From 891ecbd068c4ce649c37f4f8405cf46036283999 Mon Sep 17 00:00:00 2001 From: Justin Gordon Date: Sun, 5 Jul 2026 22:34:06 -1000 Subject: [PATCH 1/2] Update CHANGELOG.md and package version for 19.3.0-rc.0 --- CHANGELOG.md | 4 ++-- package.json | 2 +- tests/package-runtime-policy.test.ts | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0656c20..6c7b18d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ All notable changes to this package will be documented in this file. -## [Unreleased] +## [19.3.0-rc.0] - 2026-07-05 ### Added - Added RSC server resource hint helpers for preloading assets, styles, scripts, fonts, and images, plus preconnect and DNS-prefetch support for already-resolved production asset URLs. The default `react-on-rails-rsc/server` fallback keeps failing fast at import time without the `react-server` condition while still publishing the expanded type surface. ([#143]) @@ -65,7 +65,7 @@ All notable changes to this package will be documented in this file. ### Security - Updated the vendored `react-server-dom-webpack` runtime from React 19.0.3 to the React 19.0.7 security level, applying the React 19.0.4 fixes for CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779 plus the React 19.0.7 reply-decoding denial-of-service fixes for CVE-2026-23869 (GHSA-479c-33wc-g2pg) and CVE-2026-23870 (GHSA-rv78-f8rc-xrxh). Note: the upstream CVE-2026-23869 fix changes the reply wire format for nested `FormData`, so client and server must both run the patched runtime shipped by this package. ([#48]) ([#86]) -[Unreleased]: https://github.com/shakacode/react_on_rails_rsc/compare/19.2.0...HEAD +[19.3.0-rc.0]: https://github.com/shakacode/react_on_rails_rsc/compare/19.2.0...19.3.0-rc.0 [19.2.0]: https://github.com/shakacode/react_on_rails_rsc/compare/19.0.5...19.2.0 [19.0.5]: https://github.com/shakacode/react_on_rails_rsc/compare/19.0.4...19.0.5 diff --git a/package.json b/package.json index e46cce8..f9ced79 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "react-on-rails-rsc", - "version": "19.2.0", + "version": "19.3.0-rc.0", "description": "React Server Components support for react_on_rails Ruby gem", "exports": { "./client": { diff --git a/tests/package-runtime-policy.test.ts b/tests/package-runtime-policy.test.ts index c114ce7..e79ece4 100644 --- a/tests/package-runtime-policy.test.ts +++ b/tests/package-runtime-policy.test.ts @@ -30,15 +30,15 @@ const collectExportTargets = (value: unknown): string[] => { }; describe('19.2 runtime release policy', () => { - it('stamps the package and changelog for the 19.2.0 release line', () => { + it('stamps the package and changelog for the 19.3.0 release line', () => { const pkg = readJson('package.json'); const changelog = fs.readFileSync(path.join(repoRoot, 'CHANGELOG.md'), 'utf8'); // Derive the expected version from package.json so a version bump doesn't - // require editing this test (a hard-coded version here previously blocked - // the rc.3 release). Still pins the 19.2.0 release line and requires the + // require editing this test between RC and final stamps. Still pins the + // current package release line and requires the // CHANGELOG's top entry to match the package version exactly. - expect(pkg.version).toMatch(/^19\.2\.0(?:-rc\.\d+)?$/); + expect(pkg.version).toMatch(/^19\.3\.0(?:-rc\.\d+)?$/); const topChangelogVersion = changelog.match(/^## \[([^\]]+)\] - \d{4}-\d{2}-\d{2}$/m)?.[1]; expect(topChangelogVersion).toBe(pkg.version); }); From 2ef5043fa1d0d923fe4c92e9570edef38ad2477e Mon Sep 17 00:00:00 2001 From: Justin Gordon Date: Sun, 5 Jul 2026 22:43:23 -1000 Subject: [PATCH 2/2] Keep release candidate on React 19.2 package line --- CHANGELOG.md | 4 ++-- package.json | 2 +- tests/package-runtime-policy.test.ts | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c7b18d..9119210 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ All notable changes to this package will be documented in this file. -## [19.3.0-rc.0] - 2026-07-05 +## [19.2.1-rc.0] - 2026-07-05 ### Added - Added RSC server resource hint helpers for preloading assets, styles, scripts, fonts, and images, plus preconnect and DNS-prefetch support for already-resolved production asset URLs. The default `react-on-rails-rsc/server` fallback keeps failing fast at import time without the `react-server` condition while still publishing the expanded type surface. ([#143]) @@ -65,7 +65,7 @@ All notable changes to this package will be documented in this file. ### Security - Updated the vendored `react-server-dom-webpack` runtime from React 19.0.3 to the React 19.0.7 security level, applying the React 19.0.4 fixes for CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779 plus the React 19.0.7 reply-decoding denial-of-service fixes for CVE-2026-23869 (GHSA-479c-33wc-g2pg) and CVE-2026-23870 (GHSA-rv78-f8rc-xrxh). Note: the upstream CVE-2026-23869 fix changes the reply wire format for nested `FormData`, so client and server must both run the patched runtime shipped by this package. ([#48]) ([#86]) -[19.3.0-rc.0]: https://github.com/shakacode/react_on_rails_rsc/compare/19.2.0...19.3.0-rc.0 +[19.2.1-rc.0]: https://github.com/shakacode/react_on_rails_rsc/compare/19.2.0...19.2.1-rc.0 [19.2.0]: https://github.com/shakacode/react_on_rails_rsc/compare/19.0.5...19.2.0 [19.0.5]: https://github.com/shakacode/react_on_rails_rsc/compare/19.0.4...19.0.5 diff --git a/package.json b/package.json index f9ced79..701ff31 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "react-on-rails-rsc", - "version": "19.3.0-rc.0", + "version": "19.2.1-rc.0", "description": "React Server Components support for react_on_rails Ruby gem", "exports": { "./client": { diff --git a/tests/package-runtime-policy.test.ts b/tests/package-runtime-policy.test.ts index e79ece4..00b004c 100644 --- a/tests/package-runtime-policy.test.ts +++ b/tests/package-runtime-policy.test.ts @@ -30,7 +30,7 @@ const collectExportTargets = (value: unknown): string[] => { }; describe('19.2 runtime release policy', () => { - it('stamps the package and changelog for the 19.3.0 release line', () => { + it('stamps the package and changelog for the 19.2.1 release line', () => { const pkg = readJson('package.json'); const changelog = fs.readFileSync(path.join(repoRoot, 'CHANGELOG.md'), 'utf8'); @@ -38,7 +38,7 @@ describe('19.2 runtime release policy', () => { // require editing this test between RC and final stamps. Still pins the // current package release line and requires the // CHANGELOG's top entry to match the package version exactly. - expect(pkg.version).toMatch(/^19\.3\.0(?:-rc\.\d+)?$/); + expect(pkg.version).toMatch(/^19\.2\.1(?:-rc\.\d+)?$/); const topChangelogVersion = changelog.match(/^## \[([^\]]+)\] - \d{4}-\d{2}-\d{2}$/m)?.[1]; expect(topChangelogVersion).toBe(pkg.version); });