Allow artifact verifier to accept covering root peer ranges#95
Conversation
|
Warning Review limit reached
More reviews will be available in 49 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Code ReviewOverviewThis PR relaxes the artifact-verification gate in Assessment: Approve with minor notesThe logic is correct and the fix is minimal and well-scoped. A few observations: Correctness
Minor: 0.x.y caret range semantics not modelled npm's caret range has narrower semantics for pre-1.0 packages:
The current implementation treats any same-major caret range as open through the next major, so it would wrongly accept Style nit: unreachable error path in
The success log message is improved — mentioning both root-peer coverage and runtime-peer alignment is clearer than the old single-dimension message. No security, performance, or test-coverage concerns for a CI-only shell script. |
Greptile SummaryThis PR relaxes the artifact verification gate for the root package's
Confidence Score: 5/5The change is scoped entirely to an offline verification script; it cannot affect the published package or runtime behavior. The three helper functions (parseVersion, compareVersions, assertCaretRangeIncludesVersion) are self-contained and cover all edge cases: undefined/non-caret ranges are rejected, cross-major ranges are rejected, and ranges whose lower bound exceeds the runtime version are rejected. The implicit upper-bound coverage is logically sound for React 19+. The stricter assertEqual path for the vendored runtime's own peers is preserved. No files require special attention. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Read dist/react-server-dom-webpack/package.json] --> B[runtimeVersion = pkg.version
expectedPeerRange = '^' + runtimeVersion]
B --> C{assertCaretRangeIncludesVersion
root react peer}
C -->|range is not ^X.Y.Z| E[throw – not a caret range]
C -->|minimum.major ≠ target.major| F[throw – wrong major]
C -->|minimum > target| G[throw – range starts after runtime]
C -->|pass| H{assertCaretRangeIncludesVersion
root react-dom peer}
H -->|fail| I[throw]
H -->|pass| J{assertEqual
runtime peerDependencies.react
== expectedPeerRange}
J -->|mismatch| K[throw]
J -->|match| L{assertEqual
runtime peerDependencies.react-dom
== expectedPeerRange}
L -->|mismatch| M[throw]
L -->|match| N[Check version markers in development bundle]
N -->|missing| O[throw]
N -->|found| P[log success]
Reviews (1): Last reviewed commit: "Allow root peers to cover vendored runti..." | Re-trigger Greptile |
* origin/main: Allow artifact verifier to accept covering root peer ranges (#95)
…h-tests * origin/main: Allow artifact verifier to accept covering root peer ranges (#95)
…atrix * origin/main: Allow artifact verifier to accept covering root peer ranges (#95) Add release artifact verification gate (#77) Apply React 19.0.7 RSC reply-decode DoS fixes (CVE-2026-23869, CVE-2026-23870) to vendored runtime (#86) Harden dependency and Claude automation (#76)
* origin/main: Add compatibility matrix and canary signal (#83) Document runtime versioning policy and live backlog pointers (#79) Add Flight client error path coverage (#78) Document release dist-tag policy and artifact parity checks (#75) Allow artifact verifier to accept covering root peer ranges (#95) Add release artifact verification gate (#77) Apply React 19.0.7 RSC reply-decode DoS fixes (CVE-2026-23869, CVE-2026-23870) to vendored runtime (#86) Harden dependency and Claude automation (#76) Make PR skill workflows discoverable (#88) Extract and own the webpack RSC plugin as TypeScript source (#87) Add packed-tarball E2E pipeline suite: webpack+rspack → Flight → SSR HTML → hydration (#85) Docs: Option 5 stock npm runtime go/no-go decision (#55 spike) (#80) # Conflicts: # docs/releasing.md
…ase-motion * origin/main: Release from GitHub Actions with trusted publishing (#84) Add Claude agent setup and workflow skill stubs (#82) Add compatibility matrix and canary signal (#83) Document runtime versioning policy and live backlog pointers (#79) Add Flight client error path coverage (#78) Document release dist-tag policy and artifact parity checks (#75) Allow artifact verifier to accept covering root peer ranges (#95) Add release artifact verification gate (#77) Apply React 19.0.7 RSC reply-decode DoS fixes (CVE-2026-23869, CVE-2026-23870) to vendored runtime (#86) Harden dependency and Claude automation (#76) Make PR skill workflows discoverable (#88) Extract and own the webpack RSC plugin as TypeScript source (#87) Add packed-tarball E2E pipeline suite: webpack+rspack → Flight → SSR HTML → hydration (#85) Docs: Option 5 stock npm runtime go/no-go decision (#55 spike) (#80) # Conflicts: # CHANGELOG.md
Summary
Fixes the artifact verification gate after #86 updated the vendored react-server-dom-webpack runtime to 19.0.7 while intentionally leaving the public root React peers at ^19.0.4.
The verifier now:
Merge Criteria
Verification
Fixes the red artifact-checks gate introduced by the #77/#86 interaction.
Note
Low Risk
Only release/CI verification logic in
verify-release.shchanges; no runtime, publish, or consumer install behavior is modified.Overview
Relaxes root peer version checks in the artifact verifier so
reactandreact-domno longer must equal^${vendoredRuntimeVersion}exactly. They must still be caretX.Y.Zranges on the same major whose minimum is not above the vendored runtime (e.g.^19.0.4passes when the bundle ships19.0.7).Vendored runtime peer policy is unchanged: the embedded
react-server-dom-webpackpackage still must declare peers exactly^${runtimeVersion}, and the development bundle must still embed matchingversion/reconcilerVersionmarkers. The success log now states that the runtime is covered by root peers and aligned with runtime peers.Reviewed by Cursor Bugbot for commit 5615b2f. Bugbot is set up for automated code reviews on this repo. Configure here.