Security and code quality improvements

Addresses security issues and optimizations identified in code review:

Security Fixes:
- Fix command injection risk in precompile hook by using IO.popen with array
  form instead of backticks (spec/dummy/bin/shakapacker-precompile-hook:76)
- Improve regex patterns to exclude commented configuration lines using
  negative lookahead to prevent false matches

Code Quality:
- Optimize webpack configuration to process rules in single pass instead of
  double iteration, improving build performance
- Combine SCSS loader addition and CSS Modules configuration into one loop

Documentation:
- Add comprehensive CHANGELOG.md entry documenting Shakapacker 9.0.0 upgrade
  including configuration changes, precompile hook, and compatibility notes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: justin808

CHANGELOG.md

@@ -31,6 +31,15 @@ Changes since the last non-beta release.
 
 - **Improved RSC Payload Error Handling**: Errors that happen during generation of RSC payload are transferred properly to rails side and logs the error message and stack. [PR #1888](https://github.com/shakacode/react_on_rails/pull/1888) by [AbanoubGhadban](https://github.com/AbanoubGhadban).
 
+#### Changed
+
+- **Shakapacker 9.0.0 Upgrade**: Upgraded Shakapacker from 8.2.0 to 9.0.0 with Babel transpiler configuration for compatibility. Key changes include:
+  - Configured `javascript_transpiler: babel` in shakapacker.yml (Shakapacker 9.0 defaults to SWC which has PropTypes handling issues)
+  - Added precompile hook support via `bin/shakapacker-precompile-hook` for ReScript builds and pack generation
+  - Configured CSS Modules to use default exports (`namedExport: false`) for backward compatibility with existing `import styles from` syntax
+  - Fixed webpack configuration to process SCSS rules and CSS loaders in a single pass for better performance
+    [PR 1904](https://github.com/shakacode/react_on_rails/pull/1904) by [justin808](https://github.com/justin808).
+
 #### Bug Fixes
 
 - **Use as Git dependency**: All packages can now be installed as Git dependencies. This is useful for development and testing purposes. See [CONTRIBUTING.md](./CONTRIBUTING.md#git-dependencies) for documentation. [PR #1873](https://github.com/shakacode/react_on_rails/pull/1873) by [alexeyr-ci2](https://github.com/alexeyr-ci2).

spec/dummy/bin/shakapacker-precompile-hook

@@ -61,8 +61,9 @@ def generate_packs_if_needed
 
   # Check if auto-pack generation is configured (match actual config assignments, not comments)
   config_file = File.read(initializer_path)
-  has_auto_load = config_file =~ /^\s*config\.auto_load_bundle\s*=/
-  has_components_subdir = config_file =~ /^\s*config\.components_subdirectory\s*=/
+  # Match uncommented configuration lines only (lines not starting with #)
+  has_auto_load = config_file =~ /^\s*(?!#).*config\.auto_load_bundle\s*=/
+  has_components_subdir = config_file =~ /^\s*(?!#).*config\.components_subdirectory\s*=/
   return unless has_auto_load || has_components_subdir
 
   puts "📦 Generating React on Rails packs..."
@@ -71,8 +72,8 @@ def generate_packs_if_needed
   bundle_available = system("bundle", "--version", out: File::NULL, err: File::NULL)
   return unless bundle_available
 
-  # Check if rake task exists (cross-platform)
-  task_list = `bundle exec rails -T 2>&1`
+  # Check if rake task exists (use array form for security)
+  task_list = IO.popen(["bundle", "exec", "rails", "-T"], err: [:child, :out], &:read)
   return unless task_list.include?("react_on_rails:generate_packs")
 
   # Use array form for better cross-platform support

spec/dummy/config/webpack/commonWebpackConfig.js

@@ -21,18 +21,17 @@ const sassLoaderConfig = {
   },
 };
 
-// Add sass-resources-loader to all SCSS rules (both .scss and .module.scss)
-baseClientWebpackConfig.module.rules.forEach((rule) => {
-  if (rule.test && '.scss'.match(rule.test) && Array.isArray(rule.use)) {
-    rule.use.push(sassLoaderConfig);
-  }
-});
-
-// Configure CSS Modules to use default exports (Shakapacker 9.0 compatibility)
-// Shakapacker 9.0 defaults to namedExport: true, but we use default imports
-// To restore backward compatibility with existing code using `import styles from`
+// Process webpack rules in single pass for efficiency
 baseClientWebpackConfig.module.rules.forEach((rule) => {
   if (Array.isArray(rule.use)) {
+    // Add sass-resources-loader to all SCSS rules (both .scss and .module.scss)
+    if (rule.test && '.scss'.match(rule.test)) {
+      rule.use.push(sassLoaderConfig);
+    }
+
+    // Configure CSS Modules to use default exports (Shakapacker 9.0 compatibility)
+    // Shakapacker 9.0 defaults to namedExport: true, but we use default imports
+    // To restore backward compatibility with existing code using `import styles from`
     rule.use.forEach((loader) => {
       if (
         loader &&