
Supersede #905: all-builds validation fix with lint unblock#914

Merged
justin808 merged 7 commits into main from codex/supersede-905-all-builds-validation
Mar 11, 2026

Conversation

Member

@justin808 justin808 commented Feb 15, 2026

Supersedes #905. Closes #782.

Summary

Validation

  • yarn test test/package/configExporter.test.js

Note

Medium Risk
Touches release automation, installer conflict handling, and process execution/manifest logic; while well-tested, these paths are user-facing and can impact publishing and developer workflows if edge cases are missed.

Overview
This release bumps Shakapacker to v9.6.0, stamps a new CHANGELOG.md section, and updates release documentation to make changelog-first releases the default (including correct prerelease header formats).

Release automation is significantly expanded in rakelib/release.rake: create_release can now infer the target version from CHANGELOG.md, performs stricter version/tag policy validation (with an explicit override), runs dry runs in a temporary git worktree, refreshes dummy app lockfiles, and automatically creates/updates the matching GitHub release via gh.

Installer behavior is hardened and made more CI-friendly: adds SKIP=true mode (and unified truthy parsing) to preserve existing files, fixes transpiler config updates and Babel-only installs, and ensures package.json retains the exact shakapacker dependency source/version requested. Dev server defaults no longer ship permissive CORS headers (users must opt in), entrypoint discovery now ignores dotfiles, and manifest handling/error messages are improved (including avoiding ENOENT for webpack-assets-manifest merge mode).

Node/package-facing improvements include new bundler-agnostic exports (getBundler, getCssExtractPlugin*, get*Plugin, isWebpack/isRspack) with typings/docs, extra validation in config exporter all-builds mode, and routing log output to stderr when --json is requested to keep stdout valid JSON. CI/workflows are updated for Claude tooling permissions/tooling, and dependency constraints are updated (e.g., allow compression-webpack-plugin v12).

Written by Cursor Bugbot for commit d8b6e9f.

Summary by CodeRabbit

  • Bug Fixes

    • Enforced YAML when using annotations with build exports.
    • Added security checks to prevent path traversal in export save paths.
  • Tests

    • Added tests covering annotation format validation and path traversal rejection.
  • Documentation

    • Reflowed and aligned tables in the Node package API docs.
  • Chores

    • Added a GitHub authentication preflight for releases and updated workflow checkout step.


coderabbitai bot commented Feb 15, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 1985635 and fe15136.

📒 Files selected for processing (6)
  • .github/workflows/claude-code-review.yml
  • docs/node_package_api.md
  • lib/shakapacker/runner.rb
  • package/configExporter/cli.ts
  • rakelib/release.rake
  • test/package/configExporter.test.js
✅ Files skipped from review due to trivial changes (2)
  • lib/shakapacker/runner.rb
  • docs/node_package_api.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • package/configExporter/cli.ts
  • test/package/configExporter.test.js
  • rakelib/release.rake

Walkthrough

Adds runtime validations to the config exporter CLI (save-dir path safety and annotate+format compatibility), adds tests for those validations, inserts a GitHub auth check into the release preflight, reformats a docs table, and updates a CI checkout version and a small comment in runner.rb.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation Formatting (docs/node_package_api.md) | Reflowed and realigned the Webpack/Rspack exports table; removed a trailing blank line. |
| CLI Validations (package/configExporter/cli.ts) | In runAllBuildsCommand added safeResolvePath(appRoot, resolvedOptions.saveDir) path-safety check and enforced that --annotate requires YAML format (throws on violation). |
| CLI Tests (test/package/configExporter.test.js) | Added two tests: reject --all-builds with --annotate + non-YAML --format, and reject --all-builds when --save-dir attempts path traversal. |
| Release Preflight (rakelib/release.rake) | Inserted verify_gh_auth(gem_root: gem_root) into perform_release preflight flow after NPM auth verification. |
| CI Workflow (.github/workflows/claude-code-review.yml) | Changed actions/checkout usage from @v6 to @v4 (fetch-depth remains 1). |
| Runner Comment (lib/shakapacker/runner.rb) | Added clarifying comment in TERM signal trap else-branch; no behavioral change. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hopped through code with careful paws,
Checked each path and fixed the flaws.
YAML whispers, "Annotate true,"
Guards at the gates keep trespass from view.
Tests now hop along in tune—hooray, safe soon!

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ⚠️ Warning | The PR includes several out-of-scope changes unrelated to issue #782: version bumps, CHANGELOG updates, release automation (rakelib/release.rake), GitHub workflow version changes, installer hardening, and shell script comments. These extend far beyond the linked issue objectives. | Separate the core validation fixes for issue #782 (cli.ts, configExporter.test.js) from the broader release automation, installer, and workflow changes into dedicated PRs for clearer scope and review focus. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title references issue #905 which is being superseded, and mentions 'all-builds validation fix' which directly relates to the main changes in linked issue #782 (path and format validation for runAllBuildsCommand). However, it also mentions 'lint unblock' which is not clearly substantiated by the provided context. The title partially matches the core changes but includes 'lint unblock' without clear corresponding changes in the diff. | Consider clarifying whether this refers to the .prettierignore mention or provide more detail. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Linked Issues check | ✅ Passed | The PR implements the two primary Medium/Low priority objectives from issue #782: safeResolvePath validation for saveDir (cli.ts) and annotate/format compatibility check (cli.ts), with corresponding test coverage (configExporter.test.js). The lower-priority testability improvement (#3) appears partially addressed. |


Contributor

greptile-apps bot commented Feb 15, 2026

Greptile Summary

This PR adds missing security and input validation to runAllBuildsCommand() in the config exporter CLI, bringing it to parity with the run() function's existing validations. It also unblocks the Node linter by adding Claude workflow files to .prettierignore.

  • Adds safeResolvePath() validation for --save-dir in --all-builds mode, preventing path traversal attacks that were already guarded against in other code paths
  • Adds annotate/format combination validation in --all-builds mode, ensuring --annotate is only used with YAML format (matching run() behavior)
  • Adds two new integration tests exercising these validations end-to-end through run()
  • Adds .github/workflows/claude.yml and .github/workflows/claude-code-review.yml to .prettierignore to prevent lint failures from unformattable workflow files

Confidence Score: 5/5

  • This PR is safe to merge — it adds missing validation guards and tests with no behavioral changes to existing code paths.
  • The changes are minimal, well-scoped, and purely additive. The two new validation checks in runAllBuildsCommand() are exact copies of existing, proven validation logic in run(). Both new tests exercise the end-to-end flow and correctly verify error handling. The .prettierignore change is a harmless CI unblock. No existing behavior is modified.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package/configExporter/cli.ts | Adds save-dir path traversal validation and annotate/format combination validation to runAllBuildsCommand(), mirroring existing checks in run(). Clean, minimal change. |
| test/package/configExporter.test.js | Adds two integration tests verifying annotate+format and path traversal validations work end-to-end through run() with --all-builds. Tests properly mock console.error and check return codes. |
| .prettierignore | Adds Claude workflow YAML files to prettierignore to prevent lint failures from unmodifiable workflow formatting. |

Flowchart

```mermaid
flowchart TD
    A["run(args)"] --> B["parseArguments(args)"]
    B --> C{options.allBuilds?}
    C -->|Yes| D["runAllBuildsCommand(options)"]
    C -->|No| E["Continue to other handlers"]

    D --> F["findAppRoot() + setupNodePath()"]
    F --> G["applyDefaults(options)"]
    G --> H{"saveDir set?"}
    H -->|Yes| I["safeResolvePath(appRoot, saveDir)"]
    H -->|No| J{"annotate && format != yaml?"}
    I -->|Path outside root| K["Throw: Path traversal detected"]
    I -->|Valid| J
    J -->|Yes| L["Throw: Annotation requires YAML"]
    J -->|No| M["Load config + export builds"]

    K --> N["catch: console.error + return 1"]
    L --> N

    style I fill:#e6f3ff,stroke:#0066cc
    style J fill:#e6f3ff,stroke:#0066cc
    style K fill:#ffe6e6,stroke:#cc0000
    style L fill:#ffe6e6,stroke:#cc0000
```

Last reviewed commit: ebcfd0b
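The validation flow in the flowchart above, as an added TypeScript example that is not the project's own code: safeResolvePath here is a hypothetical stand-in for the function in the project's pathValidation.ts (the real implementation may differ), the AllBuildsOptions type is constructed for the example, and the error messages follow the ones quoted in this thread. It shows the root-containment check that rejects `../x`, `/etc/x` and `exports/../../x` while still accepting a directory whose name merely starts with two dots, plus the annotate/format parity check and the catch-and-return-1 wrapper.

```typescript
import * as path from "path"

// Constructed subset of the CLI options that matter for the --all-builds
// validation path (the real option type has many more fields).
export interface AllBuildsOptions {
  saveDir?: string
  annotate: boolean
  format: "yaml" | "json" | "js"
}

// Hypothetical stand-in for the project's safeResolvePath() in pathValidation.ts.
// Resolves `target` against `root` and throws when the result leaves `root`.
// Comparing the *relative* path avoids the classic prefix bug where "/app-evil"
// would pass a startsWith("/app") check.
export function safeResolvePath(root: string, target: string): string {
  const resolvedRoot = path.resolve(root)
  const resolved = path.resolve(resolvedRoot, target)
  const relative = path.relative(resolvedRoot, resolved)
  const escapesRoot =
    relative === ".." ||
    relative.startsWith(`..${path.sep}`) ||
    path.isAbsolute(relative) // different drive on Windows
  if (escapesRoot) {
    throw new Error(`Path traversal detected: "${target}" resolves outside "${resolvedRoot}"`)
  }
  return resolved
}

// The two checks this PR adds to runAllBuildsCommand(), in the order the
// flowchart shows them. safeResolvePath's return value is discarded on purpose:
// only its throw-on-unsafe behaviour is wanted here.
export function validateAllBuildsOptions(appRoot: string, options: AllBuildsOptions): void {
  if (options.saveDir !== undefined) {
    safeResolvePath(appRoot, options.saveDir)
  }
  if (options.annotate && options.format !== "yaml") {
    throw new Error("Annotation requires YAML format. Use --no-annotate or --format=yaml.")
  }
}

// Mirrors the CLI's catch block: log the message and return exit code 1
// instead of letting the error propagate.
export function runAllBuildsValidation(appRoot: string, options: AllBuildsOptions): number {
  try {
    validateAllBuildsOptions(appRoot, options)
    return 0
  } catch (err) {
    console.error((err as Error).message)
    return 1
  }
}
```

The relative-path comparison is the part worth copying: resolving both sides and then asking whether the relative path climbs out (`..` or `../...`) is robust against symlink-free traversal tricks such as `exports/../../x` and against sibling-prefix collisions, which a plain string prefix check is not.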

@justin808 justin808 force-pushed the codex/supersede-905-all-builds-validation branch from ebcfd0b to f10e908 Compare February 15, 2026 22:17
@justin808 justin808 added labels codex (Created by Codex), next-release (Targeting next release), p3 (Low: nice-to-haves, long-term roadmap, minor improvements), p2 (Medium: enhancements, docs, quality improvements), enhancement, javascript (Pull requests that update Javascript code) and removed p3 (Low: nice-to-haves, long-term roadmap, minor improvements) on Feb 27, 2026
Member Author

@claude review this PR

@justin808 justin808 added label defer (Valid but deferred; not in current release scope) and removed next-release (Targeting next release) on Mar 5, 2026
Contributor

claude bot commented Mar 8, 2026

Code Review

Overall this is a well-structured PR. SIGTERM forwarding in Runner, the manifest LoadResult struct, the new bundler utility functions, and the security-safe CORS defaults are all solid improvements. The release automation expansion is substantial and generally well-done. A few issues to address:

Bug: actions/checkout@v6 does not exist. The latest stable is v4. This will break the Claude Code Review workflow on every PR. Should be reverted to @v4.

Bug: spec/dummy/package-lock.json has a yalc artifact committed. The lockfile contains a .yalc/shakapacker entry at version 9.6.0-rc.3, which is a local development artifact from yalc package linking. Only registry-published packages should appear in a committed lockfile.

Release automation: GitHub auth not checked during preflight. verify_gh_auth is only called inside sync_github_release_after_publish, which runs after both npm and RubyGems OTP prompts. A missing or misconfigured gh token is only discovered at the very end of a multi-minute interactive flow. Adding verify_gh_auth(gem_root: gem_root) to the existing unless dry_run preflight block alongside verify_npm_auth would surface this upfront.

Minor: SIGTERM race in Runner. Between trap(TERM) being installed and child_pid = spawn(...) returning, there is a narrow window where an incoming SIGTERM finds child_pid nil and raises SignalException instead of forwarding to the child. The window is tiny and the nil initialisation partially mitigates it, but a comment explaining the intent would help.

Minor: safeResolvePath result discarded in runAllBuildsCommand. The call is used only for its throw-on-invalid side effect. A brief inline comment clarifying this is intentional (not a no-op) would help future readers.

Nit: CHANGELOG beta-to-stable rename mixed into this PR. v9.3.4-beta.0 is renamed to v9.3.4 here. Per CLAUDE.md this kind of cleanup is better in its own PR.

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
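Review bot: both the old and the new `uses:` line reference actions/checkout by a mutable major-version tag; whichever tag is settled on, consider pinning the workflow to the full commit SHA of that release (`uses: actions/checkout@<sha> # vN`) so that a moved or re-pointed tag cannot change what runs in the review workflow, and confirm the chosen tag on the action's releases page before merging rather than relying on memory.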

Bug: actions/checkout@v6 does not exist. The latest stable release is v4. Using @v6 here will cause the workflow to fail on every PR it runs on.

Suggested change
uses: actions/checkout@v6
uses: actions/checkout@v4

puts "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
puts "PRE-FLIGHT CHECKS"
puts "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
verify_npm_auth

Consider adding verify_gh_auth(gem_root: gem_root) here alongside verify_npm_auth. Currently GitHub auth is checked inside sync_github_release_after_publish, which runs after the npm and RubyGems OTP prompts. A missing or misconfigured gh token is only discovered at the very end of a multi-minute interactive flow, forcing the maintainer to run sync_github_release manually.

Suggested change
verify_npm_auth
verify_npm_auth
verify_gh_auth(gem_root: gem_root)

},
".yalc/shakapacker": {
"version": "9.5.0",
"version": "9.6.0-rc.3",

Bug: yalc development artifact in committed lockfile. The .yalc/shakapacker entry at 9.6.0-rc.3 is a local dev artifact produced by yalc for local package-link testing. It should not be committed — the lockfile should only reference registry-published packages. This entry will cause incorrect dependency resolution for anyone running npm install from the repo.

Dir.chdir(@app_path) do
system(env, *cmd)
child_pid = nil
trap("TERM") do
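Review bot: `trap("TERM")` here replaces the process-wide TERM handler for the rest of the runner's lifetime, not just while the child runs; `Kernel#trap` returns the previous handler, so capture it (`previous = trap("TERM") do ... end`) and restore it in an `ensure` once the child has been waited on, otherwise a TERM arriving after the child exits would still try to forward to a pid that no longer exists.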

There is a narrow race window here: the TERM trap is installed before child_pid is assigned, so a signal arriving between trap and the spawn return would hit the else branch and raise SignalException. child_pid is already initialised to nil, so the handler is logically correct once spawn completes — but it may be worth a comment explaining that the else path is the legitimate pre-spawn case, not an error state, to prevent someone later from removing the raise thinking it's unreachable.


// Validate paths for security in all-builds mode
if (resolvedOptions.saveDir) {
safeResolvePath(appRoot, resolvedOptions.saveDir)

The return value of safeResolvePath is intentionally discarded here — it is called only to validate the path and throw on directory traversal, consistent with the same pattern in run(). A short comment would prevent future readers from treating this as dead code:

Suggested change
safeResolvePath(appRoot, resolvedOptions.saveDir)
// Validates for path traversal; throws on unsafe paths. Return value intentionally discarded.
safeResolvePath(appRoot, resolvedOptions.saveDir)

const resolvedOptions = applyDefaults(options)

// Validate paths for security in all-builds mode
if (resolvedOptions.saveDir) {

Nit: This if guard is always true in --all-builds mode. applyDefaults() unconditionally sets saveDir to DEFAULT_EXPORT_DIR whenever neither --stdout nor --output is present (lines ~450-456), and --all-builds never sets either of those flags.

The validation is still correct and harmless, but it reads as though saveDir might be absent here when it can't be. Either drop the guard and validate unconditionally, or add a comment clarifying that applyDefaults ensures it's always set — consistent with how the same // Set by applyDefaults comment is used on targetDir below.

Contributor

claude bot commented Mar 10, 2026

Review

The core fix is correct and well-targeted. run() routes to runAllBuildsCommand() before reaching its own validation block (lines 111-125), so --all-builds was silently skipping both the path-traversal check and the annotate/format parity check. Adding those validations directly inside runAllBuildsCommand() is the right approach.

Specific observations:

  • if (resolvedOptions.saveDir) guard is always true — see inline comment on cli.ts:716. After applyDefaults(), saveDir is guaranteed to be set in --all-builds mode. Not a bug, but the guard implies it might be absent.

  • release.rake — Adding verify_gh_auth to the perform_release pre-flight checks alongside verify_npm_auth is a sensible improvement. It surfaces a missing GitHub auth early rather than failing mid-release.

  • Tests — Good coverage for both new validations. The tests correctly mock console.error and check the right exit code. One minor style note: the mockConsoleError setup/teardown pattern is repeated identically in both new tests; the existing test suite's describe blocks might be a natural place for a shared beforeEach/afterEach if more tests of this shape are added, but it's fine as-is for two cases.

  • docs/node_package_api.md — Pure cosmetic table alignment, no concerns.

Overall this is a clean, focused fix. The redundant guard is the only thing worth tidying before merge.

Contributor

claude bot commented Mar 10, 2026

Review: All-Builds Validation Fix

The core logic is sound - adding path-traversal and annotate/format validation to runAllBuildsCommand is the right fix, and the tests cover the new error paths well.

Two issues worth addressing:

1. Missing await on runAllBuildsCommand (cli.ts line 100)

runAllBuildsCommand is async, so returning it unawaited means run()'s surrounding try/catch won't intercept any rejection that escapes runAllBuildsCommand's own catch block. Currently saveBuildEnvironmentVariables() is called before the try block in runAllBuildsCommand (line 704), so a throw there would produce a rejected Promise that bypasses run()'s error handler entirely. Compare with how runValidateCommand is handled on line 95 - it's correctly awaited.

Fix: return await runAllBuildsCommand(options)

2. Noisy / inconsistent comment (cli.ts line 717)

The // Validates for path traversal; throws on unsafe paths. Return value intentionally discarded. comment appears on the safeResolvePath call in runAllBuildsCommand, but the identical call pattern in run() (lines 114, 117) has no such comment. The throw-on-unsafe contract is already documented on the function itself in pathValidation.ts. This comment adds noise without adding clarity.


Everything else looks good: the verify_gh_auth pre-flight addition in release.rake is a sensible improvement (fail early rather than during GH release creation), the doc table reformatting is harmless, and the Gemfile.lock version bump is expected.
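The missing-await problem from item 1 above, as an added example that is not taken from the project: a constructed stand-in for runAllBuildsCommand() that throws before reaching its own try/catch (the situation the review describes for saveBuildEnvironmentVariables()), and two run()-style wrappers, one returning the promise unawaited and one using `return await`, so the difference in where the rejection lands can be observed. All names here are hypothetical.

```typescript
// Constructed stand-in for runAllBuildsCommand(): async, with a failure point
// that sits *outside* its internal try/catch, exactly the case where the
// caller's handling matters.
async function runAllBuildsCommandStub(failBeforeTry: boolean): Promise<number> {
  if (failBeforeTry) {
    throw new Error("saveBuildEnvironmentVariables failed") // not covered by the try below
  }
  try {
    return 0 // stand-in for "load config + export builds"
  } catch (err) {
    console.error((err as Error).message)
    return 1
  }
}

// Variant A: `return runAllBuildsCommand(...)` without await.
// The promise is handed back through the try block while still pending, so a
// later rejection is never seen by this catch; the caller gets a rejected promise.
export async function runWithoutAwait(failBeforeTry: boolean): Promise<number> {
  try {
    return runAllBuildsCommandStub(failBeforeTry)
  } catch (err) {
    console.error("caught in run():", (err as Error).message)
    return 1
  }
}

// Variant B: `return await ...`.
// The rejection is materialised inside the try, so the catch turns it into
// the documented exit code instead of an unhandled rejection.
export async function runWithAwait(failBeforeTry: boolean): Promise<number> {
  try {
    return await runAllBuildsCommandStub(failBeforeTry)
  } catch (err) {
    console.error("caught in run():", (err as Error).message)
    return 1
  }
}

// Reports whether a run() variant settled with an exit code or escaped as a
// rejection, which is what a CLI entry point would have to deal with.
export async function outcome(
  runner: (failBeforeTry: boolean) => Promise<number>,
  failBeforeTry: boolean
): Promise<string> {
  try {
    return `exit ${await runner(failBeforeTry)}`
  } catch (err) {
    return `rejected: ${(err as Error).message}`
  }
}
```

Run both variants with `failBeforeTry = true`: the unawaited version yields `rejected: saveBuildEnvironmentVariables failed`, the awaited one yields `exit 1`. For a CLI that is the difference between a clean non-zero exit with a logged message and Node's unhandled-rejection crash with a stack trace.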


// Validate paths for security in all-builds mode
if (resolvedOptions.saveDir) {
// Validates for path traversal; throws on unsafe paths. Return value intentionally discarded.

This comment is unnecessary and inconsistent — the identical safeResolvePath calls in run() (lines 114 and 117) have no such annotation. The function's own JSDoc in pathValidation.ts already documents that it throws on unsafe paths. Consider removing the comment to match the established pattern.

Suggested change
// Validates for path traversal; throws on unsafe paths. Return value intentionally discarded.
safeResolvePath(appRoot, resolvedOptions.saveDir)

justin808 and others added 6 commits March 9, 2026 17:12
## Summary
- updates `spec/dummy/Gemfile.lock` so the local path gem is locked at
stable `shakapacker 9.6.0` instead of `9.6.0.rc.3`
- keeps the Bundler/Ruby support-policy discussion out of `9.x`; that
broader work is tracked in #960 for `10.0.0`

## Test plan
- [ ] CI passes
- [ ] Lockfile-only diff reviewed

## Notes
- no application code changes
- no Bundler baseline change in this PR

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add clarifying comment for intentionally discarded safeResolvePath return value
- Add verify_gh_auth to pre-flight checks to fail fast before OTP prompts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@justin808 justin808 force-pushed the codex/supersede-905-all-builds-validation branch from b05bb10 to 8fa03fb Compare March 10, 2026 03:12
Contributor

claude bot commented Mar 10, 2026

Code Review: The fix is correct. run() early-returns into runAllBuildsCommand() before validations run, so --all-builds silently skipped path-traversal and annotate+format checks. The fix is right.

Key observations:

1. Duplicate validation in run() lines 111-125 and runAllBuildsCommand() lines 715-726 - a cross-reference comment would help.
2. output path not validated in runAllBuildsCommand - fine since --all-builds skips --output, but a comment explaining why would help.
3. safeResolvePath called for side effect only - comment is adequate.
4. Tests look good.
5. .prettierignore has Temporarily comment without a tracking issue - consider linking one.
6. verify_gh_auth pre-flight in release.rake is a good improvement.

Overall: bug is correctly fixed, tests added, scope is tight. Looks good to merge.

throw new Error(
"Annotation requires YAML format. Use --no-annotate or --format=yaml."
)
}

This validation block mirrors the one in run() (lines 121-125). Since run() early-exits to runAllBuildsCommand() before those lines execute, the duplication is necessary — but it creates a maintenance risk. A cross-reference comment (e.g. // Keep in sync with validation in run()) or a small shared helper would make the relationship explicit and reduce the chance of one copy drifting.

// Validate paths for security in all-builds mode
if (resolvedOptions.saveDir) {
// Validates for path traversal; throws on unsafe paths. Return value intentionally discarded.
safeResolvePath(appRoot, resolvedOptions.saveDir)

The run() path also validates resolvedOptions.output (line 113-114), but that is intentionally omitted here since --all-builds always writes to a directory and never uses --output. A short comment noting that omission would save the next reader a trip to run() to verify it was not overlooked.

- Fix actions/checkout@v6 to @v4 (v6 does not exist)
- Add clarifying comment about TERM trap race window in runner.rb
- Remove always-true saveDir guard in --all-builds mode, add comments
  explaining applyDefaults guarantee and --output omission
- Add cross-reference comment for duplicated validation block

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v4
Member Author


why?

Member Author


The original PR had actions/checkout@v6, which doesn't exist — the latest stable release is v4. This was flagged by the automated review and has been fixed to @v4.

@justin808 justin808 merged commit b259a0e into main Mar 11, 2026
59 of 60 checks passed
@justin808 justin808 deleted the codex/supersede-905-all-builds-validation branch March 11, 2026 08:32
justin808 added a commit that referenced this pull request Mar 16, 2026
Added entries for rspack v2 support (PR #975) and config exporter fixes (PR #914).
justin808 added a commit that referenced this pull request Mar 17, 2026
### Summary

Adds the v9.7.0 changelog section with release notes for all
user-visible changes since v9.6.1:

- **Added**: rspack v2 support (PR #975)
- **Fixed**: Config exporter path traversal and annotation format
validation (PR #914)
- **Fixed**: `webpack-subresource-integrity` v5 named export handling
(PR #978, fixes #972)

Version diff links at the bottom of the file are updated accordingly.

### Pull Request checklist

- [x] ~Add/update test to cover these changes~
- [x] ~Update documentation~
- [x] Update CHANGELOG file

### Other Information

Non-user-visible PRs (#920, #965, #970, #971, #977, #979, #981, #982)
were intentionally excluded per changelog policy.

---

> [!NOTE]
> **Low Risk**
> Documentation-only change updating `CHANGELOG.md`; no runtime code or
dependency changes are introduced in this PR.
> 
> **Overview**
> Adds a new `v9.7.0` section to `CHANGELOG.md` documenting user-visible
changes (rspack v2 support and two fixes around config export
security/validation and `webpack-subresource-integrity` v5 exports).
> 
> Updates the compare links at the bottom so `[Unreleased]` now compares
from `v9.7.0`, and adds the new `[v9.7.0]` tag link.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
8942a43. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>


## Summary by CodeRabbit

* **New Features**
  * Added rspack v2 support

* **Bug Fixes**
  * Improved security and validation handling


---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
justin808 added a commit that referenced this pull request Mar 18, 2026

Labels

codex (Created by Codex), defer (Valid but deferred; not in current release scope), enhancement, javascript (Pull requests that update Javascript code), p2 (Medium: enhancements, docs, quality improvements)


Development

Successfully merging this pull request may close these issues.

Improve runAllBuildsCommand consistency and testability

1 participant