Skip to content

Allow artifact verifier to accept covering root peer ranges#95

Merged
justin808 merged 1 commit into
mainfrom
jg-codex/fix-artifact-peer-range
Jun 12, 2026
Merged

Allow artifact verifier to accept covering root peer ranges#95
justin808 merged 1 commit into
mainfrom
jg-codex/fix-artifact-peer-range

Conversation

@justin808

@justin808 justin808 commented Jun 12, 2026

Copy link
Copy Markdown
Member

Summary

Fixes the artifact verification gate after #86 updated the vendored react-server-dom-webpack runtime to 19.0.7 while intentionally leaving the public root React peers at ^19.0.4.

The verifier now:

  • requires the root React and React DOM peer ranges to be caret ranges that include the vendored runtime version
  • still requires the vendored runtime package peers to match the exact runtime version policy

Merge Criteria

  • Full GitHub check list is green, not only required checks
  • Review threads are resolved or explicitly triaged
  • mergeStateStatus is CLEAN / mergeable is MERGEABLE
  • This PR restores the artifact gate on current main; it performs no publish, tag, release, or registry mutation

Verification

  • yarn install --frozen-lockfile
  • yarn verify:artifacts
  • yarn build
  • git diff --check

Fixes the red artifact-checks gate introduced by the #77/#86 interaction.


Note

Low Risk
Only release/CI verification logic in verify-release.sh changes; no runtime, publish, or consumer install behavior is modified.

Overview
Relaxes root peer version checks in the artifact verifier so react and react-dom no longer must equal ^${vendoredRuntimeVersion} exactly. They must still be caret X.Y.Z ranges on the same major whose minimum is not above the vendored runtime (e.g. ^19.0.4 passes when the bundle ships 19.0.7).

Vendored runtime peer policy is unchanged: the embedded react-server-dom-webpack package still must declare peers exactly ^${runtimeVersion}, and the development bundle must still embed matching version / reconcilerVersion markers. The success log now states that the runtime is covered by root peers and aligned with runtime peers.

Reviewed by Cursor Bugbot for commit 5615b2f. Bugbot is set up for automated code reviews on this repo. Configure here.

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@justin808, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fed0fd6a-0b3e-4b69-aa08-29a73e78226d

📥 Commits

Reviewing files that changed from the base of the PR and between 888d8ef and 5615b2f.

📒 Files selected for processing (1)
  • scripts/verify-release.sh
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jg-codex/fix-artifact-peer-range

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@claude

claude Bot commented Jun 12, 2026

Copy link
Copy Markdown

Code Review

Overview

This PR relaxes the artifact-verification gate in scripts/verify-release.sh so that root react/react-dom peer dependencies no longer need to equal the exact vendored runtime version as a caret range (^19.0.7), but only need to be a caret range whose minimum is on the same major and does not exceed the runtime version (e.g. ^19.0.4 passes when the bundle ships 19.0.7). The vendored runtime package's own peer declarations are unchanged — they still must equal ^${runtimeVersion} exactly.

Assessment: Approve with minor notes

The logic is correct and the fix is minimal and well-scoped. A few observations:

Correctness

Minor: 0.x.y caret range semantics not modelled

npm's caret range has narrower semantics for pre-1.0 packages:

  • ^0.2.3 := >=0.2.3 <0.3.0 (minor-locked, not major-locked)
  • ^0.0.3 := >=0.0.3 <0.0.4 (patch-locked)

The current implementation treats any same-major caret range as open through the next major, so it would wrongly accept ^0.1.0 as covering 0.2.3. This is a latent issue only — React is at v19 and this verifier is specific to this repo — but worth noting for awareness.

Style nit: unreachable error path in parseVersion

parseVersion(match[1], label) is called after match[1] is already guaranteed to be \d+\.\d+\.\d+ by the outer regex, so the parse can never fail there. No functional issue.

The success log message is improved — mentioning both root-peer coverage and runtime-peer alignment is clearer than the old single-dimension message.

No security, performance, or test-coverage concerns for a CI-only shell script.

@greptile-apps

greptile-apps Bot commented Jun 12, 2026

Copy link
Copy Markdown

Greptile Summary

This PR relaxes the artifact verification gate for the root package's react and react-dom peer dependency ranges. Previously, both the root peers and the vendored runtime peers were required to match the exact caret string derived from the runtime version (e.g., ^19.0.7); this caused CI failures when the public root peers were intentionally pinned at a broader range (e.g., ^19.0.4) after the vendored runtime was bumped to 19.0.7.

  • Introduces parseVersion, compareVersions, and assertCaretRangeIncludesVersion helpers inside the inline Node.js heredoc to verify that root peers are a caret range whose minimum is ≤ the runtime version and shares the same major.
  • The vendored runtime package's own peer declarations retain the stricter assertEqual check, keeping the two-tier peer policy intact.

Confidence Score: 5/5

The change is scoped entirely to an offline verification script; it cannot affect the published package or runtime behavior.

The three helper functions (parseVersion, compareVersions, assertCaretRangeIncludesVersion) are self-contained and cover all edge cases: undefined/non-caret ranges are rejected, cross-major ranges are rejected, and ranges whose lower bound exceeds the runtime version are rejected. The implicit upper-bound coverage is logically sound for React 19+. The stricter assertEqual path for the vendored runtime's own peers is preserved.

No files require special attention.

Important Files Changed

Filename Overview
scripts/verify-release.sh Replaces strict equality checks on root peer dependency ranges with a new assertCaretRangeIncludesVersion function that allows any caret range whose lower bound is ≤ the vendored runtime version and shares the same major; runtime package peers retain the exact-match check.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Read dist/react-server-dom-webpack/package.json] --> B[runtimeVersion = pkg.version
expectedPeerRange = '^' + runtimeVersion]
    B --> C{assertCaretRangeIncludesVersion
root react peer}
    C -->|range is not ^X.Y.Z| E[throw – not a caret range]
    C -->|minimum.major ≠ target.major| F[throw – wrong major]
    C -->|minimum > target| G[throw – range starts after runtime]
    C -->|pass| H{assertCaretRangeIncludesVersion
root react-dom peer}
    H -->|fail| I[throw]
    H -->|pass| J{assertEqual
runtime peerDependencies.react
== expectedPeerRange}
    J -->|mismatch| K[throw]
    J -->|match| L{assertEqual
runtime peerDependencies.react-dom
== expectedPeerRange}
    L -->|mismatch| M[throw]
    L -->|match| N[Check version markers in development bundle]
    N -->|missing| O[throw]
    N -->|found| P[log success]
Loading

Reviews (1): Last reviewed commit: "Allow root peers to cover vendored runti..." | Re-trigger Greptile

Comment thread scripts/verify-release.sh
Comment thread scripts/verify-release.sh
@justin808 justin808 merged commit 48993d4 into main Jun 12, 2026
16 checks passed
justin808 added a commit that referenced this pull request Jun 12, 2026
* origin/main:
  Allow artifact verifier to accept covering root peer ranges (#95)
justin808 added a commit that referenced this pull request Jun 12, 2026
…h-tests

* origin/main:
  Allow artifact verifier to accept covering root peer ranges (#95)
justin808 added a commit that referenced this pull request Jun 12, 2026
…atrix

* origin/main:
  Allow artifact verifier to accept covering root peer ranges (#95)
  Add release artifact verification gate (#77)
  Apply React 19.0.7 RSC reply-decode DoS fixes (CVE-2026-23869, CVE-2026-23870) to vendored runtime (#86)
  Harden dependency and Claude automation (#76)
justin808 added a commit that referenced this pull request Jun 12, 2026
* origin/main:
  Add compatibility matrix and canary signal (#83)
  Document runtime versioning policy and live backlog pointers (#79)
  Add Flight client error path coverage (#78)
  Document release dist-tag policy and artifact parity checks (#75)
  Allow artifact verifier to accept covering root peer ranges (#95)
  Add release artifact verification gate (#77)
  Apply React 19.0.7 RSC reply-decode DoS fixes (CVE-2026-23869, CVE-2026-23870) to vendored runtime (#86)
  Harden dependency and Claude automation (#76)
  Make PR skill workflows discoverable (#88)
  Extract and own the webpack RSC plugin as TypeScript source (#87)
  Add packed-tarball E2E pipeline suite: webpack+rspack → Flight → SSR HTML → hydration (#85)
  Docs: Option 5 stock npm runtime go/no-go decision (#55 spike) (#80)

# Conflicts:
#	docs/releasing.md
justin808 added a commit that referenced this pull request Jun 13, 2026
…ase-motion

* origin/main:
  Release from GitHub Actions with trusted publishing (#84)
  Add Claude agent setup and workflow skill stubs (#82)
  Add compatibility matrix and canary signal (#83)
  Document runtime versioning policy and live backlog pointers (#79)
  Add Flight client error path coverage (#78)
  Document release dist-tag policy and artifact parity checks (#75)
  Allow artifact verifier to accept covering root peer ranges (#95)
  Add release artifact verification gate (#77)
  Apply React 19.0.7 RSC reply-decode DoS fixes (CVE-2026-23869, CVE-2026-23870) to vendored runtime (#86)
  Harden dependency and Claude automation (#76)
  Make PR skill workflows discoverable (#88)
  Extract and own the webpack RSC plugin as TypeScript source (#87)
  Add packed-tarball E2E pipeline suite: webpack+rspack → Flight → SSR HTML → hydration (#85)
  Docs: Option 5 stock npm runtime go/no-go decision (#55 spike) (#80)

# Conflicts:
#	CHANGELOG.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant