fix: allow webpack-dev-server v6

[G-Rath]

Summary

This version will be released in the next week or so, and importantly enables addressing GHSA-w5hq-g745-h8pq

The migration docs are here - I don't think any of the breaking changes require any changes to Shakapacker

Pull Request checklist

• Add/update test to cover these changes
• Update documentation
• Update CHANGELOG file

Other Information

Summary by CodeRabbit

• Documentation

  • Updated peer dependency documentation to reflect expanded webpack-dev-server version support.

• Chores

  • Extended webpack-dev-server compatibility to support both major version 5 (5.2.2+) and version 6 (6.0.0+), providing greater flexibility in dependency management.

[coderabbitai]

Walkthrough

This PR expands webpack-dev-server peer dependency support from version ^5.2.2 to include version ^6.0.0. The same version range change is applied consistently across the main package.json peer dependencies, the installation package config, and the peer dependency documentation.

Changes

webpack-dev-server v6 Support

Layer / File(s)	Summary
Expand webpack-dev-server version range to v5 and v6 package.json, lib/install/package.json, docs/peer-dependencies.md	peerDependencies.webpack-dev-server version range updated from ^5.2.2 to `^5.2.2

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A webpack-dev-server springs anew,
From version five to version two—
Six zero oh, we're ready to go,
Shakapacker's roots will brightly show! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main objective of the pull request: enabling support for webpack-dev-server v6.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR widens the webpack-dev-server peer dependency range from ^5.2.2 to ^5.2.2 || ^6.0.0 in three places (package.json, lib/install/package.json, and docs/peer-dependencies.md), unblocking users who want to adopt v6 and the security fix it addresses.

• All three files are updated consistently and the change is minimal and correct.
• No code changes to Shakapacker's runtime webpack-dev-server usage are required, as the v6 breaking changes (per the linked migration guide) don't affect Shakapacker's invocation paths.
• The CHANGELOG is not updated despite the project's convention that peer dependency range widening is a user-visible fix that warrants an entry.

Confidence Score: 4/5

Safe to merge — the change is a one-line peer dependency range widening applied consistently across all three relevant files, with no runtime code touched.

The dependency range update is correct and consistent. The only gap is a missing CHANGELOG entry that the project's own conventions require for user-visible fixes like this one.

CHANGELOG.md should receive an entry under the Unreleased section before merging.

Important Files Changed

Filename	Overview
package.json	Widens webpack-dev-server peer dependency from ^5.2.2 to `^5.2.2
lib/install/package.json	Mirrors the same peer dependency widening for new project installs; change is consistent with package.json.
docs/peer-dependencies.md	Documentation updated to reflect the new supported range; consistent with the code changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Shakapacker 10.x] --> B{webpack-dev-server version?}
    B -->|v5.2.2 and above| C[Supported before this PR]
    B -->|v6.0.0 and above| D[Newly supported by this PR]
    B -->|v4.x or older| E[Not supported]
    C --> F[peerDependencies range updated]
    D --> F

Loading

_{Reviews (1): Last reviewed commit: "fix: allow `webpack-dev-server` v6" | Re-trigger Greptile}

[justin808]

@G-Rath I asked copilot about the failing CI:

The failure is happening during the generator install step itself, not in the assertions afterward. The common failing point is the shell command launched from spec/generator_specs/generator_spec.rb:67-69, 253-255, 358-360, and 397-399, all of which call:

• bundle exec rake shakapacker:install
• with env like USE_BABEL_PACKAGES=true or JAVASCRIPT_TRANSPILER=babel

That command is executed through Shakapacker::Utils::Misc.sh_in_dir in lib/shakapacker/utils/misc.rb, which only reports a generic shell failure, so the real issue is upstream in the install behavior.

Most likely root cause

The failures line up with the PR’s new Babel-related expectations:

• spec/generator_specs/generator_spec.rb:110-118 expects config/shakapacker.yml to switch from "swc" to "babel" when USE_BABEL_PACKAGES=true
• spec/generator_specs/generator_spec.rb:200-217 now expects both Babel and SWC deps when USE_BABEL_PACKAGES=true
• spec/generator_specs/generator_spec.rb:388-427 expects JAVASCRIPT_TRANSPILER=babel to install Babel deps, exclude SWC deps, and write javascript_transpiler: "babel"

Because 63 examples fail across npm/pnpm/bun/TypeScript/auto-detect cases, this strongly suggests the installer now writes or validates package/config state inconsistently and aborts early for all variants.

Focused solution

Fix the installer so transpiler selection is centralized and consistent:

1. Compute transpiler mode once

In the install code, derive one value from env/options:

transpiler =
  if ENV["JAVASCRIPT_TRANSPILER"] == "babel"
    "babel"
  elsif Shakapacker::Utils::Misc.object_to_boolean(ENV["USE_BABEL_PACKAGES"])
    "babel"
  else
    "swc"
  end

Use that same value everywhere:

• package dependency selection
• config/shakapacker.yml
• JS/TS config template generation

2. Separate “runtime transpiler” from “installed compatibility packages”

Based on the spec:

• USE_BABEL_PACKAGES=true

  • runtime config should be babel
  • install Babel packages
  • keep SWC packages too

• JAVASCRIPT_TRANSPILER=babel

  • runtime config should be babel
  • install Babel packages
  • do not install SWC packages

That means the dependency logic should look more like:

use_babel_packages = Shakapacker::Utils::Misc.object_to_boolean(ENV["USE_BABEL_PACKAGES"])
babel_only = ENV["JAVASCRIPT_TRANSPILER"] == "babel"

dependencies = base_dependencies.dup
dependencies.merge!(babel_dependencies) if use_babel_packages || babel_only
dependencies.merge!(swc_dependencies) unless babel_only

3. Update config/shakapacker.yml from the same decision

The install step must replace the transpiler line deterministically:

config = File.read(config_path)
config.gsub!('javascript_transpiler: "swc"', %(javascript_transpiler: "#{transpiler}"))
File.write(config_path, config)

This directly addresses the failures asserted at:

• spec/generator_specs/generator_spec.rb:110-118
• spec/generator_specs/generator_spec.rb:422-426

4. Ensure install code does not raise when package manager metadata is updated

The workflow runs on Node 20 in .github/workflows/generator.yml:69-86, and the generator specs run across npm/yarn/pnpm/bun. Since all managers fail, avoid manager-specific mutation during install unless required. In particular:

• write packageManager safely if missing
• don’t assume lockfile state
• don’t require a package install side effect before writing config files

Suggested code shape

If the install code currently has scattered conditionals, refactor to helpers like:

def transpiler
  return "babel" if ENV["JAVASCRIPT_TRANSPILER"] == "babel"
  return "babel" if Shakapacker::Utils::Misc.object_to_boolean(ENV["USE_BABEL_PACKAGES"])

  "swc"
end

def install_babel?
  transpiler == "babel"
end

def install_swc?
  ENV["JAVASCRIPT_TRANSPILER"] != "babel"
end

And then:

deps.merge!(babel_dependencies) if install_babel?
deps.merge!(swc_dependencies) if install_swc?
update_shakapacker_yml(transpiler)

Why this should fix the job

This matches the exact expectations in the failing spec file and explains why the entire generator matrix is collapsing:

• one bad installer path
• exercised by every app setup
• causing bundle exec rake shakapacker:install to exit 1 before assertions run

So the solution is to fix the install implementation to consistently honor:

• USE_BABEL_PACKAGES=true => Babel config + Babel deps + SWC deps
• JAVASCRIPT_TRANSPILER=babel => Babel config + Babel deps only

The key failing references are:

• workflow job definition: .github/workflows/generator.yml
• failing spec entrypoint: spec/generator_specs/generator_spec.rb
• shell execution wrapper: lib/shakapacker/utils/misc.rb#L31-L33

If you want a minimal patch, the safest fix is: centralize transpiler selection, make dependency installation conditional as above, and update config/shakapacker.yml from the same single source of truth.

No — this problem is not on main.

PR #1102 is still open and targets main, with:

• base branch: main at 46cc1056d31d25e3269afb6864c5a7065f6aef89
• head branch: support-webpack-dev-server-v6 at 503e7aa1df025e168b3962f837c66fe4fda426de

The failing job you asked about ran on the PR head commit 503e7aa1df025e168b3962f837c66fe4fda426de, not on main.

Also, the PR only changes 3 files, all related to widening the webpack-dev-server version range:

• package.json
• lib/install/package.json
• docs/peer-dependencies.md

So the generator-spec failure is happening on the PR branch/merge context, and it does not appear to be a failure already present on main.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 123: The peerDependencies entry for "webpack-dev-server" lists a
non-existent v6 range ("^5.2.2 || ^6.0.0"); update the package.json
peerDependencies so the "webpack-dev-server" range only includes valid released
versions (remove the "|| ^6.0.0" portion), e.g., change the value to "^5.2.2"
(or to a single valid v5 range such as "^5.2.2" or a bumped v5 like "^5.2.4" if
you want to target the latest patch).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cacd7101-6b82-4290-8708-0801cc39152a

📥 Commits

Reviewing files that changed from the base of the PR and between 46cc105 and 503e7aa.

📒 Files selected for processing (3)

• docs/peer-dependencies.md
• lib/install/package.json
• package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify webpack-dev-server v6 availability and security status

# Check available versions on npm
echo "=== Checking webpack-dev-server versions on npm ==="
curl -s https://registry.npmjs.org/webpack-dev-server | jq -r '.versions | keys[] | select(startswith("6."))' | head -10

echo -e "\n=== Checking latest version ==="
curl -s https://registry.npmjs.org/webpack-dev-server/latest | jq -r '.version'

echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: NPM, package: "webpack-dev-server") {
    nodes {
      advisory {
        ghsaId
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: shakacode/shakapacker

Length of output: 1097

---

🌐 Web query:

webpack-dev-server v6 migration guide breaking changes

💡 Result:

As of May 16, 2026, webpack-dev-server has not released a version 6.0.0 [1][2]. The current stable version is in the 5.x series (specifically 5.2.4, released May 11, 2026) [2]. Because no v6 release exists, there is no official migration guide for it. If you are looking to migrate to the latest version, you should refer to the migration guide for v5.0.0 [3][1]. Key breaking changes introduced in the v5.0.0 release include: - Minimum Node.js version: 18.12.0 [3]. - Minimum webpack version: 5.0.0 [3]. - Server configuration: The http2 and https options were removed in favor of a unified server option [3]. - Middleware: onAfterSetupMiddleware and onBeforeSetupMiddleware were replaced by setupMiddlewares [3]. - Proxy: The proxy option now requires an array [3]. - CLI options: --open-app was replaced by --open-app-name, and --web-socket-server was replaced by --web-socket-server-type [3]. - Environment variables: The WEBPACK_SERVE environment variable value changed from a boolean true to the string 'true' [3]. - API changes: The constructor arguments were updated (first argument is options, second is compiler), and the listen method was replaced by async start or startCallback methods [3]. For detailed instructions on upgrading to the current stable version, consult the official migration-v5.md document in the webpack-dev-server GitHub repository [3].

Citations:

• 1: https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md
• 2: https://www.npmjs.com/package/webpack-dev-server
• 3: https://github.com/webpack/webpack-dev-server/blob/main/migration-v5.md

---

Remove non-existent webpack-dev-server v6 from peer dependency range.

The peer dependency range specifies ^6.0.0, but webpack-dev-server v6 has not been released on npm. The current latest version is 5.2.4. Remove ^6.0.0 from the OR clause so the range reflects only available versions (e.g., ^5.2.2).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 123, The peerDependencies entry for
"webpack-dev-server" lists a non-existent v6 range ("^5.2.2 || ^6.0.0"); update
the package.json peerDependencies so the "webpack-dev-server" range only
includes valid released versions (remove the "|| ^6.0.0" portion), e.g., change
the value to "^5.2.2" (or to a single valid v5 range such as "^5.2.2" or a
bumped v5 like "^5.2.4" if you want to target the latest patch).

[G-Rath]

@justin808 I expect the failures are because CI attempts to install the latest package version possible for peer dependencies, and webpack-dev-server v6 has not yet been published:

If you want to land this now, then probably easiest solution would be to have CI special case webpack-dev-server to install v5