Update CHANGELOG for v9.5.0 release

[justin808]

Summary

• Move Unreleased content to v9.5.0 section with January 7, 2026 date
• Add placeholder for new Unreleased section
• Update version comparison links at the bottom of the file

Test plan

• Verify changelog formatting is correct
• Verify version links work correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Updated changelog for v9.5.0 release with security, added, changed, and fixed sections.

• Bug Fixes

  • Gemfile.lock is now excluded from the published gem.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[claude]

Code Review for PR #861

Summary

This PR prepares the CHANGELOG for the v9.5.0 release by moving unreleased content to a versioned section and updating comparison links.

✅ Positive Observations

1. Correct Version Link Updates: The version comparison links are properly updated:

   • [Unreleased] now compares v9.5.0...main
   • New [v9.5.0] link added comparing v9.4.0...v9.5.0

2. Proper Release Date: January 7, 2026 matches the PR creation date

3. Clean Placeholder: _None yet._ follows the existing pattern for empty Unreleased sections

4. Critical Security Fix Documentation: The PR properly documents a serious security vulnerability fix (environment variable leak), which is essential for users to understand the urgency of upgrading

⚠️ Issues Found

1. Inconsistent Formatting - Missing Trailing Newlines (Critical per CLAUDE.md)

The diff shows 3 instances where blank lines were added after numbered list items (lines 254, 271, 537). While this improves readability, it creates inconsistent formatting:

• Lines 254-255: Blank line added after item 1 of "Breaking Changes"
• Lines 271-272: Blank line added after item 2 of "Breaking Changes"
• Line 537-538: Blank line added in v7.0.0 section

Issue: These formatting changes appear unintentional and unrelated to the v9.5.0 release. They modify historical changelog entries for v9.0.0 and v7.0.0.

Recommendation: Either:

• Remove these formatting changes to keep the PR focused on v9.5.0 release preparation only
• If intentional, mention in the PR description that you're also cleaning up formatting consistency

Looking at the existing file, I can see that other numbered lists don't have these blank lines consistently, so adding them here creates an inconsistent pattern.

2. No Test Coverage Mentioned

While the PR includes a test plan checklist:

• Verify changelog formatting is correct
• Verify version links work correctly

These items are unchecked. It would be good to verify:

• The markdown renders correctly on GitHub
• The comparison links work (you can test by clicking them once merged)

📋 Minor Observations

1. Date Format: "January 7, 2026" is consistent with other entries (e.g., "November 22, 2025" for v9.4.0) ✓

2. Breaking Change Documentation: The v9.5.0 entry clearly marks the EnvironmentPlugin change as BREAKING, which is correct ✓

3. Migration Guidance: Good inclusion of migration examples for the breaking change ✓

🔒 Security Considerations

The changelog properly emphasizes the CRITICAL security fix. Users should note:

• This fixes a vulnerability present since webpacker v1.0.0 (January 2017)
• Action required: Rotate any secrets that may have been exposed
• The fix introduces a breaking change (allowlist approach)

📊 Overall Assessment

Code Quality: Good
Changelog Accuracy: Excellent
Main Concern: Unrelated formatting changes to historical entries

Recommendation

Approve with changes: Consider removing the 3 blank line additions in the v9.0.0 and v7.0.0 sections (lines 255, 272, 538 in the new file) to keep this PR focused solely on the v9.5.0 release preparation.

If the formatting cleanup is intentional, please:

1. Mention it in the PR description
2. Consider doing comprehensive formatting cleanup in a separate PR
3. Update the entire file consistently rather than just 3 instances

[claude]

Code Review for v9.5.0 CHANGELOG Update

Overview

This PR updates the CHANGELOG to prepare for the v9.5.0 release. The changes are straightforward and follow the standard release preparation pattern.

---

✅ Positive Findings

1. Correct version link format: The new version links follow the established pattern correctly:

   • [Unreleased]: https://github.com/shakacode/shakapacker/compare/v9.5.0...main
   • [v9.5.0]: https://github.com/shakacode/shakapacker/compare/v9.4.0...v9.5.0

2. Proper placeholder: Added _None yet._ placeholder for the new Unreleased section, which is clean and consistent.

3. Date format: Uses "January 7, 2026" which matches the existing format in the CHANGELOG (e.g., "November 22, 2025" for v9.4.0).

---

⚠️ Issues Found

1. CRITICAL: Version files not updated

The PR only updates CHANGELOG.md, but the actual version files still reference 9.4.0:

• lib/shakapacker/version.rb:3 still has VERSION = "9.4.0".freeze
• package.json:3 still has "version": "9.4.0"

Impact: This will cause the gem and npm package to still be published as 9.4.0 instead of 9.5.0.

Required action: Update both version files before releasing:

# lib/shakapacker/version.rb
VERSION = "9.5.0".freeze

// package.json
"version": "9.5.0"

2. Unintended formatting changes

The diff shows several blank lines added to existing content (lines 252, 271, 537 in the diff). These appear to be unintended formatting changes in the v9.0.0, v9.0.0-beta.0, and v8.0.0 sections:

• After "SWC is now the default JavaScript transpiler" (line 254)
• After "CSS Modules now use named exports" (line 271)
• In the v8.0.0 section (line 537)

Impact: These create unnecessary diffs that don't serve the release purpose and violate the "keep changes focused and minimal - avoid extraneous diffs" guideline from CLAUDE.md.

Recommendation: Remove these blank line additions unless they're intentionally fixing formatting issues. If the latter, they should be in a separate PR.

---

📋 Pre-Release Checklist

Before merging, ensure:

• Update lib/shakapacker/version.rb to "9.5.0"
• Update package.json to "9.5.0"
• Remove unintended blank line changes
• Run bundle exec rubocop (as per CLAUDE.md guidelines)
• Verify all version comparison links work correctly
• Confirm the date (January 7, 2026 vs January 8, 2026 - today's date)

---

🔍 Date Discrepancy Note

The PR description and CHANGELOG show January 7, 2026, but today's date is January 8, 2026. If the release is being cut today, the date should be updated to January 8, 2026 to match the actual release date.

---

Summary

The CHANGELOG structure is correct, but this PR is incomplete for a release as it doesn't update the version files. The unintended formatting changes should also be addressed. Once the version files are updated and the extra blank lines are removed, this will be ready to merge.

[coderabbitai]

Walkthrough

This change introduces a new v9.5.0 release block to CHANGELOG.md with Security, Added, Changed, and Fixed sections, including a fix noting that Gemfile.lock is excluded from the published gem. Unreleased anchor references are updated to point to v9.5.0, with formatting adjustments for readability.

Changes

Cohort / File(s)	Summary
Changelog Updates CHANGELOG.md	Added v9.5.0 release section with Security, Added, Changed, and Fixed subsections; updated Unreleased references to v9.5.0; adjusted formatting and spacing.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Update CHANGELOG.md for v9.3.0-beta.0 #718: Modifies CHANGELOG.md by adding a new release section and updating Unreleased references in parallel manner.
• Update CHANGELOG.md with recent PRs #690: Edits CHANGELOG.md's release and Unreleased sections with overlapping structural changes.

Poem

🐰 A version released in markdown so neat,
Nine-five-oh takes its rightful seat!
Security patched, new features unfold,
The changelog's story is timely told,
A rabbit rejoices—the release is complete! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Update CHANGELOG for v9.5.0 release' directly and accurately describes the main change in the PR, which is updating the CHANGELOG.md file to document the v9.5.0 release.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jg/changelog-9.5.0

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3074164 and ff53542.

📒 Files selected for processing (1)

• CHANGELOG.md

🧰 Additional context used

📓 Path-based instructions (1)

CHANGELOG.md

📄 CodeRabbit inference engine (CLAUDE.md)

CHANGELOG.md: Update CHANGELOG.md for user-visible changes only (features, bug fixes, breaking changes, deprecations, performance improvements)
Do NOT add CHANGELOG entries for: linting, formatting, refactoring, tests, or documentation fixes
Use changelog format: [PR #123](https://github.com/shakacode/shakapacker/pull/123) by [username](https://github.com/username) - Shakapacker uses # in PR links

Files:

• CHANGELOG.md

🧠 Learnings (7)

📓 Common learnings

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Applies to CHANGELOG.md : Use changelog format: `[PR #123](https://github.com/shakacode/shakapacker/pull/123) by [username](https://github.com/username)` - Shakapacker uses `#` in PR links

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md for user-visible changes only (features, bug fixes, breaking changes, deprecations, performance improvements)

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Applies to CHANGELOG.md : Do NOT add CHANGELOG entries for: linting, formatting, refactoring, tests, or documentation fixes

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Run `bundle exec rake update_changelog` after releases to update version headers

📚 Learning: 2025-12-22T04:44:25.430Z

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md for user-visible changes only (features, bug fixes, breaking changes, deprecations, performance improvements)

Applied to files:

• CHANGELOG.md

📚 Learning: 2025-12-22T04:44:25.430Z

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Applies to CHANGELOG.md : Do NOT add CHANGELOG entries for: linting, formatting, refactoring, tests, or documentation fixes

Applied to files:

• CHANGELOG.md

📚 Learning: 2025-12-22T04:44:25.430Z

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Run `bundle exec rake update_changelog` after releases to update version headers

Applied to files:

• CHANGELOG.md

📚 Learning: 2025-12-22T04:44:25.430Z

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: This gem supports both webpack and rspack configurations - test changes with both bundlers when modifying core functionality

Applied to files:

• CHANGELOG.md

📚 Learning: 2025-12-22T04:44:25.430Z

Learnt from: CR
Repo: shakacode/shakapacker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-22T04:44:25.430Z
Learning: Applies to CHANGELOG.md : Use changelog format: `[PR #123](https://github.com/shakacode/shakapacker/pull/123) by [username](https://github.com/username)` - Shakapacker uses `#` in PR links

Applied to files:

• CHANGELOG.md

📚 Learning: 2024-10-09T10:46:03.499Z

Learnt from: marvinthepa
Repo: shakacode/shakapacker PR: 520
File: lib/shakapacker/utils/manager.rb:19-19
Timestamp: 2024-10-09T10:46:03.499Z
Learning: In `lib/install/template.rb` of the Shakapacker project, calls to `PackageJson.read` are wrapped inside `Dir.chdir(Rails.root)`, ensuring that `package.json` is read from the Rails root directory.

Applied to files:

• CHANGELOG.md

🔇 Additional comments (2)

CHANGELOG.md (2)

10-51: LGTM! The v9.5.0 release section is well-structured with proper formatting.

The changelog entry correctly:

• Uses the canonical PR link format ([PR #123](...) with # prefix) for all references
• Includes only user-visible changes (security fixes, new features, breaking changes, gemspec fix)
• Maintains consistent date formatting (January 7, 2026)
• Provides clear migration guidance in the Changed section with code examples

---

809-810: Version comparison links updated correctly.

The version anchors at the bottom properly reflect the new release:

• Unreleased now correctly points to v9.5.0...main
• New v9.5.0 entry created with correct version range (v9.4.0...v9.5.0)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review for PR #861

✅ Overall Assessment

This PR correctly prepares the CHANGELOG for the v9.5.0 release. The changes follow the project's changelog conventions and are well-structured.

---

📋 What's Good

1. Proper formatting: The changelog entries follow the established format with correct PR links using # syntax (e.g., [PR #857])
2. Version link updates: The comparison links at the bottom are correctly updated:
   • [Unreleased] now compares v9.5.0...main
   • [v9.5.0] compares v9.4.0...v9.5.0
3. Unreleased section: Properly added _None yet._ placeholder for future changes
4. Minimal diff: Only 13 additions, 1 deletion - focused changes as expected

---

⚠️ Issues Found

1. Date Mismatch - MINOR

The PR uses "January 7, 2026" but the PR was created on January 8, 2026 (2026-01-08T03:54:24Z). This is likely fine if the release was tagged on January 7th, but worth verifying.

Verification needed:

# Check if a v9.5.0 tag exists and when it was created
git tag -l 'v9.5.0' --format='%(refname:short) %(creatordate:short)'

2. Version Hasn't Been Bumped Yet - BLOCKING

The version is still 9.4.0 in both:

• lib/shakapacker/version.rb: VERSION = "9.4.0"
• package.json: "version": "9.4.0"

Before this CHANGELOG PR can be merged, the version files must be updated to 9.5.0. The changelog update should be part of the release PR or should follow immediately after the version bump.

---

🔍 Additional Observations

Accidental Formatting Changes

The diff shows some unrelated formatting changes (extra blank lines added):

• Lines 257-258: Extra newline added before Babel migration list item
• Line 266: Extra newline added before CSS Modules list item
• Line 275: Extra newline added before dev server configuration list item

These appear to be accidental whitespace changes that don't affect the v9.5.0 release content. While harmless, they create noise in the diff. Consider whether these should be:

1. Kept (if they improve readability)
2. Removed (to keep the PR focused only on v9.5.0 changes)
3. Split into a separate cleanup PR

---

✅ Test Plan Verification

The PR's test plan items are appropriate:

• ✅ Verify changelog formatting is correct - PASSED (follows established conventions)
• ⚠️ Verify version links work correctly - NEEDS VERIFICATION (links are correctly formatted, but won't work until v9.5.0 tag is created)

---

📝 Recommendations

1. REQUIRED: Update version to 9.5.0 in:

   • lib/shakapacker/version.rb
   • package.json

2. OPTIONAL: Consider removing the unrelated formatting changes (lines 257, 266, 275) to keep this PR focused solely on v9.5.0 release

3. SUGGESTED: Verify the release date is correct (January 7 vs January 8, 2026)

4. REMINDER: After merging and releasing v9.5.0, the project has a rake task for version management:

   bundle exec rake update_changelog

---

🎯 Conclusion

The changelog content is excellent and properly structured. However, this PR cannot be merged until the version is bumped to 9.5.0 in the version files. Otherwise, the gem release will fail or create version mismatch issues.

Recommendation: Either add version bump commits to this PR, or ensure version files are updated in a separate PR before/alongside this one.