pin to the minor version, which is too narrow.
+      # Exception: SWC deps are pinned to match Shakapacker's own version constraints
+      # (swc-loader@^0.2.0 is pre-1.0 but deliberately pinned for Shakapacker compat).
+      #
+      # Update these pins deliberately when adopting a new major version.
+
       # Core React dependencies required for React on Rails
       # Note: @babel/preset-react is handled separately in BABEL_REACT_DEPENDENCIES
       # and is added only when SWC is not the active transpiler.
       REACT_DEPENDENCIES = %w[
-        react
-        react-dom
-        prop-types
+        react@^19.0.0
+        react-dom@^19.0.0
+        prop-types@^15.0.0
       ].freeze
 
       # Babel preset needed by the generated babel.config.js for non-SWC setups.
       BABEL_REACT_DEPENDENCIES = %w[
-        @babel/preset-react
+        @babel/preset-react@^7.0.0
       ].freeze
 
       # CSS processing dependencies for webpack
       CSS_DEPENDENCIES = %w[
-        css-loader
-        css-minimizer-webpack-plugin
-        mini-css-extract-plugin
-        style-loader
+        css-loader@^7.0.0
+        css-minimizer-webpack-plugin@^8.0.0
+        mini-css-extract-plugin@^2.0.0
+        style-loader@^4.0.0
       ].freeze
 
       # Development-only dependencies for hot reloading (Webpack)
+      # Both packages are pre-1.0, so left bare (see pinning note above).
       DEV_DEPENDENCIES = %w[
         @pmmmwh/react-refresh-webpack-plugin
         react-refresh
       ].freeze
 
       # Rspack core dependencies (only installed when --rspack flag is used)
       RSPACK_DEPENDENCIES = %w[
-        @rspack/core
-        rspack-manifest-plugin
+        @rspack/core@^1.0.0
+        rspack-manifest-plugin@^5.0.0
       ].freeze
 
       # Rspack development dependencies for hot reloading
+      # react-refresh is pre-1.0, so left bare (see pinning note above).
       RSPACK_DEV_DEPENDENCIES = %w[
-        @rspack/cli
-        @rspack/plugin-react-refresh
+        @rspack/cli@^1.0.0
+        @rspack/plugin-react-refresh@^1.0.0
         react-refresh
       ].freeze
 
@@ -100,16 +111,17 @@ module JsDependencyManager
       # - If users choose javascript_transpiler: 'babel', they should manually add @babel/preset-typescript
       #   and configure it in their babel.config.js
       TYPESCRIPT_DEPENDENCIES = %w[
-        typescript
-        @types/react
-        @types/react-dom
+        typescript@^6.0.0
+        @types/react@^19.0.0
+        @types/react-dom@^19.0.0
       ].freeze
 
       # SWC transpiler dependencies (for Shakapacker 9.3.0+ default transpiler)
       # SWC is ~20x faster than Babel and is the default for new Shakapacker installations
+      # Version ranges match Shakapacker's own constraints.
       SWC_DEPENDENCIES = %w[
-        @swc/core
-        swc-loader
+        @swc/core@^1.3.0
+        swc-loader@^0.2.0
       ].freeze
 
       # React on Rails Pro dependencies (only installed when --pro or --rsc flag is used)
@@ -222,7 +234,8 @@ def add_react_dependencies
         # RSC requires React 19.0.x specifically (not 19.1.x or later)
         # Pin to ~19.0.4 to allow patch updates while staying within 19.0.x
         react_deps = if respond_to?(:use_rsc?) && use_rsc?
-                       ["react@#{RSC_REACT_VERSION_RANGE}", "react-dom@#{RSC_REACT_VERSION_RANGE}", "prop-types"]
+                       ["react@#{RSC_REACT_VERSION_RANGE}", "react-dom@#{RSC_REACT_VERSION_RANGE}",
+                        "prop-types@^15.0.0"]
                      else
                        REACT_DEPENDENCIES
                      end

react_on_rails/lib/generators/react_on_rails/templates/base/base/bin/switch-bundler

@@ -6,14 +6,17 @@ require "json"
 
 # Script to switch between webpack and rspack bundlers
 class BundlerSwitcher
+  # Pinned to ^major.0.0 to prevent peer dependency conflicts from major version bumps.
+  # Pre-1.0 packages are left bare since ^0.x pins to the minor version.
+  # webpack-cli pinned to ^6 (not ^7) to stay within Shakapacker's supported peer range.
   WEBPACK_DEPS = {
-    dependencies: %w[webpack webpack-assets-manifest webpack-merge],
-    dev_dependencies: %w[webpack-cli webpack-dev-server @pmmmwh/react-refresh-webpack-plugin]
+    dependencies: %w[webpack@^5.0.0 webpack-assets-manifest@^6.0.0 webpack-merge@^6.0.0],
+    dev_dependencies: %w[webpack-cli@^6.0.0 webpack-dev-server@^5.0.0 @pmmmwh/react-refresh-webpack-plugin]
   }.freeze
 
   RSPACK_DEPS = {
-    dependencies: %w[@rspack/core rspack-manifest-plugin],
-    dev_dependencies: %w[@rspack/cli @rspack/plugin-react-refresh]
+    dependencies: %w[@rspack/core@^1.0.0 rspack-manifest-plugin@^5.0.0],
+    dev_dependencies: %w[@rspack/cli@^1.0.0 @rspack/plugin-react-refresh@^1.0.0]
   }.freeze
 
   def initialize(target_bundler)
@@ -83,11 +86,14 @@ class BundlerSwitcher
     remove_deps = @target_bundler == "rspack" ? WEBPACK_DEPS : RSPACK_DEPS
 
     # Remove old bundler dependencies
+    # Strip version suffix (e.g., "webpack@^5.0.0" -> "webpack") since package.json keys are bare names.
+    # The regex handles scoped (@scope/name@ver) and unscoped (name@ver) packages, and is a no-op for
+    # bare names without a version suffix (e.g., "@pmmmwh/react-refresh-webpack-plugin" stays unchanged).
     remove_deps[:dependencies].each do |dep|
-      package_json["dependencies"]&.delete(dep)
+      package_json["dependencies"]&.delete(dep[%r{\A(@[^/]+/[^@]+|[^@]+)}])
     end
     remove_deps[:dev_dependencies].each do |dep|
-      package_json["devDependencies"]&.delete(dep)
+      package_json["devDependencies"]&.delete(dep[%r{\A(@[^/]+/[^@]+|[^@]+)}])
     end
 
     puts "✅ Removed #{@target_bundler == 'rspack' ? 'webpack' : 'rspack'} dependencies"

react_on_rails/spec/react_on_rails/generators/install_generator_spec.rb

@@ -664,6 +664,16 @@ class ActiveSupport::TestCase
       end
     end
 
+    it "switch-bundler has version-pinned deps and strips versions before deletion" do
+      assert_file "bin/switch-bundler" do |content|
+        # Version pins are present in the constants
+        expect(content).to include("@rspack/core@^1.0.0")
+        expect(content).to include("webpack@^5.0.0")
+        # Version-stripping regex is used for package.json key deletion
+        expect(content).to include('dep[%r{\A(@[^/]+/[^@]+|[^@]+)}]')
+      end
+    end
+
     it "installs rspack dependencies in package.json" do
       assert_file "package.json" do |content|
         package_json = JSON.parse(content)