Conversation

@alexeyr-ci2 alexeyr-ci2 commented Nov 30, 2025

Summary

Security alerts are now enabled; configure Dependabot to only do security upgrades (for now at least).

Pull Request checklist

  • Add/update test to cover these changes
  • Update documentation
  • Update CHANGELOG file

Summary by CodeRabbit

  • Chores
    • Enabled automated dependency management with weekly, security-only updates and grouped scanning per ecosystem
    • Expanded merger and operational documentation with configuration guidance, risk mitigation, rollback procedures, license compliance checks, and CI/governance workflow updates

coderabbitai bot commented Nov 30, 2025

Walkthrough

Adds a new Dependabot v2 configuration that schedules weekly, security-only updates for npm/pnpm, bundler (two gem dirs), and GitHub Actions with a 3-day cooldown; expands MONOREPO_MERGER_PLAN.md with Dependabot guidance, configuration mapping, risk/rollback procedures, CI/license integration samples, and workflow instructions.

Changes

Cohort / File(s): Dependabot configuration (/.github/dependabot.yml)
Summary: New Dependabot v2 YAML: weekly schedules for root npm workspace, bundler in /react_on_rails and /react_on_rails_pro, and github-actions; open-pull-requests-limit set to 0 (security-only), cooldown/default-days = 3, grouped by ecosystem (security update groups).

Cohort / File(s): Merger plan documentation (docs/MONOREPO_MERGER_PLAN.md)
Summary: Expanded plan with a "Configuration Files" section, Dependabot current/final YAML examples and update triggers, risk phases and rollback steps, CI/tooling excludes, license-compliance guidance and hooks, and concrete pre/post move configuration samples.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Validate .github/dependabot.yml syntax and that directories/ecosystem entries match repo layout
  • Confirm documentation examples/snippets reflect the final Dependabot/YAML structure

Suggested reviewers

  • Judahmeek
  • AbanoubGhadban

Poem

🐰 I hopped through YAML lines tonight,

grouped updates snug and tidy, light,
weekly watches, security bright,
docs aligned — the merge feels right,
carrots for CI, a celebratory bite 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Configure Dependabot' directly and clearly summarizes the main change: adding a Dependabot configuration file to enable security-focused dependency updates across multiple ecosystems.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@alexeyr-ci2 alexeyr-ci2 force-pushed the alexeyr/configure-dependabot branch from a164dbd to 164f41b Compare November 30, 2025 12:59
claude bot commented Nov 30, 2025

Code Review: Dependabot Configuration

I've reviewed PR #2147 and found several issues that need to be addressed before merging.


🚨 Critical Issues

1. Invalid Directory Reference: /spec/react_on_rails/dummy-for-generators

Issue: Line 28 references a directory that doesn't exist in the repository.

# Line 28 - INCORRECT
- package-ecosystem: "npm"
  directory: "/spec/react_on_rails/dummy-for-generators"

Evidence:

$ find . -path "*/spec/react_on_rails/dummy-for-generators" -type d
# No results - directory does not exist

Impact: Dependabot will fail to process this configuration entry, logging errors in the security tab.

Recommendation: Remove this entire update entry (lines 26-37) unless this directory is planned to be added soon. If it's part of future work, document this in a TODO comment.


2. Invalid minimum-release-age Value

Issue: The minimum-release-age field expects days as an integer, not just a number (lines 19, 32, 45, 58, 71).

Current (INCORRECT):

minimum-release-age: 3

Should be:

# Option 1: Specify unit explicitly (GitHub's recommendation)
versioning-strategy: increase

# OR Option 2: Remove entirely if not needed
# (3 days is not a standard Dependabot feature - this may be ignored)

According to GitHub Dependabot documentation:

  • There is NO minimum-release-age field in the official Dependabot configuration schema
  • This appears to be a misunderstanding of Dependabot's capabilities
  • Dependabot does not have built-in functionality to wait for packages to "mature" before updating

Impact: This field will be silently ignored by Dependabot. If the intent is to avoid newly published packages that might be unpublished (npm's 72-hour unpublish window), this configuration does NOT achieve that goal.

Recommendation: Remove all minimum-release-age lines unless you can provide documentation that this is a valid field. If waiting for package maturity is truly required, this needs to be handled via external tooling, not Dependabot.


⚠️ Configuration Validation Issues

3. Duplicate Group Names Across Ecosystems

Issue: Using the same group name npm-security for both root and dummy-for-generators directories (lines 21 and 34).

Current:

# Root workspace
groups:
  npm-security:  # Used here
    applies-to: security-updates

# Dummy app  
groups:
  npm-security:  # And again here
    applies-to: security-updates

Impact: While this might work, it's unclear if Dependabot will merge these or treat them separately. Best practice is unique group names per update entry.

Recommendation:

# Root workspace
groups:
  npm-security-root:
    applies-to: security-updates

# Dummy app (if kept)
groups:
  npm-security-dummy:
    applies-to: security-updates

📋 Best Practices & Suggestions

4. Unclear Purpose of open-pull-requests-limit: 0 with Security Updates

Current behavior:

  • open-pull-requests-limit: 0 disables ALL version updates
  • But security updates are typically exempted from this limit by GitHub

Suggestion: Add a comment clarifying this behavior:

# Disable version update PRs - only security updates will be created
# Note: Security updates bypass the open-pull-requests-limit
open-pull-requests-limit: 0

This makes the intent crystal clear for future maintainers.


5. Missing Bundler Configuration Context

The comments mention these directories will change during Phase 6 of the monorepo merger, but there's no validation that the current paths are correct.

Recommendation: Verify these paths exist with lock files:

# Verify bundler directories
ls -la react_on_rails/Gemfile.lock
ls -la react_on_rails_pro/Gemfile.lock

Confirmed: ✅ Both paths are correct for the current state.


🔍 Documentation Review: MONOREPO_MERGER_PLAN.md

6. Good Addition of Configuration Files Section

Positive: The new "Configuration Files" section (lines 749-794 in the diff) is excellent. It provides:

  • Clear table of files requiring updates
  • Before/after examples for Dependabot config
  • Guidance on when to update

Suggestion: Consider adding validation commands to the checklist:

**When to Update dependabot.yml:**
- When Gemfile locations change
  - Verify: `find . -name "Gemfile.lock" | grep -v node_modules`
- When package.json files are added/moved/removed  
  - Verify: `find . -name "package.json" | grep -v node_modules`

✅ What's Good

  1. Security-first approach - Limiting to security updates only is a safe starting point
  2. Grouped updates - Using groups prevents PR spam
  3. Comprehensive coverage - Covers npm, bundler, and GitHub Actions
  4. Well-documented - Comments explain the intent clearly
  5. Monorepo planning - MONOREPO_MERGER_PLAN.md additions are thorough

🛠️ Action Items

Before merging:

  1. MUST FIX: Remove or fix /spec/react_on_rails/dummy-for-generators entry
  2. MUST FIX: Remove invalid minimum-release-age fields (or provide documentation)
  3. ⚠️ SHOULD FIX: Use unique group names per update entry
  4. ℹ️ NICE TO HAVE: Add validation commands to MONOREPO_MERGER_PLAN.md

Testing:

After fixing, validate the configuration:

# GitHub provides a config validator (requires GitHub CLI with proper permissions)
gh api repos/shakacode/react_on_rails/dependabot/secrets

# Or commit and check the "Security" tab → "Dependabot" for errors

Overall Assessment: This PR needs fixes before merging, primarily the non-existent directory reference and invalid minimum-release-age field. The documentation additions are valuable. Once the critical issues are resolved, this will be a solid foundation for Dependabot security updates.

claude bot commented Nov 30, 2025

Pull Request Review: Configure Dependabot

I've reviewed this PR and have some critical findings regarding the Dependabot configuration paths.


Positive Aspects

  1. Security-focused approach: Correctly configured for security-only updates with open-pull-requests-limit: 0
  2. Minimum release age: The 3-day minimum release age is a smart defense against unpublished NPM packages
  3. Grouped updates: Properly groups security updates per ecosystem, which will keep PRs manageable
  4. Good documentation: Excellent comments explaining the configuration choices

🚨 Critical Issue: Invalid Directory Path

Problem: Line 28 references a directory that doesn't exist:

# Generator dummy app (uses yarn, separate from main workspace)
- package-ecosystem: "npm"
  directory: "/spec/react_on_rails/dummy-for-generators"  # ❌ INVALID PATH

Evidence:

  • This directory is listed in .gitignore (lines 19-21)
  • It's a generated test directory, not a committed one
  • The actual path should be: /react_on_rails/spec/react_on_rails/dummy-for-generators
  • It's created dynamically during generator tests (see react_on_rails/spec/react_on_rails/generators/install_generator_spec.rb:8)

Why this matters:

  • Dependabot will fail silently when trying to access this non-existent path
  • Even if the path were corrected, it targets a gitignored, generated directory
  • Generated test directories shouldn't have Dependabot monitoring

Recommendation: Remove this entire entry (lines 26-37). The generator dummy is ephemeral test infrastructure, not a production dependency location.


⚠️ Issue: Incorrect Bundler Paths

The bundler directory paths are incorrect for the current repository structure:

Current configuration:

- directory: "/react_on_rails"      # Line 41
- directory: "/react_on_rails_pro"  # Line 54

Actual structure (verified via filesystem):

/home/runner/work/react_on_rails/react_on_rails/
├── react_on_rails/          # Subdirectory containing the gem
│   ├── Gemfile
│   └── react_on_rails.gemspec
└── react_on_rails_pro/      # Subdirectory containing the pro gem
    ├── Gemfile
    └── react_on_rails_pro.gemspec

Analysis:
The paths in the configuration assume these directories are at the repo root, but they're actually subdirectories of the monorepo root. This is consistent with the monorepo structure documented in docs/MONOREPO_MERGER_PLAN.md.

Recommendation: The paths are actually correct for a monorepo where gems are in subdirectories. Dependabot interprets directory: "/react_on_rails" as relative to the repo root, which is correct.

However: Please verify this works by checking Dependabot's behavior after merge. If Dependabot can't find the Gemfiles, the paths need adjustment.


📋 Missing Verification Checklist

Per CLAUDE.md section "Managing File Paths in Configuration Files", these steps should be completed:

Before merging, verify:

  1. ✅ All referenced directories actually exist (or will exist when needed)
  2. ⚠️ Test that Dependabot can access the configured paths
  3. ⚠️ Confirm each directory contains the expected manifest file:
    • /pnpm-lock.yaml (✅ verified)
    • /react_on_rails/Gemfile.lock (✅ verified)
    • /react_on_rails_pro/Gemfile.lock (✅ verified)
    • /spec/react_on_rails/dummy-for-generators → ❌ doesn't exist

📝 Documentation Quality

The updates to docs/MONOREPO_MERGER_PLAN.md are excellent:

  • ✅ Adds Dependabot to the configuration files tracking table
  • ✅ Documents the future state after Phase 6 merge
  • ✅ Provides clear before/after examples
  • ✅ Explains when to update the file

🔧 Recommended Changes

   # NPM/PNPM packages - root workspace (covers packages/react-on-rails, etc.)
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
     # Disable version update PRs - only security updates will be created
     open-pull-requests-limit: 0
     minimum-release-age: 3
     groups:
       npm-security:
         applies-to: security-updates
         patterns:
           - "*"
 
-  # Generator dummy app (uses yarn, separate from main workspace)
-  - package-ecosystem: "npm"
-    directory: "/spec/react_on_rails/dummy-for-generators"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 0
-    minimum-release-age: 3
-    groups:
-      npm-security:
-        applies-to: security-updates
-        patterns:
-          - "*"
-
   # Ruby gems - Open source gem
   - package-ecosystem: "bundler"
     directory: "/react_on_rails"
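Review bot: the root npm entry kept in the context lines at the top of the hunk still carries `minimum-release-age: 3`, which the first review in this thread reports is not a key in the Dependabot configuration schema, while the walkthrough at the top of the PR describes the same 3-day wait as `cooldown`/`default-days`; settle on the documented `cooldown` key and mention it in the file's header comment, otherwise the delay the comments promise does not exist and the unknown key is at best silently ignored. Dropping the dummy-app entry also leaves `npm-security` declared only once, which resolves the duplicate-group-name point from the earlier review.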

Summary

MUST FIX before merge:

  • ❌ Remove the invalid /spec/react_on_rails/dummy-for-generators entry

Should verify after merge:

  • ⚠️ Monitor Dependabot's first run to ensure it can access /react_on_rails and /react_on_rails_pro directories
  • ⚠️ Check GitHub Security tab for any Dependabot errors about inaccessible directories

Overall assessment: Good security configuration marred by one invalid path entry. The documentation additions are valuable. With the recommended fix, this will provide solid automated security updates for the monorepo.
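The checks the two reviews above ask for (every configured directory exists, each holds the ecosystem's manifest, no keys outside the Dependabot v2 schema such as `minimum-release-age`, and no group name reused across entries) as one small linter run against a constructed checkout; this is an added example, not code from the PR or the react_on_rails project. Assumptions: the accepted-key list follows the public Dependabot v2 reference as of late 2025, the names `lint_dependabot` and `lint_sample` are chosen here, and the fixture layout and config are constructed to mirror the first revision reviewed above.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Keys accepted inside an `updates:` entry by the Dependabot v2 schema (assumption:
# list current as of late 2025). `minimum-release-age` is not among them; the
# documented release-delay option is `cooldown`.
UPDATE_KEYS = %w[
  package-ecosystem directory directories schedule allow assignees commit-message
  cooldown groups ignore insecure-external-code-execution labels milestone
  open-pull-requests-limit pull-request-branch-name rebase-strategy registries
  reviewers target-branch vendor versioning-strategy
].freeze

# Manifest Dependabot must find under each configured directory (subset of ecosystems).
MANIFESTS = {
  "npm" => %w[package.json],
  "bundler" => %w[Gemfile],
  "github-actions" => %w[.github/workflows],
}.freeze

# Returns an array of human-readable findings; empty means the config is consistent
# with the checkout at repo_root.
def lint_dependabot(config_text, repo_root)
  findings = []
  config = YAML.safe_load(config_text)
  findings << "top level: version must be 2" unless config["version"] == 2
  group_users = Hash.new { |h, k| h[k] = [] }

  (config["updates"] || []).each_with_index do |entry, i|
    eco = entry["package-ecosystem"]
    dirs = Array(entry["directories"] || entry["directory"])
    label = "updates[#{i}] #{eco} #{dirs.join(',')}"

    (entry.keys - UPDATE_KEYS).each { |k| findings << "#{label}: unknown key '#{k}'" }
    findings << "#{label}: missing directory" if dirs.empty?
    # Record group names before any directory check so reuse is reported even when
    # the entry's directory is broken.
    (entry["groups"] || {}).each_key { |g| group_users[g] << label }

    dirs.each do |dir|
      abs = File.join(repo_root, dir.sub(%r{\A/}, ""))
      unless File.directory?(abs)
        findings << "#{label}: directory '#{dir}' does not exist"
        next
      end
      wanted = MANIFESTS[eco]
      next if wanted.nil? || wanted.any? { |m| File.exist?(File.join(abs, m)) }
      findings << "#{label}: no #{wanted.join('/')} under '#{dir}'"
    end
  end

  group_users.select { |_, v| v.size > 1 }.each do |g, users|
    findings << "group '#{g}' is declared in #{users.size} entries (#{users.join('; ')})"
  end
  findings
end

# Constructed config shaped like the first revision reviewed above: a root npm entry
# with the unknown key, a dummy-app entry whose directory is absent, and the same
# group name in both; the bundler entry uses the documented `cooldown` key instead.
SAMPLE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "npm"
      directory: "/"
      schedule: { interval: "weekly" }
      open-pull-requests-limit: 0
      minimum-release-age: 3
      groups:
        npm-security: { applies-to: security-updates, patterns: ["*"] }
    - package-ecosystem: "npm"
      directory: "/spec/react_on_rails/dummy-for-generators"
      schedule: { interval: "weekly" }
      open-pull-requests-limit: 0
      groups:
        npm-security: { applies-to: security-updates, patterns: ["*"] }
    - package-ecosystem: "bundler"
      directory: "/react_on_rails"
      schedule: { interval: "weekly" }
      open-pull-requests-limit: 0
      cooldown: { default-days: 3 }
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule: { interval: "weekly" }
YAML

# Constructed checkout laid out like the pre-Phase 6 monorepo, then linted.
def lint_sample
  Dir.mktmpdir do |root|
    FileUtils.touch(File.join(root, "package.json"))
    FileUtils.mkdir_p(File.join(root, "react_on_rails"))
    FileUtils.touch(File.join(root, "react_on_rails", "Gemfile"))
    FileUtils.mkdir_p(File.join(root, ".github", "workflows"))
    lint_dependabot(SAMPLE_CONFIG, root)
  end
end

lint_sample.each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

Run against the real checkout with `lint_dependabot(File.read(".github/dependabot.yml"), ".")` from the repository root; an empty result means every entry points at an existing manifest and uses only schema keys.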


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
docs/MONOREPO_MERGER_PLAN.md (1)

479-479: Capitalize "GitHub" consistently.

The static analysis tool flagged three instances where "GitHub" should be capitalized per the official branding.

Apply these diffs to fix the capitalization:

- [ ] **Update `.github/dependabot.yml`** to reflect final directory structure:
+ [ ] **Update `.GitHub/dependabot.yml`** to reflect final directory structure:
| `.github/dependabot.yml` | `directory:` entries for bundler/npm ecosystems |
| `.GitHub/dependabot.yml` | `directory:` entries for bundler/npm ecosystems |
- The `.github/dependabot.yml` file configures automated security updates. It must be kept in sync with the repository structure.
+ The `.GitHub/dependabot.yml` file configures automated security updates. It must be kept in sync with the repository structure.

Note: Actually, looking at the actual file path convention, .github with lowercase is the standard GitHub directory naming, so these should remain lowercase .github while only the company name "GitHub" should be capitalized. The static analysis tool may be flagging a false positive here. Disregard this comment in favor of keeping .github directories lowercase as per GitHub convention.

Also applies to: 755-755, 763-763

🔇 Additional comments (8)
docs/MONOREPO_MERGER_PLAN.md (2)

749-786: Align Dependabot configuration guidance with current PR state and verify examples.

The new "Configuration Files" section provides clear guidance for Dependabot updates during the merger. Verify that the pre-Phase 6 and post-Phase 6 examples accurately reflect the current implementation (.github/dependabot.yml).

Currently, the repository is in pre-Phase 6 state with separate /react_on_rails and /react_on_rails_pro directories. The configuration examples at lines 765-786 correctly show this state. However, ensure the "When to update dependabot.yml" section (lines 788-793) accurately captures all scenarios requiring updates.

Considerations:

  • The current dependabot.yml (lines 765-786) matches the pre-Phase 6 example
  • Post-Phase 6 example correctly shows consolidated bundler entry at root /
  • Examples are clear and actionable for future phases
  • "When to update" section covers directory structure changes, workspace additions, and lock file relocations

No immediate issues detected. This section aligns well with the actual .github/dependabot.yml configuration.


1-1: Verify file ends with newline character.

Per coding guidelines, all files must end with a newline before committing/pushing.

Please verify that the file docs/MONOREPO_MERGER_PLAN.md ends with a newline character (checking the end of line 943 or the final content).

Also applies to: 950-950

.github/dependabot.yml (6)

1-8: Clear and accurate comments explaining Dependabot security-only strategy.

The introductory comments at the top of the file provide excellent context: they explain that only security updates will be created (via open-pull-requests-limit: 0), describe the grouping strategy, and justify the 3-day minimum release age for npm stability. This is helpful for future maintainers.


9-24: NPM root workspace configuration is correct for security-only updates.

The root / npm ecosystem entry correctly targets the pnpm workspace as documented in MONOREPO_MERGER_PLAN.md (lines 773-774). The open-pull-requests-limit: 0 ensures only security PRs are created, and the npm-security group with applies-to: security-updates is the proper Dependabot v2 syntax for this behavior.


26-37: Generator dummy app configuration correctly handles separate yarn workspace.

The /spec/react_on_rails/dummy-for-generators entry appropriately targets the generator dummy app which uses yarn independently from the root pnpm workspace. Configuration mirrors the root npm entry with identical security-only strategy, which is consistent.


39-63: Bundler entries for both gems match current pre-Phase 6 structure.

Both the core gem (/react_on_rails) and pro gem (/react_on_rails_pro) have separate bundler entries, which correctly reflects the current monorepo state before Phase 6 restructuring. The configuration aligns exactly with the pre-Phase 6 example documented in MONOREPO_MERGER_PLAN.md (lines 769-775).

Post-Phase 6, per the plan documentation (lines 779-786), these will be consolidated to a single / entry. Ensure the plan document is referenced when making that transition.


65-76: GitHub Actions ecosystem configuration follows consistent security-only pattern.

The GitHub Actions entry at the root / directory follows the same security-only grouping strategy as the other ecosystems. Weekly schedule and 3-day minimum release age are consistent across the file.


1-1: Verify file ends with newline character.

Per coding guidelines, all files must end with a newline before committing/pushing.

Please verify that the file .github/dependabot.yml ends with a newline character after line 76.

Also applies to: 76-76

@alexeyr-ci2 alexeyr-ci2 force-pushed the alexeyr/configure-dependabot branch from 164f41b to cad12dc Compare December 1, 2025 07:33

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
docs/MONOREPO_MERGER_PLAN.md (2)

479-481: Clarify the timing of .github/dependabot.yml update.

Line 479 mentions updating .github/dependabot.yml as a Phase 6 task, but this PR (#2147) is already creating/configuring Dependabot. The task description should clarify whether:

  1. This PR creates the initial .github/dependabot.yml configuration (matching the "Current" state shown at line 765–775)?
  2. Phase 6 will later update it to the "Final" state (shown at line 777–786)?

The current phrasing may confuse readers about when Dependabot configuration first exists and when it needs adjustment during the merger.

Consider updating the Phase 6 task description to something like:

- [ ] **Update `.github/dependabot.yml`** (created in PR #2147) to reflect final directory structure:
  - Remove `/react_on_rails_pro` bundler entry (directory no longer exists)
  - Update bundler directory from `/` (initial root entry) to `/` (unchanged; both gemspecs now at root)

This makes clear that the file already exists from PR #2147 and Phase 6 is adjusting it post-restructuring.


749-793: Excellent addition: Configuration Files section clarifies Dependabot and tooling synchronization.

The new "Configuration Files" section (lines 749–793) is well-structured and provides:

  • A clear table mapping files to update (line 753–759)
  • Concrete "Current" vs. "Final" Dependabot YAML examples (lines 765–786)
  • Practical guidance on when to update dependabot.yml (lines 788–793)

This bridges the gap between the merger phases and configuration maintenance, making it easier for implementers to track what needs updating at each step.

One suggestion: expand line 788–793 to explicitly mention that PR #2147 creates the initial .github/dependabot.yml, so Phase 6 (and later phases) adjust it as structure changes.


Applied to files:

  • docs/MONOREPO_MERGER_PLAN.md
📚 Learning: 2025-11-25T08:05:17.804Z
Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-25T08:05:17.804Z
Learning: For infrastructure/config changes affecting directory structure, file paths, build configurations, or CI workflows, conduct comprehensive local testing before pushing (the '15-Minute Rule')

Applied to files:

  • docs/MONOREPO_MERGER_PLAN.md
🪛 LanguageTool
docs/MONOREPO_MERGER_PLAN.md

[uncategorized] ~479-~479: The official name of this software platform is spelled with a capital “H”.
Context: ...e paths and dependencies - [ ] Update .github/dependabot.yml to reflect final dire...

(GITHUB)


[uncategorized] ~755-~755: The official name of this software platform is spelled with a capital “H”.
Context: ...----------------------------------- | | .github/dependabot.yml | directory: entries ...

(GITHUB)


[uncategorized] ~763-~763: The official name of this software platform is spelled with a capital “H”.
Context: ... | ### Dependabot Configuration The .github/dependabot.yml file configures automat...

(GITHUB)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: rspec-package-tests (3.4, latest)
  • GitHub Check: build-dummy-app-webpack-test-bundles (3.4, 22, latest)
  • GitHub Check: pro-lint-js-and-ruby
  • GitHub Check: build-dummy-app-webpack-test-bundles
  • GitHub Check: examples (3.4, latest)
  • GitHub Check: build-dummy-app-webpack-test-bundles
  • GitHub Check: build
  • GitHub Check: claude-review
🔇 Additional comments (1)
docs/MONOREPO_MERGER_PLAN.md (1)

666-674: License Compliance Framework updates are clear and actionable.

The expanded section (lines 666–674) now explicitly lists MIT vs. Pro directory classifications and emphasizes LICENSE.md accuracy. The three critical rules are well-stated and provide immediate, testable guidance.

No concerns here—this strengthens the document's emphasis on compliance boundaries, which is essential given the project's mixed-licensing model.
